Sign up to save your podcasts
Or
Share Certbot 4.0: Long Live Short-Lived Certs!
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Certbot 4.0: Long Live Short-Lived Certs!
When Let’s Encrypt, a free certificate authority, started issuing 90 day TLS certificates for websites, it was considered a bold move that helped push the ecosystem towards shorter certificate life times. Beforehand, certificate authorities normally issued certificate lifetimes lasting a year or more. With 4.0, Certbot is now supporting Let’s Encrypt’s new capability for six day certificates through ACME profiles and dynamic renewal at:
There’s a few, significant reasons why shorter lifetimes are better:
There is debate on how short these lifetimes should be, but with ACME profiles you can have the default or “classic” Let’s Encrypt experience (90 days) or start actively using other profile types through Certbot with the --preferred-profile and --required-profile flags. For six day certificates, you can choose the “shortlived” profile.
These new options are just the beginning of the modern features the ecosystem can support and we are glad to have dynamic renewal times to start leveraging a more agile web that facilitates better security and flexible options for everyone. Thank you to the community and the Certbot team for making this happen!
UPDATE (05/02/2025): To clear up any confusion, Certbot offers support for these profiles but Let's Encrypt plans to have this feature fully available by the end of this year.
Love ♥️ Certbot as much as us? Donate today to support this work.
View all episodes
By When Let’s Encrypt, a free certificate authority, started issuing 90 day TLS certificates for websites, it was considered a bold move that helped push the ecosystem towards shorter certificate life times. Beforehand, certificate authorities normally issued certificate lifetimes lasting a year or more. With 4.0, Certbot is now supporting Let’s Encrypt’s new capability for six day certificates through ACME profiles and dynamic renewal at:
There’s a few, significant reasons why shorter lifetimes are better:
There is debate on how short these lifetimes should be, but with ACME profiles you can have the default or “classic” Let’s Encrypt experience (90 days) or start actively using other profile types through Certbot with the --preferred-profile and --required-profile flags. For six day certificates, you can choose the “shortlived” profile.
These new options are just the beginning of the modern features the ecosystem can support and we are glad to have dynamic renewal times to start leveraging a more agile web that facilitates better security and flexible options for everyone. Thank you to the community and the Certbot team for making this happen!
UPDATE (05/02/2025): To clear up any confusion, Certbot offers support for these profiles but Let's Encrypt plans to have this feature fully available by the end of this year.
Love ♥️ Certbot as much as us? Donate today to support this work.