In addition to encouraging automation, if someone steals your certificate's private key, they only have 90 days maximum to abuse it instead of 1 year.
Not to mention things like the SHA-1 deprecation effort. When SHA-1 was declared insecure, it took 5 years to completely retire it since that was the maximum validity date. The shorter certificates are, the easier it is to keep them secure.
Also it gets awkward when a domain doesn't get renewed or gets transferred to somebody else, but there are existing long-lived certificates that the old owner has. This is part of why the industry has been moving to shorter certificates in general.
Yes, I see the logic in what you say about a shorter life span for the certificate helping to maintain security.
So I'm now on the lookout for another hosting company to host my existing website, one that provides free security certificates. I have had a look at the list on Let's Encrypt for those that automatically implement the SSL certificate. I don't think any of them are based in the UK. Although I'm not sure if it matters that the servers are in Europe rather than the UK.
Thanks for your help and advice.
It might be useful if the hosting provider list included countries! Especially because some people might have regulatory requirements, or preferences, to use providers based in their own jurisdictions. Or in other cases, not in their own jurisdictions, if they're going to run sites that would upset their home countries' governments.
I looked at the HTML source of the current hosting provider list and found that these providers have .co.uk domains:
In addition, although their domain isn't .co.uk, I happen to know from watching a presentation by one of their staff on a different technical topic that Mythic Beasts (which is also on that list)
I personally recommend most small sites just use Cloudflare (free) to host their DNS - you can still use the same web host and registrar; they just host your DNS and proxy your web requests. The immediate benefit is that they automatically provide HTTPS for your site, so it's especially useful if your web control panel makes HTTPS difficult.
My concern with Cloudflare is that they decrypt all frontend traffic, then (hopefully) re-encrypt it before sending it to the backend. Then again, any time a private key exists on a hosted server, it's effectively no different.
Can I get a Cloudflare service that actually presents MY certificate to my visitors?
I guess that's a question of definitions. But I don't think it's possible to do the CDN thing without the CDN having the private key for the (or at least "a") cert belonging to the FQDN in question.
I know that as things stand it would severely complicate establishment of secure sessions and completely decimate the efficiency of static content caching mechanisms outside of the origin server. One can wish though.