Certbot 4.0: Long Live Short-Lived Certs!


When Let’s Encrypt, a free certificate authority, started issuing 90 day TLS certificates for websites, it was considered a bold move that helped push the ecosystem towards shorter certificate lifetimes. Beforehand, certificate authorities normally issued certificates with lifetimes of a year or more. With 4.0, Certbot now supports Let’s Encrypt’s new capability for six day certificates through ACME profiles and dynamic renewal at:

  • 1/3rd of lifetime left
  • 1/2 of lifetime left, if the lifetime is shorter than 10 days
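The two renewal rules above, written out as an added example (not Certbot’s own code): a small helper that derives the renewal point from a certificate’s validity window and decides whether it is time to renew. The validity dates are constructed sample values; in practice they would be read from the certificate’s notBefore/notAfter fields.

```python
from datetime import datetime, timedelta, timezone

# Per the rules above: certificates shorter than 10 days renew at 1/2 of
# lifetime left, everything else at 1/3 of lifetime left.
SHORT_LIFETIME = timedelta(days=10)


def renewal_fraction(lifetime: timedelta) -> float:
    """Fraction of the lifetime that may remain before renewal is due."""
    return 0.5 if lifetime < SHORT_LIFETIME else 1 / 3


def renewal_time(not_before: datetime, not_after: datetime) -> datetime:
    """Earliest moment at which the certificate should be renewed."""
    lifetime = not_after - not_before
    return not_after - lifetime * renewal_fraction(lifetime)


def should_renew(not_before: datetime, not_after: datetime, now: datetime) -> bool:
    """True once 'now' has reached the dynamic renewal point."""
    return now >= renewal_time(not_before, not_after)


if __name__ == "__main__":
    utc = timezone.utc
    # Constructed sample windows: a classic 90 day cert and a 6 day cert.
    classic = (datetime(2025, 1, 1, tzinfo=utc), datetime(2025, 4, 1, tzinfo=utc))
    shortlived = (datetime(2025, 1, 1, tzinfo=utc), datetime(2025, 1, 7, tzinfo=utc))
    for name, (nb, na) in (("classic", classic), ("shortlived", shortlived)):
        print(f"{name}: lifetime {(na - nb).days} days, renew from {renewal_time(nb, na):%Y-%m-%d}")
```

A 90 day certificate is therefore renewed with 30 days left, while a 6 day certificate is renewed with 3 days left, leaving a shrinking but still usable window for retries when an issuance fails.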

There are a few significant reasons why shorter lifetimes are better:

  • If a certificate’s private key is compromised, that compromise can’t last as long.
  • Shorter certificate lifetimes encourage automation, which in turn makes the security of web servers more robust.
  • Certificate revocation is historically flaky. Lifetimes of 10 days or less avoid the need to invoke the revocation process and to deal with continued use of a compromised key.

There is debate on how short these lifetimes should be, but with ACME profiles you can have the default or “classic” Let’s Encrypt experience (90 days) or start actively using other profile types through Certbot with the --preferred-profile and --required-profile flags. For six day certificates, you can choose the “shortlived” profile.

These new options are just the beginning of the modern features the ecosystem can support and we ar


This article has been indexed from Deeplinks
