From: "Lewis G Rosenthal"
Subject: Re: [eCS-ISP] SSL cert lifetime
To: eCS ISP Mailing List
Organization: Rosenthal & Rosenthal, LLC
Message-ID: <6A08E296.7080902@2rosenthals.com>
Date: Sat, 16 May 2026 17:33:10 -0400
User-Agent: Mozilla/5.0 (OS/2; Warp 4.5; rv:38.0) Gecko/20100101 Firefox/38.0 SeaMonkey/2.35

On 05/14/26 12:44 pm, Massimo S. wrote:
> On 14/05/2026 17:40, Lewis G Rosenthal wrote:
>> Thought I'd share this bit of news from Starfield Tech regarding cert
>> lifetimes. I am assuming this will pertain to all CAs over the next few
>> years.
>>
>> 8<-------------------- snip -------------------->8
>>
>> The entire SSL Industry is undergoing a requirement to shorten SSL/TLS
>> validity duration from 398 days to 47 days. The first phase has started
>> and validity is now 200 days. This will again change to 100 days by March
>> 2027 and finally to 47 days by March 2029.
>>
>> What does this mean for you? Instead of re-installing your certificate 1x
>> per year, that frequency will begin to increase. Starting later this year
>> in approximately 180-200 days you'll need to repeat this action - and
>> then again more frequently in 2027 through 2029.
>>
>> 8<-------------------- snip -------------------->8
>>
>> Oh, joy.
>>
>> Further details are given in this "handy" article on their site:
>>
>> https://www.secureserver.net/help/why-are-ssl-certificate-validity-periods-changing-42816
>>
>> The whole argument about shorter cert lives being more secure is a tough
>> one for me, given the availability of OCSP stapling and other
>> validation/revocation methods. Oh, well.
>
> Let's Encrypt has removed stapling.
>
That's interesting; I wasn't aware.

> Out from the technical stuff, what I feel is that big companies with their
> lobbies are trying to manipulate the market, making stuff always more
> difficult to manage than before to kick out freelancers and small/medium
> companies from the market.
>
> If something becomes too complex to manage, a lot of small businesses will
> exit the market, and I feel this is what they want, surely in the elitist
> oligarchy European parliament with thousands of lobbies and think tanks
> that try to manipulate everything to their needs, and often European
> parliamentarians are found with bags of cash in the house.
>
Yes, but...

Honestly, if you are going to run your own website, you had better know how
to change an SSL cert. There's probably a cPanel widget for that (LOL). So,
I don't see swapping out certs to be a major technical hurdle. I do see it
as a major PITA, however, and I'm now down to just a handful to manage (as
compared to the 30+ I used to manage).

Still, it seems to me that there should be a better way to ensure security
without having to "change the lock" every few days to make sure that any
lost keys don't get misappropriated.

--
Lewis
-------------------------------------------------------------
Lewis G Rosenthal, CNA, CLP, CLE, CWTS, EA
Rosenthal & Rosenthal, LLC                 www.2rosenthals.com
visit my IT blog                www.2rosenthals.net/wordpress
-------------------------------------------------------------
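The schedule quoted from Starfield above (398 to 200 to 100 to 47 days) is the one operators will have to plan renewals around, so here is an added example, not code from the thread or from any CA, that turns it into a check you can run against a certificate's notBefore/notAfter: it reports the maximum validity permitted on the issuance date, whether the certificate exceeds it, the renewal date an ACME-style client would pick, and how many cert swaps per year that implies. The exact cut-over dates (15 March 2026, 2027 and 2029) and the pre-2020 825-day limit are assumptions taken from the CA/Browser Forum ballot behind this change; the thread itself only says "now", "March 2027" and "March 2029". The sample timestamps are constructed for illustration. Standard library only.

```python
"""Check a TLS certificate's validity period against the shrinking
CA/Browser Forum maximum and work out when it must be renewed.

Added example for the eCS-ISP thread; not the CA's or the list's code.
"""
import math
from datetime import date, datetime, timedelta, timezone

# Maximum validity (days) by issuance date, most recent rule first.
# Cut-over dates are an assumption taken from CA/Browser Forum ballot
# SC-081; the thread only gives "now", "March 2027" and "March 2029".
MAX_VALIDITY_SCHEDULE = [
    (date(2029, 3, 15), 47),
    (date(2027, 3, 15), 100),
    (date(2026, 3, 15), 200),
    (date(2020, 9, 1), 398),
]
PRE_2020_LIMIT_DAYS = 825  # assumption: the limit before Sept 2020


def parse(ts: str) -> datetime:
    """Parse a UTC timestamp in the 'YYYY-MM-DDTHH:MM:SSZ' form."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def max_validity_days(issued) -> int:
    """Maximum permitted validity for a cert issued on `issued`."""
    if isinstance(issued, datetime):
        issued = issued.date()
    for starts, days in MAX_VALIDITY_SCHEDULE:
        if issued >= starts:
            return days
    return PRE_2020_LIMIT_DAYS


def validity_period(not_before: datetime, not_after: datetime) -> timedelta:
    """Validity as the Baseline Requirements count it: notBefore through
    notAfter inclusive, i.e. notAfter - notBefore + 1 second. A CA that
    wants exactly N days therefore sets notAfter = notBefore + N days - 1s."""
    return not_after - not_before + timedelta(seconds=1)


def is_compliant(not_before: datetime, not_after: datetime) -> bool:
    """True if the inclusive validity fits the limit on the issuance date."""
    limit = timedelta(days=max_validity_days(not_before))
    return validity_period(not_before, not_after) <= limit


def renewal_due(not_before: datetime, not_after: datetime,
                fraction: float = 2 / 3) -> datetime:
    """When an ACME-style client should renew: once `fraction` of the
    lifetime has elapsed (certbot's default is roughly two thirds)."""
    return not_before + validity_period(not_before, not_after) * fraction


def renewals_per_year(issued, fraction: float = 2 / 3) -> int:
    """Cert swaps per year for a cert issued on `issued`, renewing at
    `fraction` of the maximum lifetime in force on that date."""
    interval_days = max_validity_days(issued) * fraction
    return math.ceil(365 / interval_days)


def report(not_before: datetime, not_after: datetime) -> str:
    """One-line summary for a cert's validity window."""
    period = validity_period(not_before, not_after)
    return (f"issued {not_before.date()}: period {period.days}d, "
            f"limit {max_validity_days(not_before)}d, "
            f"{'OK' if is_compliant(not_before, not_after) else 'TOO LONG'}, "
            f"renew by {renewal_due(not_before, not_after).date()}, "
            f"~{renewals_per_year(not_before)} renewals/yr")


if __name__ == "__main__":
    # Constructed sample windows, not real certificates.
    nb = parse("2026-05-16T12:00:00Z")
    exact_200 = nb + timedelta(days=200) - timedelta(seconds=1)  # what a CA issues
    print(report(nb, exact_200))
    print(report(nb, nb + timedelta(days=200)))   # one second over: non-compliant
    print(report(nb, nb + timedelta(days=398)))   # last year's lifetime: non-compliant
    print(report(parse("2029-04-01T00:00:00Z"),
                 parse("2029-04-01T00:00:00Z") + timedelta(days=47) - timedelta(seconds=1)))
```

The one-second inclusivity is the edge case worth remembering: a certificate whose notAfter is exactly notBefore plus 200 days is already one second over the limit, which is why CAs issue notAfter = notBefore + N days - 1 s. The renewal fraction is what turns a 47-day lifetime into roughly a renewal a month, so whatever replaces the cPanel widget has to be unattended.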