(Fabio Alessandro Locati|Fale)'s blog

On public TLS certificates lifetime

September 13, 2020

On September 1st, 2020, the maximum lifetime of TLS certificates signed by public Certificate Authorities was reduced to 13 months. How did we arrive here, and what’s to come? Let’s start by understanding who decides the maximum lifetime of certificates and the many other limitations around them.

Who decides the TLS certificate guidelines

Ultimately, the client (often a browser or an operating system) decides whether a certificate is trustworthy (based on the CA that signed it as well as many other parameters), so the client can decide which parameters to check and which values are acceptable. This freedom makes the whole situation very messy, since every client can define its own set of requirements, and the subset of options accepted by every client can be very small, if not empty.


Let's Encrypt GA

April 13, 2016

Yesterday, Let’s Encrypt moved from beta to GA. During the beta phase, which started last September, more than 1.7 million certificates were issued.

I think this is a crucial step for the project and overall for the Internet as well. Until now, the only way to obtain a valid TLS certificate was to pay a CA. This artificial constraint made no sense since the CAs were forcing users to buy an insurance policy that made no sense (and often, it was completely worthless).
