
197 points SGran | 1 comments
rickette ◴[] No.42729799[source]
Kinda funny to call the current 90 day certs "long lived". When Let's Encrypt started out more than 10 years ago, most certs from major vendors had a 1 year life span. Let's Encrypt was (one of) the first to use drastically shorter life spans, hence all the ACME automation effort.
KronisLV ◴[] No.42735256[source]
> Let's Encrypt was (one of) the first to use drastically shorter life spans, hence all the ACME automation effort.

Surely there are tradeoffs in having to rotate the certs that often, right? Notably, considerable load on their infrastructure. I get that urging people to automate their renewals makes sense (though I've also heard people unironically saying: "I want it to be a manual process, so I know how it works instead of relying on some black box"), but it seems that shorter and shorter cert lifetimes might put more strain on a service that nigh everyone seems to just be using for free.

Edit: at least there are a lot of prominent companies here https://letsencrypt.org/sponsors/

1. raihansaputra ◴[] No.42735880[source]
I just looked into OCSP and their planned sunsetting of their OCSP server, and it seems like they'd much rather scale this as their core activity than provide/maintain/scale other stuff like the OCSP service.