Pros and cons of 90-day certificate lifetimes

I’ve always been against pinning as it causes problems when you want to quickly change algorithm after a vulnerability has been detected, and ultimately it offers little benefit if you trust the trust model. We fell foul of this at work where we needed to change from SHA-1 certificates, but other teams using our service were pinning on our old certificate. These teams had native desktop applications which had no forced update method, even within a longer period such as 6 months.

Additionally, not rotating the keys frequently negates one of the main security benefits of using short durations, so for these reasons I would be against the proposition of retaining the keys, especially as a default option.