TLS Certificate Lifetimes Will Officially Reduce to 47 Days
www.digicert.com
The CA/Browser Forum has officially voted to amend the TLS Baseline Requirements to set a schedule for shortening both the lifetime of TLS certificates.

From today until March 15, 2026, the maximum lifetime for a TLS certificate is 398 days.

As of March 15, 2026, the maximum lifetime for a TLS certificate will be 200 days.

As of March 15, 2027, the maximum lifetime for a TLS certificate will be 100 days.

As of March 15, 2029, the maximum lifetime for a TLS certificate will be 47 days.

What’s everyone’s opinion on this? I think from a security standpoint their reasoning is valid and in many cases it’s very easy to automate the renewal with ACME or something else. But there’s likely gonna be legacy stuff still around in 2029 that won’t be easy to automate.

    • JRaccoon@discuss.tchncs.deOPEnglish
      1·
      2 months ago

      Oh, I agree. This change will affect all CAs however. And their post seemed to contain the most amount of information.

      • SecureTaco@lemmy.asc6.orgEnglish
        1·
        2 months ago

        Self signed certs still have to abide. It’s the browser that checks it not the issuer. Now granted in most cases you already get a non trusted warning that most sysadmins skip…

        • Zeoic@lemmy.worldEnglish
          0·
          2 months ago

          The cert is what tells the browser how long it lasts, so I’m not sure how the browser can stop you from using a 10 year self signed cert or one from your own CA

          • catloaf@lemm.eeEnglish
            1·
            2 months ago

            If the browser sees it expires too far in the future, it could throw a warning or error.

            I doubt any of them will actually do it, but it’s possible.

            • prime_number_314159@lemmy.world
              1·
              2 months ago

              Most browsers do this for certs with a lifetime longer than 398 days issued after 2020, which is one aspect of why so many websites use a 1 year validity period for their certs.

  • Admiral Patrick@dubvee.org
    English
    0·
    2 months ago

    Are compromised private keys that much of a problem in the real world to merit such a pain in the ass, heavy handed “solution”? On paper, sure, it makes sense. In practice, you’re forcing people to complicate the process by introducing, until now, unnecessary automation and introducing the possibility of brand new points of vulnerability.

    I say this as someone who does maintain legacy systems (i.e. systems), so take it with a very angry, frazzled grain of salt. But I’ve done this for years decades and many, many systems and to my knowledge, I’ve never had a compromised private key.

    This just seems like people who constantly lose their house keys mandating that everyone else change their locks as often as they do.

    • WhyJiffie@sh.itjust.worksEnglish
      1·
      2 months ago

      are you sure this mandates always using a new private key? I think I have read that they don’t. how would you verify that anyway?