Todo #16603
Base ACME certificate renewal time logic on certificate lifetime
Status: Closed
% Done: 100%
Description
The ACME certificate renewal logic currently checks to see if a certificate needs renewal based on either a user-supplied number of days for the certificate or a default value of 60 days.
Let's Encrypt is lowering the certificate lifetime from 90 to 45 days and phasing that change in over the next two years to align with CA/Browser Forum baseline requirements, and they already offer profiles with lifetimes as short as 6 days. Other CAs may have similar offerings, and custom CAs such as StepCA can have any validity period the administrator configures.
The default should be changed instead to be 2/3 the lifetime of the certificate rather than a hardcoded value or forcing the user to configure a time manually.
Input validation should also ensure the user-supplied "certificate renewal after" value is not longer than the certificate lifetime and maybe warn the user if it's more than 2/3 the lifetime.
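A worked example of the logic proposed above, added here and not code from the pfSense ACME package: it derives the default renew-after period as 2/3 of the lifetime read from the certificate's notBefore/notAfter, rejects a user-supplied value longer than the lifetime, and warns when the value exceeds 2/3. The names (CertWindow, resolve_renew_after, renewal_due) and the 90-, 45- and 6-day sample windows are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Renew by default once 2/3 of the lifetime has elapsed; an integer ratio keeps
# the timedelta arithmetic exact (no float rounding).
RENEW_NUM, RENEW_DEN = 2, 3

def utc(s: str) -> datetime:
    """Parse an ISO 8601 timestamp as UTC (X.509 validity times are UTC)."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

@dataclass(frozen=True)
class CertWindow:
    not_before: datetime  # validity window as read from the issued certificate
    not_after: datetime

    @property
    def lifetime(self) -> timedelta:
        return self.not_after - self.not_before

def default_renew_after(cert: CertWindow) -> timedelta:
    """Default renew-after period derived from the certificate, not a fixed 60 days."""
    return cert.lifetime * RENEW_NUM // RENEW_DEN

def resolve_renew_after(cert, user_days=None):
    """Apply the user's 'renew after' days or fall back to the default.
    Returns (period, warning_or_None); raises ValueError if the value is
    not positive or exceeds the certificate lifetime."""
    if user_days is None:
        return default_renew_after(cert), None
    period = timedelta(days=user_days)
    if period <= timedelta(0):
        raise ValueError("renew-after must be a positive number of days")
    if period > cert.lifetime:
        raise ValueError(f"renew-after {user_days}d exceeds the {cert.lifetime.days}d lifetime")
    warning = None
    if period > default_renew_after(cert):
        warning = f"renew-after {user_days}d leaves under 1/3 of the {cert.lifetime.days}d lifetime for retries"
    return period, warning

def renewal_due(cert, now, user_days=None) -> bool:
    """True once the renew-after point has passed (an expired cert is always due)."""
    period, _ = resolve_renew_after(cert, user_days)
    return now >= cert.not_before + period

if __name__ == "__main__":
    start = utc("2025-01-01T00:00:00")  # constructed sample issuance time
    for days in (90, 45, 6):  # classic, post-change and short-lived profile lifetimes
        cert = CertWindow(start, start + timedelta(days=days))
        print(f"{days}d cert: default renew after {default_renew_after(cert).days}d")
```

With a 6-day certificate the old fixed 60-day default would never fire before expiry, whereas the derived default renews on day 4.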
Updated by Jim Pingle 12 days ago
- Status changed from In Progress to Closed
- % Done changed from 0 to 100
Implemented in ACME pkg v1.1 which is out now for pfSense Plus software version 25.11.1 and CE 2.8.1