From: "Lewis G Rosenthal"
Subject: Re: [eCS-ISP] SSL cert lifetime
To: eCS ISP Mailing List
Organization: Rosenthal & Rosenthal, LLC
Message-ID: <6A08E179.70105@2rosenthals.com>
Date: Sat, 16 May 2026 17:28:25 -0400

Much as I hate to admit it, other than the 17 days, the convenience of having a script do the cert updates from LE would be a tie-breaker - though I am still uneasy about LE (less so after this much time, I guess).

This short lifespan is a killer for all commercial CAs, as that has been their main attraction since LE went sort of mainstream (10 years ago, they started with 90-day certs, and that was a PITA vs 2-year certs; now all lifespans have shortened, but 17 days is probably not worth the cost).

On 05/15/26 09:47 am, Andy Willis wrote:
I saw the same from digicert.  I raised the suggestion of changing to letsencrypt.  Only 30 days but free so why pay a high premium for 17 additional days.

On Thu, May 14, 2026, 10:40 Lewis G Rosenthal <ecs-isp@2rosenthals.com> wrote:
Thought I'd share this bit of news from Starfield Tech regarding cert
lifetimes. I am assuming this will pertain to all CAs over the next few years.

8<-------------------- snip -------------------->8

The entire SSL Industry is undergoing a requirement to shorten SSL/TLS
validity duration from 398 days to 47 days. The first phase has started and
validity is now 200 days. This will again change to 100 days by March 2027
and finally to 47 days by March 2029.

What does this mean for you? Instead of re-installing your certificate 1x
per year, that frequency will begin to increase. Starting later this year in
approximately 180-200 days you'll need to repeat this action - and then
again more frequently in 2027 through 2029.

8<-------------------- snip -------------------->8

Oh, joy.

Further details are given in this "handy" article on their site:

https://www.secureserver.net/help/why-are-ssl-certificate-validity-periods-changing-42816

The whole argument about shorter cert lives being more secure is a tough one
for me, given the availability of OCSP stapling and other
validation/revocation methods. Oh, well.

--
Lewis
-------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE, CWTS, EA
Rosenthal & Rosenthal, LLC                www.2rosenthals.com
visit my IT blog                www.2rosenthals.net/wordpress
-------------------------------------------------------------

