Let's Encrypt: End of certificate expiry messages and 6-day certificates

Let's Encrypt is planning two changes: certificates with a six-day lifetime will be added, and the emails that warn about expiring certificates will be discontinued.


(Image: created with AI in Bing Designer by heise online / dmk)


The Let's Encrypt project is ending its notifications about expiring certificates. This long-standing behavior will stop on June 4 of this year. Until then, the project will continue to send such emails when a certificate has not been renewed by a certain time before its expiry. The project has informed users of this by email.

In the corresponding announcement on the Let's Encrypt website, the authors write that over the past ten years more and more subscribers have adopted reliable automation for certificate renewal. To send expiry notifications, Let's Encrypt has to store millions of email addresses linked to subscriber records. Privacy matters to the project, so removing this requirement is important to the maintainers.

Third, the project cites the cost of sending the messages: tens of thousands of dollars a year that the maintainers would rather invest in "other aspects of the infrastructure". The expiry notifications also add complexity to the infrastructure, which ties up time and attention and increases the likelihood of errors. In the long run the project wants to keep that complexity under control, especially as it adds new service components and retires those that can no longer be justified.

For those who still want notifications about expiring certificates, Let's Encrypt recommends third-party services such as Red Sift Certificates Lite, which monitors up to 250 certificates for free and sends expiry notifications when needed. This is useful wherever renewal is not fully automated and a certificate with a long lifetime could otherwise expire unnoticed.


Let's Encrypt also plans to offer certificates with a six-day validity period in the near future, with launch planned for February. In a separate announcement, the project explains that certificates with a shorter lifetime improve security. If the private key of a certificate is compromised, the recommended response is to revoke the certificate. In practice, however, revocation works poorly: many clients do not reliably check revocation status, so a certificate with a compromised private key or other problems can remain usable until it actually expires. The longer the validity period, the longer a problematic certificate stays usable.

Short-lived certificates therefore shrink the window in which a compromised certificate can be abused, because they expire quickly. That also reduces the need for revocation, which has historically been unreliable; accordingly, the six-day certificates contain neither OCSP (Online Certificate Status Protocol) nor CRL (Certificate Revocation List) URLs, and clients have to rely on expiry alone. A six-day lifetime leaves no room for manual renewal: it only makes sense with working ACME automation that renews every few days. A further addition is support for IP addresses: the six-day certificates can be issued for IP addresses rather than only for host names.
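The following script is an added example and is not code from the article or from Let's Encrypt. It serves two passages above: it performs the kind of local expiry check that the discontinued emails used to provide, and it inspects what a six-day certificate does and does not carry (validity window, no OCSP or CRL URLs). It assumes OpenSSL 1.1.1 or newer on the PATH; the host name "example.test" is a placeholder, and the certificate is self-signed here only so that the script runs offline, so it mimics the six-day lifetime but not the issuer or chain of a real Let's Encrypt certificate.

```shell
#!/bin/sh
# Added example, not code from the article or from Let's Encrypt.
# Assumptions: openssl 1.1.1+ on PATH; "example.test" is a placeholder name;
# the certificate is self-signed so the checks run without network access.
set -eu

# Issue a self-signed certificate whose validity period is six days, mimicking
# the lifetime of the new short-lived profile (not its issuer or chain).
make_short_lived_cert() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1/key.pem" -out "$1/cert.pem" -days 6 \
        -subj "/CN=example.test" -addext "subjectAltName=DNS:example.test" \
        >/dev/null 2>&1
}

# Succeeds if the certificate is still valid $2 seconds from now.
# openssl's -checkend exits 1 as soon as notAfter falls inside that window.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Coarse "days left" bucket for an alerting rule. A freshly renewed 90-day
# certificate sits in ">=30d"; a six-day certificate is never above ">=2d",
# which is why an expiry e-mail sent weeks ahead cannot help with it.
days_remaining_bucket() {
    for days in 30 7 2 1; do
        if cert_valid_for "$1" $((days * 86400)); then
            echo ">=${days}d"
            return 0
        fi
    done
    echo "<1d"
}

# Succeeds if the certificate points clients at an OCSP responder or a CRL.
# The six-day certificates omit both; expiry takes the place of revocation.
cert_has_revocation_urls() {
    if [ -n "$(openssl x509 -in "$1" -noout -ocsp_uri)" ]; then
        return 0
    fi
    if openssl x509 -in "$1" -noout -text | grep -q "CRL Distribution Points"; then
        return 0
    fi
    return 1
}

# Stand-alone demonstration on a temporary six-day certificate.
tmp=$(mktemp -d)
make_short_lived_cert "$tmp"
echo "lifetime bucket: $(days_remaining_bucket "$tmp/cert.pem")"
if cert_has_revocation_urls "$tmp/cert.pem"; then
    echo "revocation URLs: present"
else
    echo "revocation URLs: none (short-lived profile)"
fi
rm -rf "$tmp"
```

Point `days_remaining_bucket` at a deployed certificate file from a cron job and alert on anything below the bucket your renewal automation is supposed to keep it in; for a six-day certificate that threshold has to be ">=2d" or finer, and a failure to renew leaves at most a couple of days to react.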

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.