pfSense

CA/Browser forum baseline requirements are calling for shorter server certificate validity periods to be phased in over the next few years, with 200 days starting in March 2026, 100 days between 2027 and 2029, then 47 days after that.

With server certificate lifetimes that short, having to manually renew them becomes more and more impractical. That said, auto-renew is not a good practice for every certificate, so we may have to make it opt-in.

Some cases such as mobile IPsec or OpenVPN server certificates would have no issues being renewed so long as the CA is unchanged.

One of the primary concerns is the self-signed GUI certificate. While auto-renewal would be fairly simple, being suddenly presented with a new certificate may be confusing (and makes the user more prone to clicking through the warning without scrutinizing it).

Other cases such as end-user certificates are not subject to these limits, and since the new certificates would have to be given to the users, automatically renewing them may be ideal.

At the moment it seems like we should do the following:

• Option on each certificate to auto-renew
• Do not offer the option on CAs as renewing them has significant implications (e.g. having to redeploy the CA cert to VPN clients)
• Auto-renewal should be opt-in (for now)
• The GUI should recommend auto-renewal for server certificates, but allow it for any certificate
• Auto-renewal threshold should be at 2/3 lifetime (1/3 remaining) or perhaps based on a user-entered amount of days
• Fire a notification on renewal (GUI, e-mail, etc.)

• If practical, when nearing the renewal window for a self-signed GUI certificate, it would be nice to give the user advance notice that the certificate will renew before it happens so the user knows to expect a browser warning when it happens. Maybe 1-2 days before renewal.

This can be moved ahead as needed since it isn't as much of a concern until 2027, but may be nice to have sooner if it is practical.