Supporting validity periods shorter than 90d (e.g. 30 days)

There are sometimes legitimate use-cases for requesting certificates valid for less than 90d. Also, in previous communications, you've mentioned you're looking into shortening validity periods in the future. Do you have any update on the plans? Would you be open to supporting it?

The most related post I found is from 2017, but the realities were different then (e.g. LE was still using the draft ACME version): Shorter validity period for certificates - #6 by josh

The Let's Encrypt staff shared some insight into this with the Community Moderators earlier this year. It is still on their radar and something they want to offer, but it is not likely to happen in the near future. They have a backlog of higher priority items to get through, and will then have to address some staffing implications before offering this.

It seems that ISRG is basically at an operational sweet spot of 90 day lifetimes right now. As shorter lifetimes will mean more certificates, higher server load, and would make any outage even more critical, they would need to staff up engineering resources to handle everything with the same level of attention and reliability. They don't want to overextend their personnel.

4 Likes

If you're just looking for any free ACME CA that supports shorter lifetimes, Google Trust Services already does via the Certificate Manager Public CA feature in Google Cloud. However, your ACME client needs to be able to support sending the necessary notBefore and notAfter fields in some form or another, which not all currently do.

You can go as low as 1 day lifetime with Google, but they recommend no shorter than 3 days.

5 Likes
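The notBefore and notAfter fields mentioned in the reply above are optional members of the ACME newOrder payload (RFC 8555, section 7.4). The sketch below is an added example, not code from the thread or from any ACME client: it builds such a payload for a short lifetime and reads back the window a CA recorded in its order object. The function names are hypothetical, the 1 day and 3 day limits are the ones quoted in the reply, and signing the payload as a JWS and posting it is left to the client.

```python
from datetime import datetime, timedelta, timezone

# Limits quoted in the reply above for Google's public CA.
MIN_LIFETIME = timedelta(days=1)
RECOMMENDED_MIN = timedelta(days=3)
FMT = "%Y-%m-%dT%H:%M:%SZ"  # RFC 3339 UTC timestamp, as used in ACME order objects


def build_new_order(domains, lifetime, now=None):
    """Return (payload, warnings) for a newOrder request with an explicit validity window."""
    if lifetime < MIN_LIFETIME:
        raise ValueError("lifetime below the 1 day minimum")
    warnings = []
    if lifetime < RECOMMENDED_MIN:
        warnings.append("lifetime shorter than the recommended 3 days")
    start = (now or datetime.now(timezone.utc)).astimezone(timezone.utc)
    start = start.replace(microsecond=0)
    payload = {
        "identifiers": [{"type": "dns", "value": d} for d in domains],
        "notBefore": start.strftime(FMT),
        "notAfter": (start + lifetime).strftime(FMT),
    }
    return payload, warnings


def granted_lifetime(order):
    """Lifetime recorded in the CA's order object, or None if the window
    is absent or not in the timestamp format this sketch sends."""
    try:
        nb = datetime.strptime(order["notBefore"], FMT)
        na = datetime.strptime(order["notAfter"], FMT)
    except (KeyError, ValueError):
        return None
    return na - nb


if __name__ == "__main__":
    fixed = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed timestamp
    payload, warns = build_new_order(["example.com"], timedelta(days=3), now=fixed)
    print(payload, warns)
    # Constructed server reply that echoes the requested window.
    reply = dict(payload, status="pending")
    print(granted_lifetime(reply))
```

A `None` from `granted_lifetime` means the client should not assume the short lifetime was accepted and should check the validity dates of the issued certificate instead.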
