Todo #16603

open

Base ACME certificate renewal time logic on certificate lifetime

Added by Jim Pingle about 15 hours ago. Updated about 14 hours ago.

Status: New
Priority: Normal
Assignee:
Category: ACME
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:

Description

The ACME certificate renewal logic currently decides whether a certificate needs renewal based on either a user-supplied number of days or a default value of 60 days.

Let's Encrypt is lowering its certificate lifetime from 90 to 45 days, phasing the change in over the next two years to align with the CA/Browser Forum Baseline Requirements, and it already offers profiles with lifetimes as short as 6 days. Other CAs may have similar offerings, and custom CAs such as StepCA can have any validity period the administrator configures.

The default should instead be 2/3 of the certificate's lifetime rather than a hardcoded value or a time the user must configure manually.

Input validation should also ensure the user-supplied "certificate renewal after" value is not longer than the certificate lifetime, and should perhaps warn the user if it's more than 2/3 of the lifetime.
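A Python sketch of the proposed logic, added here as an illustration (it is not code from the pfSense ACME package): the default renewal point is derived from the certificate's own notBefore/notAfter, and a user-supplied value is validated against the same lifetime. All function names and the sample validity periods are constructed for this example.

```python
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional, Tuple

class Check(Enum):
    OK = "ok"            # renewal point leaves at least 1/3 of the lifetime as margin
    WARN = "warn"        # accepted, but later than 2/3 of the lifetime
    INVALID = "invalid"  # renewal point is at or beyond certificate expiry

def lifetime_days(not_before: datetime, not_after: datetime) -> float:
    """Validity period taken from the certificate itself, in (fractional) days."""
    if not_after <= not_before:
        raise ValueError("notAfter must be later than notBefore")
    return (not_after - not_before) / timedelta(days=1)

def default_renew_after_days(not_before: datetime, not_after: datetime) -> int:
    """Proposed default: renew after 2/3 of the lifetime, never less than 1 day."""
    return max(1, int(lifetime_days(not_before, not_after) * 2 / 3))

def check_renew_after(user_days: int, not_before: datetime, not_after: datetime) -> Check:
    """Validate a user-supplied 'certificate renewal after' value. The ticket rejects values
    longer than the lifetime; this example also rejects one equal to it (renewing at expiry)."""
    life = lifetime_days(not_before, not_after)
    if user_days <= 0 or user_days >= life:
        return Check.INVALID
    if user_days > life * 2 / 3:
        return Check.WARN
    return Check.OK

def needs_renewal(now: datetime, not_before: datetime, not_after: datetime,
                  renew_after_days: Optional[int] = None) -> bool:
    """True once 'now' has reached the renewal point (user value, else the derived default)."""
    if renew_after_days is None:
        renew_after_days = default_renew_after_days(not_before, not_after)
    return now >= not_before + timedelta(days=renew_after_days)

def sample_cert(days: int) -> Tuple[datetime, datetime]:
    """Constructed notBefore/notAfter pair for a certificate with the given lifetime."""
    start = datetime(2025, 1, 1, tzinfo=timezone.utc)
    return start, start + timedelta(days=days)

def at_day(not_before: datetime, days: float) -> datetime:
    """The instant 'days' days into the validity period (a stand-in for 'now')."""
    return not_before + timedelta(days=days)

if __name__ == "__main__":
    for label, days in (("90-day", 90), ("45-day", 45), ("6-day", 6)):
        nb, na = sample_cert(days)
        print(f"{label}: default {default_renew_after_days(nb, na)} days; user 60 -> {check_renew_after(60, nb, na).value}")
```

For a 90-day certificate the derived default is 60 days, matching today's hardcoded value; for 45- and 6-day certificates it becomes 30 and 4 days, and a legacy value of 60 is rejected outright.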

Actions #1

Updated by Jim Pingle about 14 hours ago

  • Description updated (diff)