I received an email blast from my certificate provider that SSL certificate lifespans will be getting shorter over the next few years. It probably won’t affect developers using Let’s Encrypt for certificates, but it’s a bit of knowledge worth having in the back of your mind. It does affect those of us self-signing certificates locally.
This is the link to the proposal (full & complete details + who’s to blame)
This is the article from the certificate provider I use (easier to read)
Here’s the overview of important dates:
- March 15, 2026 - Maximum validity 200 days
- March 15, 2027 - Maximum validity 100 days
- March 15, 2029 - Maximum validity 47 days
When the lifespan window shortens, any certificate issued for longer than that period will be considered invalid by web browsers.
7 Likes
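An added example, not from the post's author, that checks a certificate's notBefore/notAfter window against the dates listed above and tells a self-signer what `-days` value still fits. It assumes the 398-day limit that applies before the first step-down (the post does not state it) and counts validity the way the Baseline Requirements do, with both endpoints inclusive.

```python
"""Check an X.509 validity window against the shrinking maximum-lifetime schedule."""
from datetime import date, datetime, timedelta, timezone
from math import ceil
from typing import Optional

# Schedule from the post (CA/Browser Forum ballot): on and after each date,
# newly issued certificates may not be valid for longer than the given number of days.
SCHEDULE = [
    (date(2026, 3, 15), 200),
    (date(2027, 3, 15), 100),
    (date(2029, 3, 15), 47),
]
# Assumption: before the first step the existing 398-day public-trust limit applies
# (not stated in the post; it is the current CA/Browser Forum maximum).
CURRENT_LIMIT_DAYS = 398


def max_validity_days(issued: date) -> int:
    """Longest validity period a certificate issued on `issued` may have."""
    limit = CURRENT_LIMIT_DAYS
    for effective, days in SCHEDULE:
        if issued >= effective:
            limit = days
    return limit


def validity_days(not_before: datetime, not_after: datetime) -> int:
    """Validity in whole days, counted inclusively: notBefore..notAfter spans
    (notAfter - notBefore + 1 second), so a cert ending 23:59:59 on day 47 is 47 days,
    while one ending 00:00:00 on day 48 rounds up to 48."""
    span = not_after - not_before + timedelta(seconds=1)
    return ceil(span.total_seconds() / 86400)


def check_certificate(not_before: datetime, not_after: datetime) -> dict:
    """Report whether a window fits the limit in force on its notBefore date.
    Per the post, browsers treat a certificate that overshoots that limit as invalid."""
    allowed = max_validity_days(not_before.date())
    actual = validity_days(not_before, not_after)
    return {"allowed_days": allowed, "actual_days": actual, "compliant": actual <= allowed}


def safe_openssl_days(issued: Optional[date] = None) -> int:
    """Value to pass to `openssl req -x509 -days N` when self-signing on `issued`
    (today by default) so the local certificate stays within the cap."""
    issued = issued or datetime.now(timezone.utc).date()
    return max_validity_days(issued)


if __name__ == "__main__":
    # Constructed sample: a one-year cert issued after the first step-down.
    nb = datetime(2026, 6, 1, tzinfo=timezone.utc)
    print(check_certificate(nb, nb + timedelta(days=365)))
```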
At this point, can anybody think of a reason to pay for SSL certificates? With Let’s Encrypt, the advantage was free, but you had to automate your renewals. So you could just buy a longer certificate and avoid that, renewing roughly every 3 years. Pay for the convenience of not having to automate. This change puts Let’s Encrypt on equal footing with the paid providers… so why ever pay?
There are differences of course. Let’s Encrypt will not do wildcard, reuse a private key, or issue an EV certificate. But… does any of that matter? Wildcard is unnecessary as you can just add subdomains to your LE process. Private key doesn’t really matter because pinning is no longer recommended. And EV? Did that ever really matter?
4 Likes
Let’s Encrypt does actually issue wildcards now. It requires DNS automation though, which circles us back to when automation wasn’t super easy. Needing a wildcard isn’t so common because Let’s Encrypt’s rate limit is 50 subdomains per 7 day period. But hey, it’s available if you like to tinker with automation.
They also recently announced that with their 6-day certs, they plan to begin issuing certificates to IP addresses. I look forward to this because a common desire for Xojo Web users is to test out deployment without a domain name. I assume that’s partly why Xojo offers xojocloud.net, but I don’t find myself in a position to make a similar offering with Lifeboat.
In the past I used a purchased SSL certificate with my DRM service offering because the CA was accepted on more machines by default than Let’s Encrypt (mostly older ones). But with how long LE has been around now, if your machine doesn’t trust LE, it really is too old to be connecting to the internet. The last time I had to walk an end-user through installing the LE root their machine was macOS 10.12…
Looking at the CA/Browser Forum ballot for the change, major certificate providers did sign on, so they must have some kind of plan to retain their business. 
Overall though, I love Let’s Encrypt.
2 Likes
I’m looking forward to LE 6 day IP certs also 