this post was submitted on 15 Apr 2025
134 points (97.9% liked)

Sysadmin

8897 readers
6 users here now

A community dedicated to the profession of IT Systems Administration

No generic Lemmy issue posts please! Posts about Lemmy belong in one of these communities:
!lemmy@lemmy.ml
!lemmyworld@lemmy.world
!lemmy_support@lemmy.ml
!support@lemmy.world

founded 2 years ago
MODERATORS
DarraignTheSane@lemmy.world
00Lemming@lemmy.world
L3s@lemmy.world
134
TLS Certificate Lifetimes Will Officially Reduce to 47 Days (in 2029) (www.digicert.com)
submitted 2 weeks ago by JRaccoon@discuss.tchncs.de to c/sysadmin@lemmy.world
35 comments fedilink hide all child comments
 

From today until March 15, 2026, the maximum lifetime for a TLS certificate is 398 days.

As of March 15, 2026, the maximum lifetime for a TLS certificate will be 200 days.

As of March 15, 2027, the maximum lifetime for a TLS certificate will be 100 days.

As of March 15, 2029, the maximum lifetime for a TLS certificate will be 47 days.

What's everyone's opinion on this? I think from a security standpoint their reasoning is valid and in many cases it's very easy to automate the renewal with ACME or something else. But there's likely gonna be legacy stuff still around in 2029 that won't be easy to automate.

you are viewing a single comment's thread
view the rest of the comments
[–] enumerator4829@sh.itjust.works 67 points 2 weeks ago (3 children)

This will be so much fun for people with legacy systems

[–] mosiacmango@lemm.ee 34 points 2 weeks ago* (last edited 2 weeks ago) (2 children)

Self signed certs about to get even more popular.

[–] enumerator4829@sh.itjust.works 13 points 2 weeks ago

Tony Stark was able to build his CA in a cave! With a bunch of dice!

[–] SecureTaco@lemmy.asc6.org 3 points 2 weeks ago (1 children)

Self signed certs still have to abide. It’s the browser that checks it not the issuer. Now granted in most cases you already get a non trusted warning that most sysadmins skip…

[–] Zeoic@lemmy.world 4 points 2 weeks ago (2 children)

The cert is what tells the browser how long it lasts, so I'm not sure how the browser can stop you from using a 10 year self signed cert or one from your own CA

[–] catloaf@lemm.ee 3 points 2 weeks ago (1 children)

If the browser sees it expires too far in the future, it could throw a warning or error.

I doubt any of them will actually do it, but it's possible.

[–] prime_number_314159@lemmy.world 4 points 2 weeks ago

Most browsers do this for certs with a lifetime longer than 398 days issued after 2020, which is one aspect of why so many websites use a 1 year validity period for their certs.

[–] Valmond@lemmy.world 1 points 2 weeks ago

Or just spin up a new one all the time?

[–] unexposedhazard@discuss.tchncs.de 10 points 2 weeks ago

This way it will gradually ramp up the pain tho. If they went straight to 47 days, basically the entire internet would be gone for a few days.

[–] possiblylinux127@lemmy.zip 2 points 2 weeks ago

Self signed certs still support longer time frames

If you need to expose a legacy system to the internet we have bigger issues