Feature #16607: Auto-renewal for certificates (status: open, 100% done)
Description
CA/Browser forum baseline requirements are calling for shorter server certificate validity periods to be phased in over the next few years, with 200 days starting in March 2026, 100 days between 2027 and 2029, then 47 days after that.
With server certificate lifetimes that short, having to manually renew them becomes more and more impractical. That said, auto-renew is not a good practice for every certificate, so we may have to make it opt-in.
Some cases such as mobile IPsec or OpenVPN server certificates would have no issues being renewed so long as the CA is unchanged.
One of the primary concerns is the self-signed GUI certificate. While auto-renewal would be fairly simple, being suddenly presented with a new certificate may be confusing (and makes the user more prone to clicking through the warning without scrutinizing it).
Other cases such as end-user certificates are not subject to these limits, and since the new certificates would have to be given to the users, automatically renewing them may be ideal.
At the moment it seems like we should do the following:
- Option on each certificate to auto-renew
- Do not offer the option on CAs as renewing them has significant implications (e.g. having to redeploy the CA cert to VPN clients)
- Auto-renewal should be opt-in (for now)
- The GUI should recommend auto-renewal for server certificates, but allow it for any certificate
- Auto-renewal threshold should be at 2/3 lifetime (1/3 remaining) or perhaps based on a user-entered amount of days
- Fire a notification on renewal (GUI, e-mail, etc.)
- If practical, when nearing the renewal window for a self-signed GUI certificate, it would be nice to give the user advance notice that the certificate will renew before it happens so the user knows to expect a browser warning when it happens. Maybe 1-2 days before renewal.
This can be moved ahead as needed since it isn't as much of a concern until 2027, but may be nice to have sooner if it is practical.
Updated by Jim Pingle 7 days ago
- Status changed from New to In Progress
- % Done changed from 0 to 90
Draft MR: https://gitlab.netgate.com/pfSense/pfSense/-/merge_requests/1262 (not yet fully implemented nor tested)
Updated by Denny Page 7 days ago
Question: Will the new lower lifetimes apply to self-signed certificates and/or private CA certificates?
The reason that I ask is that the prior 397 day limit only applied to certificates whose root was an authority built into the browser distribution. As far as I know, all browsers currently allow lifetimes well beyond a year for private CA based / self-signed certificates. I believe Safari has the shortest lifetime, which is 825 days. I'm not sure Chrome / Firefox actually have any limit for private CA certificates.
Just food for thought...
Updated by Jim Pingle 7 days ago
Denny Page wrote in #note-2:
Question: Will the new lower lifetimes apply to self-signed certificates and/or private CA certificates?
The reason that I ask is that the prior 397 day limit only applied to certificates whose root was an authority built into the browser distribution. As far as I know, all browsers currently allow lifetimes well beyond a year for private CA based / self-signed certificates. I believe Safari has the shortest lifetime, which is 825 days. I'm not sure Chrome / Firefox actually have any limit for private CA certificates.
That hasn't been my experience, even self-signed certs and custom TLS server certs have been rejected for being over the limit but it varies by platform. IIRC macOS/iOS were the most strict, and Chrome after that, but it's been so long I don't remember exactly which did it first. It also affected OpenVPN at one point.
It is limited to TLS server certificates, though, so CAs themselves, user certs, and certs for other things that aren't TLS servers wouldn't have the same limits.
Updated by Jim Pingle 2 days ago
- Status changed from In Progress to Feedback
- % Done changed from 90 to 100
MR is merged, should be in snapshots soon.
Final summary:
- GUI option for certificates to auto-renew, only available for certificates using internal CAs and self-signed certificates.
- Auto-renew always uses strict security options to ensure smooth transitions to higher security standards (e.g. lower cert lifetimes, stronger minimum size for keys)
- Indicates auto-renew status in certificate list by the name
- Behavior is opt-in except for new self-signed certificates which have the option forced on
- On upgrade it activates auto-renew for the GUI cert if it is capable of being renewed locally
- Detects weak or expired GUI certs on upgrade and handles them as needed to ensure the GUI will start
- Generates a notification for automatic renewals, so the user will see in the GUI/via e-mail/etc. that a certificate was renewed.
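The renewal timing proposed in the description (renew at 2/3 of the lifetime or at a user-entered number of days remaining, with a 1-2 day heads-up for the GUI cert) and the lifetime cap from the final summary, worked through as an added example; this is not pfSense's own code (which is PHP), and the March-15 cutover days are an assumption since the ticket only names the month and year.

```python
from datetime import date, timedelta
from typing import Optional

# Max TLS server certificate lifetime by issue date, per the schedule in the ticket
# (200/100/47 days). The 15th of March is assumed here; the ticket gives only month and year.
# Before the first cutover the 397-day limit mentioned in the thread applies.
VALIDITY_SCHEDULE = [
    (date(2029, 3, 15), 47),
    (date(2027, 3, 15), 100),
    (date(2026, 3, 15), 200),
]
LEGACY_MAX_DAYS = 397


def max_validity_days(issued: date) -> int:
    """Longest TLS server certificate lifetime permitted on the given issue date."""
    for cutover, days in VALIDITY_SCHEDULE:
        if issued >= cutover:
            return days
    return LEGACY_MAX_DAYS


def renewal_date(not_before: date, not_after: date, remaining_days: Optional[int] = None) -> date:
    """Date on which auto-renew fires: 2/3 of the lifetime elapsed (1/3 remaining),
    or a user-entered number of days before expiry when one is given."""
    if remaining_days is not None:
        return not_after - timedelta(days=remaining_days)
    lifetime = (not_after - not_before).days
    elapsed_at_renewal = -(-2 * lifetime // 3)  # ceiling of 2/3 * lifetime, whole days
    return not_before + timedelta(days=elapsed_at_renewal)


def renewal_due(not_before: date, not_after: date, today: date, remaining_days: Optional[int] = None) -> bool:
    """True once the renewal date has been reached."""
    return today >= renewal_date(not_before, not_after, remaining_days)


def advance_notice_due(not_before: date, not_after: date, today: date,
                       notice_days: int = 2, remaining_days: Optional[int] = None) -> bool:
    """True inside the 1..notice_days window before renewal: the point at which a user
    should be warned that the self-signed GUI cert is about to change."""
    until = (renewal_date(not_before, not_after, remaining_days) - today).days
    return 1 <= until <= notice_days


def renewed_lifetime_days(renew_on: date, requested_days: int) -> int:
    """Lifetime of the replacement certificate, capped by the limit in force on the
    day it is issued (the 'strict security options' behaviour from the final summary)."""
    return min(requested_days, max_validity_days(renew_on))
```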