
Short term certs are only an issue if you have inadequate tooling.

Or if you want to use certificate pinning in an app. You'd have to force-upgrade everyone every two to three months. Old versions would just stop working.

Just keep using the same key for renewals, or pin to something other than the end-entity certificate (like Let's Encrypt's intermediate certificate, or IdenTrust's root, plus some backup pins).
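Added example (not code from any commenter or from Let's Encrypt) showing what that suggestion looks like in practice: pinning the SHA-256 hash of the SubjectPublicKeyInfo rather than the end-entity certificate, so a renewal that reuses the key still matches the shipped pin, and a pin on an intermediate or backup key is just another entry in the set. The certificates are constructed self-signed stand-ins for an ACME issuance; the 90-day lifetime is an assumption.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// spkiPin returns base64(SHA-256(SubjectPublicKeyInfo DER)), the HPKP-style pin.
// It depends only on the key, so a renewal that reuses the key keeps the same pin.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// pinMatches accepts a presented chain if any certificate in it (leaf, intermediate
// or root) carries a pinned key; backup pins are simply more entries in the set.
func pinMatches(chain []*x509.Certificate, pins map[string]bool) bool {
	for _, c := range chain {
		if pins[spkiPin(c)] {
			return true
		}
	}
	return false
}

// selfSigned mints a throwaway 90-day self-signed certificate for priv. This is
// constructed test data standing in for an issuance, not a real CA's output.
func selfSigned(priv ed25519.PrivateKey, serial int64) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial),
		NotBefore: time.Now(), NotAfter: time.Now().Add(90 * 24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert
}

func main() {
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	pins := map[string]bool{spkiPin(selfSigned(priv, 1)): true} // pins shipped in the app
	renewed := selfSigned(priv, 2)                               // same key, new cert
	fmt.Println("renewal keeps pin:", pinMatches([]*x509.Certificate{renewed}, pins))
}
```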

Sure. And the tooling only exists pre-made for modern operating systems. If you run anything even a handful of years old there's no support and you have to do it by hand.

So write your own tool. There are loads you can fork.

Not buying this excuse.

True, but if it fails and you don't know it, that could be a major problem. Monitoring with alert escalation helps me sleep at night.

That's not a problem specific to Let's Encrypt, or anything else really.

If you don't want to introduce complexity, then your problem is that you don't have tooling in place when you run into a situation where you have to rotate certs.
