Todo #16603

Updated by Jim Pingle about 16 hours ago

The ACME certificate renewal logic currently checks to see if a certificate needs renewal based on either a user-supplied number of days for the certificate or a default value of 60 days. 

Let's Encrypt is "lowering the certificate lifetime from 90 to 45 days":https://letsencrypt.org/2025/12/02/from-90-to-45 and phasing that change in over the next two years to align with the "CA/Browser Forum Baseline Requirements":https://cabforum.org/working-groups/server/baseline-requirements/requirements/#632-certificate-operational-periods-and-key-pair-usage-periods, and they already offer profiles with lifetimes as short as 6 days. Other CAs may have similar offerings, and custom CAs such as StepCA can have any validity period the administrator configures.

The default should instead be 2/3 of the certificate's lifetime, rather than a hardcoded value or forcing the user to configure a time manually.

Input validation should also ensure the user-supplied "certificate renewal after" value is not longer than the certificate lifetime, and maybe warn the user if it's more than 2/3 the lifetime.
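The renewal logic this ticket asks for, as an added example in Python rather than the ACME package's own code: the renew-after default is derived from the certificate's notBefore/notAfter instead of a fixed 60 days, a user value longer than the lifetime is rejected, and a value above 2/3 of the lifetime produces a warning. The sample issuance date and the function names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

DAY = timedelta(days=1)
RENEW_NUM, RENEW_DEN = 2, 3  # renew at 2/3 of the certificate lifetime

# Constructed sample issuance time; in practice read notBefore/notAfter from the cert.
NOT_BEFORE = datetime(2026, 1, 1, tzinfo=timezone.utc)


def sample_cert(lifetime_days: float):
    """Constructed validity window (notBefore, notAfter) for a given lifetime."""
    return NOT_BEFORE, NOT_BEFORE + lifetime_days * DAY


def lifetime_days(not_before: datetime, not_after: datetime) -> float:
    """Certificate lifetime in days, taken from the validity window itself."""
    return (not_after - not_before) / DAY


@dataclass
class RenewalPolicy:
    renew_after_days: float   # days after notBefore at which renewal is attempted
    warning: Optional[str]    # set when the user-supplied value is risky


def renewal_policy(not_before, not_after, user_days: Optional[float] = None) -> RenewalPolicy:
    """Derive the renew-after threshold from the certificate, validating any user value."""
    lifetime = lifetime_days(not_before, not_after)
    default_days = lifetime * RENEW_NUM / RENEW_DEN
    if user_days is None:
        return RenewalPolicy(default_days, None)
    # Hard error: renewing after expiry (or never) is never valid.
    if user_days <= 0 or user_days > lifetime:
        raise ValueError(f"renew-after {user_days}d must be between 0 and lifetime {lifetime:g}d")
    warning = None
    # Soft warning: still valid, but leaves less than 1/3 of the lifetime for retries.
    if user_days > default_days:
        warning = f"renew-after {user_days}d exceeds 2/3 of the {lifetime:g}d lifetime"
    return RenewalPolicy(user_days, warning)


def renewal_due(not_before, not_after, now, user_days=None) -> bool:
    """True once the renewal threshold has passed (including an already expired cert)."""
    policy = renewal_policy(not_before, not_after, user_days)
    return now >= not_before + policy.renew_after_days * DAY
```

With a 90-day certificate the derived default is the old 60-day value; a 45-day certificate renews after 30 days and a 6-day one after 4 days.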
