- cross-posted to:
- [email protected]
- [email protected]
- [email protected]
- cross-posted to:
- [email protected]
- [email protected]
- [email protected]
You must log in or register to comment.
The most-aggressively short timelines don’t apply until 2029. Regardless, now is the time to get serious about automation. That is going to require vendors of a lot of off-the-shelf products to come up with better (or any) automation integrations for existing cert management systems or whatever the new standard becomes.
The current workflow many big orgs use is something like:
-
Poor bastard application engineer/support guy is forced to keep a spreadsheet for all the machines and URLs he “owns” and set 30-day reminders when they will expire,
-
manually generate CSRs,
-
reach out to some internal or 3rd party group who may ignore his request or fuck it up twice before giving him correct signed certs,
-
schedule and get approval for one or more “possible brief outage” maintenance windows because the software requires manually rebinding the new certs in some archaic way involving handjamming each cert into a web interface on a separate Windows box.
As the validity period shrinks and the number of environments the average production application uses grows, the concept of doing these processes manually becomes a total clusterfuck.
I’m that poor bastard engineer at my company. This likely will be the push we need to prioritize automation. Dealing with manual renewals with Digicert has been a pain in the ass. If anyone has experience with their automated option I’d love to hear it.
Ironically the shortening of cert lengths has pushed me to automated systems and away from the traditional paid trust providers.
I used to roll a 1-year cert for my CDN, and manually buy renewals and go through the process of signing and uploading the new ones, it wasn’t particularly onerous, but then they moved to I think either 3 or 6 months max signing, which was the point where I just automated it with Let’s Encrypt.I’m in general not a fan of how we do root of trust on the web, I much prefer had DANE caught on, where I can pin a cert at the DNS level that is secured with DNSSEC and is trusted through IANA and the root zone.
I’ve proposed using Let’s Encrypt but my coworkers believe there would be a perception issue with us using a “free” TLS certificate provider. I work for a popular internet search engine so it’s a reasonable worry.
It just seems like LE has the most efficient automatic renewal setup, though I haven’t looked in detail at other providers.
That sound weird to me. How big is the population of people who are technical enough to even check what certificate provider you are using but ignorant enough to think that let’s encrypt is bad because it’s free?
-
Why 47 Days? 47 days might seem like an arbitrary number, but it’s a simple cascade:
200 days = 6 maximal month (184 days) + 1/2 30-day month (15 days) + 1 day wiggle room 100 days = 3 maximal month (92 days) + ~1/4 30-day month (7 days) + 1 day wiggle room 47 days = 1 maximal month (31 days) + 1/2 30-day month (15 days) + 1 day wiggle room
Simple cascade, but it goes from +15 to +7 to +15 lol
This will be a huge pain for the small business websites I administer, which really don’t need SSL to begin with except to please Google.
If you’re truly unaware of why TLS is necessary or how to automate the process then you should probably retire.
Archaic attitudes like yours are precisely why these restrictions are necessary.
Exactly. Setting up Let’s Encrypt is really easy, and once it’s set up, you don’t have to think about it.
I did it for self-hosted stuff, and it’s trivial. You can even do DNS challenge auth instead of HTTP and you don’t need to have port 80 open at all, but you do need a login token for your DNS host for the script.
The first one will probably take an hour or two if it’s your first time, and after that, it’s maybe 5 min per site.
Exactly. Setting up Let’s Encrypt is really easy, and once it’s set up, you don’t have to think about it.
That’s what I thought. And now I need to figure out how to update it for 47 day cycles.
I have mine check daily, which is the default and is recommended. It only actually updates when it’s close to renewal, so I never need to care how short the renewal period is.
Nice, having to renew the EV cert and upload it every month manually to all our hardware load balancer will be a great pleasure ! Thank you Apple ! /s
EV certs are mostly bullshit in my opinion
Yeah I think they’re generally regarded as a mistake, browsers have removed all the UI signifying an EV cert these days.
