Cert from LetsEncrypt for greater than 3 months?

How do I get a certificate for greater than 3 months? Happy to pay.

Info is not easily found @ letsEncrypt.org! Can the powers that be direct me to where I can find such info?! (Shut up and take my money :rofl::heart_eyes:)

You can't, not from Let's Encrypt.

Other CAs will be happy to sell you one, though :smiley:

1 Like

It's in the FAQ: FAQ - Let's Encrypt

2 Likes

You can get one from BuyPass Go for 180 days but everyone else (running free ACME services) is 90 days.

It also raises the question of why you want a long-lived certificate. You should/must automate certificates used for production systems, so the lifecycle of the individual certificate shouldn't matter.

4 Likes

This.

Up until recently the maximum and minimum certificate lifetime was 90 days.

Now there's a CA that allows you to ask for shorter lifetimes (less than three days is "discouraged").

@joe-oli tell us your needs, we might be able to help you.

2 Likes

Nothing fancy, in the same way I can get a 1 yr or 2 yr certificate from Digicert, that's what I am looking for; just want to install it on IIS (Windows WebServer) and be done with it for the year (or 2 years). I don't know why everyone keeps saying "yeah automation is good, yeah 3 months is good". Go and look at microsoft.com, or ibm.com, or redhat.com, the cert is for a full 1 year :stuck_out_tongue_winking_eye:

At the risk of (more) self promotion, have you tried https://certifytheweb.com - it'll do what you want with IIS but using 90 day certs that are auto renewed (other ACME clients are available).

You can indeed get 1 yr (or greater) certs via DigiCert, SSL.com etc but they are generally manually installed (they can be automated too, but people don't always bother with automation for long term certs).

3 Likes

Yeah ok thanks, I'll take a look at your suggested CA.
[EDIT: Ok, you are not a CA, you are selling an automation tool. All the best, but I'll do it manually]

1 Like

And Google uses a cert valid for less than 3 months, so what's your point? Exactly, what others do is not a very good argument if you ask me.

If you read the link in the FAQ item I posted earlier, you would have seen some arguments for short cert lifetime and, with that, automation: Why ninety-day lifetimes for certificates? - Let's Encrypt

Certify The Web also has a free version. If you don't like Certify the web, you can choose from a broad range of other ACME clients: ACME Client Implementations - Let's Encrypt

Why?

4 Likes

Have you seen google.com? facebook.com? mozilla.org? :smiley:

You know they make browsers and serve the biggest websites of the internet, right?

3 Likes

You actually can't get certificates for 2 years anymore; the general limit from any CA right now is currently 398 days (just over 1 year 1 month).

7 Likes

Correct. The CA/Browser Forum Baseline Requirements Documents (SSL/TLS Server Certificates)

It is clearly stated in 6.3.2 Certificate operational periods and key pair usage periods
https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.8.4.pdf

3 Likes

What is your actual goal, though? I assume you're not trying to get a year-long certificate just to have a year-long certificate.

Oh yes, that is exactly what I am trying to do, set and forget. If it's good enough for microsoft.com, ibm.com, etc. etc., then it's good enough for me.

Trust me, automation is set it and forget it. I set up my webserver ages ago and it automatically renews and reloads every 60 days like clockwork.

With automation it doesn't matter whether it's 90 days, 1 year, or 1 week. I haven't had to mess with certificates in ages beyond configuring it to get more, or no longer get ones I don't need anymore.

3 Likes

Please appreciate the following:

  • Manual one year cert after one year: "Darn, my website is down due to the expired cert, I forgot, now I have to manually renew it again!"
  • Automated cert, lifetime irrelevant, after 5 years: "Oh, I forgot it's there, because it just always renews automatically and I don't have to do anything about it."

3 Likes