Let's Encrypt: 6-Day and IP Certificates Now Generally Available

After a period of testing and several announcements, the Let's Encrypt project is now making 6-day and IP certificates available to everyone.


Let’s Encrypt has announced the general availability of 6-day and IP certificates. Tests have been running for up to a year – now everyone can benefit from improved security options.

On the Let’s Encrypt website, the project announces that interested parties can now use the short-lived certificates, which are valid for 160 hours, just over six days. To do this, they simply need to select the “shortlived” certificate profile in their ACME client. “Short-lived certificates increase security by requiring more frequent validation and not relying on unreliable revocation mechanisms,” writes project participant Matthew McPherrin.

He further explains: “If a certificate’s private key is exposed or compromised, revocation was previously the method of choice to limit damage before the certificate expired. Unfortunately, certificate revocation is an unreliable system, meaning many remain vulnerable until the certificate expires, which can be up to 90 days. With short-lived certificates, the vulnerable period is greatly reduced.”

The project participants intend to keep short-lived certificates optional. “We currently have no plans to make them the default,” McPherrin states. Let’s Encrypt users who have fully automated their renewal process should be able to switch to short-lived certificates easily. The project hopes that over time everyone will switch to automated solutions, demonstrating that short-lived certificates work well. The default validity period, however, will be reduced from 90 days to 45 days in the coming years, as the project had already announced in December.


Short-lived 6-day certificates also form the basis for the IP certificates, which are now also generally available. Server administrators can use these to authenticate TLS connections to IP addresses. Let’s Encrypt supports both IPv4 and IPv6 for this.
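What selecting the “shortlived” profile and requesting an IP certificate looks like at the protocol level, as an added example that is not code from the article or from Let’s Encrypt. It builds the unsigned body of an ACME newOrder request using the `ip` identifier type from RFC 8738 and the `profile` field from the ACME profiles extension; the function names are hypothetical, the addresses are constructed documentation addresses, and the rule that IP identifiers need the short-lived profile is enforced here as a local check based on the article's statement.

```python
import ipaddress
import json

SHORTLIVED = "shortlived"  # profile name quoted in the article


def to_identifier(name: str) -> dict:
    """Map a host name or IP literal to an ACME identifier object (hypothetical helper)."""
    try:
        ip = ipaddress.ip_address(name.strip("[]"))
    except ValueError:
        ip = None
    if ip is not None:
        # RFC 8738: type "ip", value in canonical text form (compressed, lowercase IPv6).
        return {"type": "ip", "value": ip.compressed}
    if name.replace(".", "").isdigit():
        # All digits and dots but not a valid address: refuse rather than order it as a DNS name.
        raise ValueError(f"malformed IPv4 literal: {name!r}")
    return {"type": "dns", "value": name.lower().rstrip(".")}


def build_new_order(names, profile=None) -> dict:
    """Build the newOrder payload that an ACME client would sign and POST."""
    identifiers = [to_identifier(n) for n in names]
    has_ip = any(i["type"] == "ip" for i in identifiers)
    if has_ip and profile != SHORTLIVED:
        # Local policy check (assumption drawn from the article): IP certificates
        # are built on the short-lived profile, so fail before contacting the CA.
        raise ValueError("IP identifiers require the 'shortlived' profile")
    order = {"identifiers": identifiers}
    if profile:
        order["profile"] = profile
    return order


if __name__ == "__main__":
    # Constructed sample input: documentation-range addresses, not real hosts.
    sample = ["192.0.2.10", "[2001:0DB8:0:0:0:0:0:1]"]
    print(json.dumps(build_new_order(sample, profile=SHORTLIVED), indent=2))
```

A real client wraps this payload in a signed JWS request and then completes a challenge for each identifier; those steps are not shown.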

The announcement for internal testing of certificates with a shortened validity period of six days came about a year ago. Mid-year, the first IP certificate issued by Let’s Encrypt followed.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.