Hacker News new | past | comments | ask | show | jobs | submit login

Really long expiration certs are a security issue. The main reason being that if the cert is compromised, there is a much longer window that it can be exploited. With a 90 day window, even if it is compromised, it will stop working soon.

Even in the case that it is compromised and you know it, your only option is certificate revocation. And you are in big trouble if you are relying on revocation because most clients do not keep very up to date with the CRL.

Not only for security, but the 90 days is to encourage automation. And most clients like certbot will check everyday, and if the cert is within 30 days of renewal, it attempts to renew. If letsencrypt is down, it will try again the next day. So you have an entire month before an outage would affect you.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: