
197 points SGran | 2 comments
lmz ◴[] No.42733023[source]
While we're on the subject of cert lifetimes. Is there a longer lived, public CA-issued cert for TLS client purposes?

I sometimes deal with a relying party that insists on public CA-issued certs for TLS client use, and then makes rotation very painful behind a portal with 2FA etc. This would be fine if public CAs issued certs for 5 years but they seem to be limited to 1 year now because of browser policy.

replies(1): >>42751595 #
1. nickf ◴[] No.42751595[source]
Server certs will be losing the clientAuth EKU this year, so those will be out. SMIME certs may start to drop it too. I don’t know many CAs that will do a clientAuth-only cert from a public CA, largely because it’s unnecessary. If it’s for auth, use a private CA.
replies(1): >>42755000 #
2. lmz ◴[] No.42755000[source]
> Server certs will be losing the clientAuth EKU this year, so those will be out.

Is this documented anywhere?