Short-lived certificates

Is there any way to get short-lived certificates already? It seems unlikely that profiles will make it to production before OCSP (and therefore must-staple) support is dropped. Are we just stuck with long-lived certificates for a while?

1 Like

Not from Let's Encrypt.

Google supports variable cert lifetime using their ACME service and I think it goes as low as 7 days. But I've never used the Google ACME CA, because I think there are some requirements to be able to use it. (Probably need to be a Google customer.) See Public CA | Certificate Manager | Google Cloud for more info.

1 Like

I think they're aware of and trying to make profiles happen before OCSP goes away, though they don't want to promise anything yet. Their most recently stated timeline is for early-adopters to be getting short-lived certs in April, though there's no information yet on how to get signed up as an early adopter. I think the main thing that could make things more difficult is how quickly popular clients will get updated to support profiles, and to handle renewal scheduling for shorter certs (through ARI or just through being smart about looking at issued certificate lifetime).

As @Osiris stated, Google CA allows for shorter certificates (and I believe is free, though one would need to sign up for a Google Cloud account and I haven't done any testing myself). ZeroSSL also offers free ACME 90-day certificates, and I've heard they support must-staple and I haven't heard of any plans for them to remove OCSP, but they may just not be as proactive as Let's Encrypt is being.

4 Likes

The former Must-Staple users are a likely candidate set? 🙂

3 Likes

Yep, the above replies are generally correct. It's not possible to request a short-lived certificate yet. We'll be providing more information when it does become possible. We're not making any guarantees that it will be possible before OCSP Must-Staple goes away: while I agree that it would be nice for that to be the case, these are two different projects operating on different timelines under different pressures, so lining them up in that way is not guaranteed.

5 Likes

They technically go as low as 1 day, but their docs suggest not going lower than 3. But you'll need a client that supports sending notBefore/notAfter in the new order process.

Google's certs are free, but do require having a Google Cloud account (which itself might require having a payment method on file) to create the necessary EAB credential.

5 Likes
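Two points raised in this thread can be made concrete in code: a client asking for a short validity window by sending `notBefore`/`notAfter` in the ACME newOrder payload (RFC 8555 §7.4), and a renewal scheduler that derives its timing from the issued certificate's lifetime instead of a fixed "every 60 days" cron entry. The following is an added illustration written for this page, not code from Let's Encrypt, Google, or any ACME client. It assumes the certificate's validity dates are already available as datetimes (a real client would read them from the issued certificate), uses a renewal point at a configurable fraction of the lifetime (2/3 is an assumption, chosen to mirror the common "renew 90-day certs after 60 days" practice), and adds deterministic per-certificate jitter so a fleet does not renew in lockstep. It does not sign or send anything; a CA may also reject or clamp the requested window, which is why the requested lifetime is validated against a caller-supplied limit before the payload is built.

```python
from datetime import datetime, timedelta, timezone
import hashlib

RFC3339 = "%Y-%m-%dT%H:%M:%SZ"  # the timestamp format ACME expects


def build_new_order(identifiers, lifetime, not_before=None, max_lifetime=timedelta(days=90)):
    """Return an RFC 8555 newOrder payload requesting an explicit validity window.

    Only the JSON body is produced here; JWS signing and the POST to the CA's
    newOrder URL are left to the ACME client proper (assumption: caller does that).
    """
    if lifetime <= timedelta(0) or lifetime > max_lifetime:
        raise ValueError(f"requested lifetime {lifetime} outside (0, {max_lifetime}]")
    not_before = not_before or datetime.now(timezone.utc)
    not_after = not_before + lifetime
    return {
        "identifiers": [{"type": "dns", "value": name} for name in identifiers],
        "notBefore": not_before.strftime(RFC3339),
        "notAfter": not_after.strftime(RFC3339),
    }


def renewal_time(not_before, not_after, fraction=2 / 3, jitter_fraction=0.02, seed=""):
    """Point in the certificate's lifetime at which renewal should start.

    fraction   : how far through the lifetime to renew (2/3 is an assumed default).
    jitter     : up to jitter_fraction of the lifetime, derived deterministically
                 from `seed` (e.g. the cert serial) so repeated runs agree.
    """
    lifetime = not_after - not_before
    if lifetime <= timedelta(0):
        raise ValueError("notAfter must be later than notBefore")
    base = not_before + lifetime * fraction
    digest = hashlib.sha256(seed.encode()).digest()
    unit = int.from_bytes(digest[:4], "big") / 2**32  # uniform in [0, 1)
    return base + lifetime * (jitter_fraction * unit)


def check_interval(not_before, not_after, floor=timedelta(hours=1), ceiling=timedelta(days=1)):
    """How often a renewal job should wake up for a certificate of this lifetime.

    A 90-day certificate is fine with a daily check; a 7-day one needs to be
    looked at several times a day, so the interval scales with lifetime/24 and
    is clamped between `floor` and `ceiling`.
    """
    lifetime = not_after - not_before
    return max(floor, min(ceiling, lifetime / 24))


def should_renew(now, not_before, not_after, **kwargs):
    """True once `now` has passed the computed renewal point."""
    return now >= renewal_time(not_before, not_after, **kwargs)


if __name__ == "__main__":
    # Constructed sample: a 7-day certificate issued at the start of 2025.
    nb = datetime(2025, 1, 1, tzinfo=timezone.utc)
    na = nb + timedelta(days=7)
    print(build_new_order(["example.com", "www.example.com"], timedelta(days=7), not_before=nb))
    print("renew at:", renewal_time(nb, na, seed="constructed-serial-01"))
    print("check every:", check_interval(nb, na))
```

With jitter disabled, the 7-day sample renews after 4 days 16 hours; a 90-day certificate with the same settings renews on day 60, which is the behaviour most existing cron-driven setups already assume. The `check_interval` helper is the part that changes for short-lived certificates: a daily cron is too coarse once the renewal window is measured in hours.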