The CA/Browser Forum has officially voted to amend the TLS Baseline Requirements to set a schedule for shortening both the lifetime of TLS certificates.
Ironically the shortening of cert lengths has pushed me to automated systems and away from the traditional paid trust providers.
I used to roll a 1-year cert for my CDN, and manually buy renewals and go through the process of signing and uploading the new ones, it wasn’t particularly onerous, but then they moved to I think either 3 or 6 months max signing, which was the point where I just automated it with Let’s Encrypt.
I’m in general not a fan of how we do root of trust on the web, I much prefer had DANE caught on, where I can pin a cert at the DNS level that is secured with DNSSEC and is trusted through IANA and the root zone.
I’ve proposed using Let’s Encrypt but my coworkers believe there would be a perception issue with us using a “free” TLS certificate provider. I work for a popular internet search engine so it’s a reasonable worry.
It just seems like LE has the most efficient automatic renewal setup, though I haven’t looked in detail at other providers.
That sound weird to me. How big is the population of people who are technical enough to even check what certificate provider you are using but ignorant enough to think that let’s encrypt is bad because it’s free?
There can be theoretical audit or blame issues , since you’re not “paying” then how does the company pass the buck (SLA contracts) if something fucks up with LE.
Ironically the shortening of cert lengths has pushed me to automated systems and away from the traditional paid trust providers.
I used to roll a 1-year cert for my CDN, and manually buy renewals and go through the process of signing and uploading the new ones, it wasn’t particularly onerous, but then they moved to I think either 3 or 6 months max signing, which was the point where I just automated it with Let’s Encrypt.
I’m in general not a fan of how we do root of trust on the web, I much prefer had DANE caught on, where I can pin a cert at the DNS level that is secured with DNSSEC and is trusted through IANA and the root zone.
I’ve proposed using Let’s Encrypt but my coworkers believe there would be a perception issue with us using a “free” TLS certificate provider. I work for a popular internet search engine so it’s a reasonable worry.
It just seems like LE has the most efficient automatic renewal setup, though I haven’t looked in detail at other providers.
That sound weird to me. How big is the population of people who are technical enough to even check what certificate provider you are using but ignorant enough to think that let’s encrypt is bad because it’s free?
Managers.
There can be theoretical audit or blame issues , since you’re not “paying” then how does the company pass the buck (SLA contracts) if something fucks up with LE.
LetsEncrypt also built ACME, so they’re the primary port for testing RFC8555. They’re just gonna work better at it.
But, as above, maybe Digi is still the way for you, with the right tooling glued in.
Good luck!