Shorter validity period for certificates


#1

I’m a big fan of the 90 day validity on certificates that Let’s Encrypt issues but I’d love to see the option to reduce that.

Are there plans to support this?


Shorter certificate lifetimes
#2

At which point does OCSP become obsolete? :slight_smile: Let’s just issue certs every 7 days.


#3

I’d love to see a certificate validity period short enough to make OCSP redundant but I think OCSP will be around for a very long time. If Let’s Encrypt could handle the load of 7 day certificates that’d be awesome! Even 2 month and 1 month options would be good for now.


#4

Such a proposal has been made, but did not make it into the Baseline Requirements, I can’t remember it got as far as a vote and was defeated or if its lack of support was obvious enough that it never made it to a vote.

Part of the rationale is that short-lived certificates would be smaller, since they needn’t carry information on where to find a CRL or OCSP response.


#5

No short-term plans but it’s something we’ve talked about wanting to support.


#6

I can give a bit more information about our current thinking, though nothing has been decided yet.

Our current API endpoint offers only 90-day certificates, no option for longer or shorter. It’s very unlikely that we will change the lifetime or offer more options on this API endpoint.

At some point, ideally in 2017, we’ll introduce a new API endpoint which implements the final IETF ACME spec. It will initially run alongside our original API endpoint. This new API endpoint will likely have a shorter maximum (default) certificate lifetime. We haven’t decided how much shorter the max/default will be, but it will likely be incremental in nature rather than something drastic. I suspect we will initially just shorten the max/default lifetime and add an option for shorter variable lifetimes later on.

At some point we will retired the original API endpoint and all subscribers will have to use the new API endpoint. I suspect this won’t happen until at least a year after the new API endpoint is available.

Things we take into consideration when considering lifetimes:

  1. Do people have the tools they need? The ACME clients out there are getting better and more numerous every day. Their automation support is getting better. Once a tool is good at automating renewal then it doesn’t matter much how often certificates are renewed – up to a point, at least. The better the client ecosystem is the more comfortable we get with shorter lifetimes.

  2. Can we handle the load? We have to make sure we’re ready for any additional load that shorter lifetimes will create.

  3. Regarding whether or not to offer optional shorter lifetimes than the default, there would be some work involved on our side to implement the option and associated policy, and we’d sacrifice the convenience of being able to assume that every certificate has exactly the same lifetime (as of right now, afaik, every single certificate we’ve ever issued, no exceptions, has a 90 day lifetime).


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.