I’ll add another problem with the 90-day lifetime. I have the following:
- Linux Server with Apache which uses: PEM, CERT, CHAIN
- Within my Linux server I have several Java programs which use: JKS
- A Windows Server - PFX (with password for private key)
- A media server on a different Windows 10 machine - PFX (no password)
As I’m sure you can imagine, I’m not really interested in keeping these various parts updated every 90 days.
The problem, to me, is that the Let’s Encrypt use case is a single server or, I guess, many servers all running the same operating system and all referencing the exact same SSL certificate. In that case, sure, there’s no big deal for a 90-day auto renew.
But what about my use case? Multiple machines with different OSes, none of which speak the same SSL language. All of a sudden, it’s not such an automatic process at all but rather a tedious manual one.
For the automation to work, at least in my case, Let’s Encrypt would need to not only renew the certificates but convert and properly propagate them as well. As this seems like a large ask at this point, a longer timeframe seems like a reasonable alternative. Doing this once every two or three years, okay. Every 3 months? Ugh, forget it.
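The convert step this post asks for can be scripted as a renewal hook. The following is an added example, not part of the original post: it assumes certbot as the ACME client, and the names `convert_cert`, `STORE_PASS` and `/etc/ssl/converted` are hypothetical. Apache reads the PEM files directly, and copying the results to the other machines is not covered.

```shell
#!/bin/sh
# Added example, not from the post. Assumed names: convert_cert, STORE_PASS,
# the output file names, and /etc/ssl/converted.

# convert_cert KEY_PEM FULLCHAIN_PEM OUT_DIR NAME
# Builds NAME.pfx (password), NAME-nopass.pfx (empty password) and, when
# keytool is installed, NAME.jks from one renewed PEM key and chain.
# The password is read from the exported STORE_PASS variable so it never
# appears on a command line (visible in ps); JKS needs at least 6 characters.
convert_cert() (
    key=$1 chain=$2 out=$3 name=$4
    [ -n "${STORE_PASS:-}" ] || { echo "STORE_PASS is not set" >&2; exit 1; }
    umask 077                      # every output holds the private key
    mkdir -p "$out" || exit 1

    # PFX for the Windows Server (password on the private key)
    openssl pkcs12 -export -inkey "$key" -in "$chain" -name "$name" \
        -out "$out/$name.pfx" -passout env:STORE_PASS || exit 1

    # PFX for the media server (no password): file permissions are its only protection
    openssl pkcs12 -export -inkey "$key" -in "$chain" -name "$name" \
        -out "$out/$name-nopass.pfx" -passout pass: || exit 1

    # JKS for the Java programs, imported from the password-protected PFX
    if command -v keytool >/dev/null 2>&1; then
        rm -f "$out/$name.jks"
        keytool -importkeystore -noprompt \
            -srckeystore "$out/$name.pfx" -srcstoretype PKCS12 \
            -srcstorepass:env STORE_PASS \
            -destkeystore "$out/$name.jks" -deststoretype JKS \
            -deststorepass:env STORE_PASS >/dev/null 2>&1 || exit 1
    else
        echo "keytool not found, skipping JKS" >&2
    fi
)

# certbot exports RENEWED_LINEAGE to a --deploy-hook after a successful renewal.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    convert_cert "$RENEWED_LINEAGE/privkey.pem" "$RENEWED_LINEAGE/fullchain.pem" \
        /etc/ssl/converted "$(basename "$RENEWED_LINEAGE")"
fi
```

The passwordless PFX is an unencrypted copy of the private key, so it should only travel over an authenticated, encrypted channel and land in a directory restricted to the service account that reads it.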