Let’s Encrypt will be reducing the validity period of the certificates we issue. We currently issue certificates valid for 90 days, which will be cut in half to 45 days by 2028. This change is being made along with the rest of the industry, as required by the CA/Browser Forum Baseline Requirements, which set the technical requirements that we must follow. All publicly-trusted Certificate Authorities like Let’s Encrypt will be making similar changes. Reducing how long certificates are valid for helps improve the security of the internet, by limiting the scope of compromise, and making certificate revocation technologies more efficient.

Let’s Encrypt will be reducing the validity period of the certificates we issue. We currently issue certificates valid for 90 days, which will be cut in half to 45 days by 2028.
This change is being made along with the rest of the industry, as required by the CA/Browser Forum Baseline Requirements, which set the technical requirements that we must follow. All publicly-trusted Certificate Authorities like Let’s Encrypt will be making similar changes. Reducing how long certificates are valid for helps improve the security of the internet, by limiting the scope of compromise, and making certificate revocation technologies more efficient.

  • Valmond@lemmy.worldEnglish
    0·
    3 months ago

    And you still can’t self certify.

    It’s cute the big players are so concerned with my little security of my little home server.

    Or is there a bigger plan behind all this? Like pay more often, lock in to government controlled certs (already done I guess because they control DNS and you must have a “real” website name to get a free cert)?

    I feel it’s 50% security 50% bullshit.

    Edit: thank you all I will dive down the CA certification rabbit hole now! Have worked in C++ & X509 on the client side so maybe I’ll be able to figure it out.

      • Valmond@lemmy.worldEnglish
        0·
        3 months ago

        But you have to manually accept this dangerous cert in the browser right?

        Very interesting actually, do you have any experience about it or other pointers? I might just set one up myself for my tenfingers sharing protocol

          • Valmond@lemmy.worldEnglish
            2·
            3 months ago

            Thank you!

            Is there some simple soft that let you make those certs, like with a root cert and then “derived” certs? On linux :-) ?

            I guess people have to re-trust every now and then because certs get old, or do they trust the (public partof the) root cert and the daughter certs derived from root are churned out regularly for the sites?

              • Valmond@lemmy.worldEnglish
                1·
                3 months ago

                I was forced to learn some of it at work (using and signing medical payment transactions, with x509 certificates) so I have ar least a starting point. I have no idea how the revoke process works though, I can’t figure out a way that it functions without a central authority getting queried regularly. I thonk I can start without that knowledge though.

                Anyway, with your information I’m up and running, thank you again!

                “Derived certificates” not child certs, noted !

      • CosmicTurtle0 [he/him]@lemmy.dbzer0.comEnglish
        0·
        3 months ago

        Yes you can but the practicality of doing so is very limiting. Hell I ran my own CA for my own internal use and even I found it annoying.

        The entire CA ecosystem is terrible and only exists to ensure connections are encrypted at this point. There’s no validation or any sort of authority to say one site is better than another.