181 points zdw | 1 comments

whatever1 ◴[] No.44420959
Is it the right time to rant about the cert expiration as a concept? I understand why certs might be revoked. But expire?
replies(7): >>44421005 #>>44421014 #>>44421298 #>>44421364 #>>44421391 #>>44421714 #>>44421852 #
scrapheap ◴[] No.44421364
Revoking certificates and expiring certificates tackle two different security issues.

You revoke a certificate when you believe that it might have been compromised. Expiring certificates helps protect you when you've unknowingly been compromised.

So let's say that one of your employees accidentally pushed a private key for one of your certificates up to GitHub and you notice it. That's when you should immediately rotate that certificate and revoke the old one.

Now let's say that the same thing happened but you didn't notice. That's where the certificate expiring comes into play. For a Let's Encrypt certificate there's currently going to be a maximum of 90 days where someone could find that private key and work out a way to exploit it; after that period the certificate would have expired and no longer be in use.

replies(1): >>44428193 #
whatever1 ◴[] No.44428193
If expiring certificates offer some sort of security shouldn’t they be expiring after milliseconds?

If I had compromised the Bank of America servers a couple of minutes would suffice to collect a ton of password combinations.

replies(1): >>44431332 #
scrapheap ◴[] No.44431332
They are slowly reducing the period that certificates are valid for, not to the degree of milliseconds, but certainly to the point that renewing them will need to be automated.
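The two points made in scrapheap's replies above, that expiry caps the exposure window of a key leak nobody noticed while revocation ends it as soon as someone does, and that short lifetimes force renewal to be automated, can be put into a small renewal-window check. The example below is added here and is not code from anyone in the thread; it uses only the Python standard library, parses the `notBefore`/`notAfter` lines in the shape `openssl x509 -noout -dates` prints (the sample text is constructed for a hypothetical 90-day certificate), and assumes the common ACME client policy of renewing once a third of the lifetime remains.

```python
"""Renewal-window and exposure-window check for an X.509 validity period.

Added example (not from the thread). Assumptions, all hypothetical:
  - OPENSSL_DATES is text in the shape `openssl x509 -noout -dates` prints.
  - A certificate is due for renewal once one third of its lifetime remains
    (a 90-day certificate is renewed at day 60), mirroring the usual
    ACME client default.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample output of `openssl x509 -noout -dates -in cert.pem`
# for a hypothetical 90-day certificate (Jun 1 .. Aug 30, 2025).
OPENSSL_DATES = """\
notBefore=Jun  1 00:00:00 2025 GMT
notAfter=Aug 30 00:00:00 2025 GMT
"""

RENEW_FRACTION = 1 / 3  # renew when this fraction of the lifetime is left


def parse_openssl_dates(text):
    """Parse notBefore/notAfter lines into timezone-aware UTC datetimes."""
    dates = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        # strptime treats a single space in the format as "one or more
        # whitespace", so the double space before a one-digit day is fine.
        parsed = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y %Z")
        dates[key.strip()] = parsed.replace(tzinfo=timezone.utc)
    return dates["notBefore"], dates["notAfter"]


def _utc(iso_day):
    """Turn an ISO date string such as '2025-07-15' into a UTC datetime."""
    return datetime.fromisoformat(iso_day).replace(tzinfo=timezone.utc)


def classify(not_before, not_after, now, renew_fraction=RENEW_FRACTION):
    """Return (status, lifetime_days, remaining_days).

    status is 'ok', 'renew' (inside the renewal window) or 'expired'.
    """
    lifetime = not_after - not_before
    remaining = not_after - now
    if remaining <= timedelta(0):
        status = "expired"
    elif remaining <= lifetime * renew_fraction:
        status = "renew"
    else:
        status = "ok"
    return status, lifetime.days, remaining.days


def status_on(now_iso):
    """Classify the constructed sample certificate as seen on a given day."""
    not_before, not_after = parse_openssl_dates(OPENSSL_DATES)
    return classify(not_before, not_after, _utc(now_iso))


def exposure_days(leak_iso, revoked_iso=None):
    """Days a leaked key stays usable for the sample certificate.

    Undetected leak: only expiry (notAfter) ends the window.
    Detected leak:   revocation ends it earlier, at revoked_iso.
    """
    _, not_after = parse_openssl_dates(OPENSSL_DATES)
    end = not_after
    if revoked_iso is not None:
        end = min(end, _utc(revoked_iso))
    return max((end - _utc(leak_iso)).days, 0)


if __name__ == "__main__":
    for day in ("2025-07-15", "2025-08-05", "2025-09-01"):
        print(day, status_on(day))
    print("undetected leak on Jun 10:", exposure_days("2025-06-10"), "days")
    print("leak on Jun 10, revoked Jun 12:",
          exposure_days("2025-06-10", "2025-06-12"), "days")
```

Run stand-alone it prints the status for three dates (ok at day 44, renew once 25 days remain, expired after Aug 30) and shows the two exposure windows side by side: 81 days for a leak nobody noticed versus 2 days when the key was revoked promptly. The `renew` state is what a cron job or ACME client acts on; shrinking the lifetime just moves that window earlier.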