2021.06.08 Certificate Lifetime Incident (valid for an extra one second)

Let’s Encrypt is well-known for issuing certificates that are valid for only 90 days. Since the very first certificates issued by Let’s Encrypt’s infrastructure, those certificates have been given a 90 day validity period by our CA software by taking the issuance time and adding exactly 2,160 hours to yield the certificate’s “not after” date. However, RFC 5280 defines the validity period of a certificate as being the duration between the “not before” and the “not after” timestamps, inclusive. This inclusivity means that Let’s Encrypt’s certificates have all been actually valid for 90 days plus 1 second.
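The off-by-one described above, as an added worked example (not code from Let’s Encrypt’s CA software): the original arithmetic adds exactly 2,160 hours to the issuance time, while RFC 5280 counts both the “not before” and “not after” seconds, so a checker that applies the RFC’s inclusive definition reports 90 days plus one second. The helper names and the sample issuance time are assumptions for illustration.

```python
from datetime import datetime, timedelta, timezone

# Intended maximum lifetime: 90 days, expressed as the 2,160 hours the CA added.
NINETY_DAYS = timedelta(hours=2160)
ONE_SECOND = timedelta(seconds=1)


def not_after_legacy(not_before: datetime) -> datetime:
    """The original computation: notAfter = notBefore + 2160h.

    Treats the period as half-open, which is one second too long under RFC 5280.
    """
    return not_before + NINETY_DAYS


def not_after_rfc5280(not_before: datetime) -> datetime:
    """Corrected computation (assumed fix): subtract one second so that the
    inclusive period defined by RFC 5280 is exactly 90 days."""
    return not_before + NINETY_DAYS - ONE_SECOND


def rfc5280_validity(not_before: datetime, not_after: datetime) -> timedelta:
    """Validity period as RFC 5280 section 4.1.2.5 defines it: both endpoint
    seconds are inside the period, so the length is notAfter - notBefore + 1s."""
    return not_after - not_before + ONE_SECOND


def exceeds_max_lifetime(not_before: datetime, not_after: datetime,
                         max_lifetime: timedelta = NINETY_DAYS) -> bool:
    """Lint check a CA or auditor could run over issued certificates:
    True when the inclusive validity is longer than the policy maximum."""
    return rfc5280_validity(not_before, not_after) > max_lifetime


if __name__ == "__main__":
    # Constructed sample issuance time; certificate times are always UTC.
    issued = datetime(2021, 6, 8, 12, 0, 0, tzinfo=timezone.utc)
    for label, fn in (("legacy", not_after_legacy), ("rfc5280", not_after_rfc5280)):
        na = fn(issued)
        print(f"{label}: notAfter={na.isoformat()} "
              f"validity={rfc5280_validity(issued, na)} "
              f"too_long={exceeds_max_lifetime(issued, na)}")
```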

You can read more about this incident here: