| Mailing List ecs-isp@2rosenthals.com Archived Message #1329 |
back to list |
| From: |
"Lewis G Rosenthal" <ecs-isp@2rosenthals.com> |
Full Headers
Undecoded message |
| Subject: |
Re: [eCS-ISP] SSL cert lifetime |
| Date: |
Sat, 16 May 2026 17:28:25 -0400 |
| To: |
eCS ISP Mailing List <ecs-isp@2rosenthals.com> |
|
|---|
Much as I hate to admit it, other than the 17 days, the convenience
of having a script do the cert updates from LE would be a
tie-breaker - though I am still uneasy about LE (less so after this
much time, I guess).
This short lifespan is a killer for all commercial CAs, as that has
been their main attraction since LE went sort of mainstream (10
years ago, they started with 90-day certs, and that was a PITA vs
2-year certs; now all lifespans have shortened, but 17 days is
probably not worth the cost).
On 05/15/26 09:47 am, Andy Willis
wrote:
I saw the same from digicert. I raised the suggestion of
changing to letsencrypt. Only 30 days but free so why pay a
high premium for 17 additional days.
Thought I'd share this
bit of news from Starfield Tech regarding cert
lifetimes. I am assuming this will pertain to all CAs over
the next few years.
8<-------------------- snip -------------------->8
The entire SSL Industry is undergoing a requirement to
shorten SSL/TLS
validity duration from 398 days to 47 days. The first
phase has started and
validity is now 200 days. This will again change to 100
days by March 2027
and finally to 47 days by March 2029.
What does this mean for you? Instead of re-installing your
certificate 1x
per year, that frequency will begin to increase. Starting
later this year in
approximately 180-200 days you'll need to repeat this
action - and then
again more frequently in 2027 through 2029.
8<-------------------- snip -------------------->8
Oh, joy.
Further details are given in this "handy" article on their
site:
https://www.secureserver.net/help/why-are-ssl-certificate-validity-periods-changing-42816
The whole argument about shorter cert lives being more
secure is a tough one
for me, given the availability of OCSP stapling and other
validation/revocation methods. Oh, well.
--
Lewis
-------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE, CWTS, EA
Rosenthal & Rosenthal, LLC www.2rosenthals.com
visit my IT blog www.2rosenthals.net/wordpress
-------------------------------------------------------------
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
This message is sent to you because you are subscribed to
the mailing list <ecs-isp@2rosenthals.com>.
To unsubscribe, E-mail to: <ecs-isp-off@2rosenthals.com>
To switch to the DIGEST mode, E-mail to <ecs-isp-digest@2rosenthals.com>
To switch to the INDEX mode, E-mail to <ecs-isp-index@2rosenthals.com>
Send administrative queries to <ecs-isp-request@2rosenthals.com>
To subscribe (new addresses), E-mail to: <ecs-isp-on@2rosenthals.com> and
reply to the confirmation email.
Web archives are publicly available at: http://lists.2rosenthals.com
This list is hosted by Rosenthal & Rosenthal, LLC
P.O. Box 281, Deer Park, NY 11729-0281. Non-
electronic communications related to content
contained in these messages should be directed
to the above address. (CAN-SPAM Act of 2003)
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
--
Lewis
-------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE, CWTS, EA
Rosenthal & Rosenthal, LLC www.2rosenthals.com
visit my IT blog www.2rosenthals.net/wordpress
-------------------------------------------------------------