this post was submitted on 17 Apr 2025
200 points (98.1% liked)

Technology

69391 readers
2726 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
L4s@hackingne.ws
200
TLS Certificate Lifetimes Will Officially Reduce to 47 Days (www.digicert.com)
submitted 1 week ago by exu@feditown.com to c/technology@lemmy.world
62 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] Glitchvid@lemmy.world 5 points 1 week ago (1 children)

Ironically the shortening of cert lengths has pushed me to automated systems and away from the traditional paid trust providers.
I used to roll a 1-year cert for my CDN, and manually buy renewals and go through the process of signing and uploading the new ones, it wasn't particularly onerous, but then they moved to I think either 3 or 6 months max signing, which was the point where I just automated it with Let's Encrypt.

I'm in general not a fan of how we do root of trust on the web, I much prefer had DANE caught on, where I can pin a cert at the DNS level that is secured with DNSSEC and is trusted through IANA and the root zone.

[–] king_tronzington@lemm.ee 4 points 1 week ago (2 children)

I've proposed using Let's Encrypt but my coworkers believe there would be a perception issue with us using a "free" TLS certificate provider. I work for a popular internet search engine so it's a reasonable worry.

It just seems like LE has the most efficient automatic renewal setup, though I haven't looked in detail at other providers.

[–] patatahooligan@lemmy.world 11 points 1 week ago (2 children)

That sound weird to me. How big is the population of people who are technical enough to even check what certificate provider you are using but ignorant enough to think that let's encrypt is bad because it's free?

[–] Glitchvid@lemmy.world 5 points 1 week ago

There can be theoretical audit or blame issues , since you're not "paying" then how does the company pass the buck (SLA contracts) if something fucks up with LE.

[–] corsicanguppy@lemmy.ca 3 points 1 week ago

LetsEncrypt also built ACME, so they're the primary port for testing RFC8555. They're just gonna work better at it.

But, as above, maybe Digi is still the way for you, with the right tooling glued in.

Good luck!