How do I get a certificate for greater than 3 months ? Happy to pay.
Info is not easily found @ letsEncrypt.org ! Can the powers that be direct me to where I can find such info ?! ( Shut up and take my money 
)
You can't, not from Let's Encrypt.
Other CAs will be happy to sell you one, though 
1 Like
It's in the FAQ: FAQ - Let's Encrypt
2 Likes
You can get one from BuyPass Go for 180 days but everyone else (running free ACME services) is 90 days.
It also raises the question of why you want a long lived certificate? You should/must automate certificates used for production systems, so the lifecycle of the individual certificate shouldn't matter.
4 Likes
This.
Up until recently the maximum and minimum certificate lifetime was 90 days.
Now there's a CA that allows you to ask for shorter lifetimes (less than three days is "discouraged").
@joe-oli tell us your needs, we might be able to help you.
3 Likes
Nothing fancy, in the same way I can get a 1 yr or 2 yr certificate from Digicert, that's what I am looking for; just want to install it on IIS (Windows WebServer) and be done with it for the year (or 2 years) - I don't know why everyone keeps saying "yeah automation is good, yeah 3 months is a good" Go and look at microsoft.com, or ibm.com, or redhat.com, the cert is for a full 1 year 
At the risk of (more) self promotion, have you tried https://certifytheweb.com - it'll do what you want with IIS but using 90 day certs that are auto renewed (other ACME clients are available).
You can indeed get 1 yr (or greater) certs via DigiCert, SSL.com etc but they are generally manually installed (they can be automated too, but people don't always bother with automation for long term certs).
3 Likes
Yeah ok thanks, I'll take a look at your suggested CA.
[EDIT: Ok, you are not a CA, you are selling an automation tool. All the best, but I'll do it manually]
1 Like
And Google uses a cert valid for less than 3 months, so what's your point? Exactly, what others do is not a very good argument if you'd ask me.
If you read the link in the FAQ item I posted earlier, you would have seen some arguments for short cert lifetime and, with that, automation: Why ninety-day lifetimes for certificates? - Let's Encrypt
Certify The Web also has a free version. If you don't like Certify the web, you can choose from a broad range of other ACME clients: ACME Client Implementations - Let's Encrypt
Why?
4 Likes
Have you seen google.com? facebook.com? mozilla.org?
You know they make browsers and serve the biggest websites of the internet, right?
4 Likes
You actually can't get certificates for 2 years anymore; the general limit from any CA right now is currently 398 days (just over 1 year 1 month).
7 Likes
Correct. The CA/Browser Forum Baseline Requirements Documents (SSL/TLS Server Certificates)
Is clearly stated in 6.3.2 Certificate operational periods and key pair usage periods
https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.8.4.pdf
3 Likes
What is your actual goal, though? I assume you're not trying to get a year-long certificate just to have a year-long certificate.
1 Like
Oh yes, that is exactly what I am trying to do, set and forget. If it's good enough for microsoft.com, ibm.com, etc etc.. then it's good enough for me.
Trust me, automation is set it and forget. I setup my webserver ages ago and it automatically renews and reloads every 60 days like clockwork.
With automation it doesn't matter whether it's 90 days, 1 year, or 1 week. I haven't had to mess with certificates in ages beyond configuring it to get more, or no longer get ones I don't need anymore.
3 Likes
Please appreciate the following:
- Manual one year cert after one year: "Darn, my website is down due to the expired cert, I forgot, now I have to manually renew it again!"
- Automated cert, lifetime irrelevant, after 5 years: "Oh, I forgot it's there, because it just always renews automatically and I don't have to do anything about it."
3 Likes
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.