SSL certificate renewal
Posted by mailliwal@reddit | sysadmin | 89 comments
Hi Everyone,
The industry is enforcing a phased rollout toward much shorter lifespans:
- 2026: Maximum lifespan is 200 days.
- March 15, 2027: Maximum lifespan drops to 100 days.
- March 15, 2029: Maximum lifespan drops to 47 days.
For my working environment, there are IIS, application servers and a VPN that rely on SSL certificates.
Previously I just needed to update once a year.
Is there any automation I can use after this enforcement? Or will I need to update every 47 days?
Thanks
Xibby@reddit
Let’s Encrypt and ACME. Having your public DNS hosted by a provider that has a supported API will help.
Manager pinged me about a DigiCert that expired today.
Me: “I told you I took care of it with a Let’s Encrypt cert.”
Manager: “Oh that’s right, sorry I forgot.”
Me: “The important part is you remember that it got taken care of without using the company credit card or cutting a PO.”
CekoDeko@reddit
Some proxy servers, such as Traefik and Caddy, will automatically use ACME to renew certificates for domains it knows about.
Mitchell_90@reddit
We have our own internal PKI setup via ADCS so all internal sites and apps use certificates from that. For everything externally facing we use Let’s Encrypt.
FIDST@reddit
Any hot tips or steps you can share for internal?
RusticDischarge@reddit
Should've automated years ago. Certbot, LE, ACME.
poro_8015@reddit
For IIS look into win-acme (ACME client for Windows); it handles auto-renewal natively. For the Linux side, certbot + cron is the standard. VPN appliances are the tricky part honestly, depends on what you're running.
purplemonkeymad@reddit
FYI win-acme was renamed simple-acme.
BreathDeeply101@reddit
More correct to say it was forked. Both exist, but only Simple-ACME is being updated.
andrea_ci@reddit
Certify The Web is even better than Win-Acme in my opinion
discosoc@reddit
Why would you pay money though? Just use a free tool.
andrea_ci@reddit
because it has better management and it takes less time to do things and debug requests.
discosoc@reddit
Sounds more like a gui tax for people who can’t figure out scripting.
andrea_ci@reddit
Ahhaha
To be fair, I use winacme for nginx and apache, but certify the web for iis 🤣
discosoc@reddit
Just seems crazy to spend money on a per-server product that doesn't scale out very well if you can handle basic scripting yourself.
Hell, not even a complex "script" is needed. Just a one-line command with win-acme's IIS flags will do it.
databeestjegdh@reddit
Fortinet has native ACME support, PA is crickets or something cloud based.
Arudinne@reddit
I'm using PowerShell and the SCM API for our PA's
dsmiles@reddit
On their firewalls they do. No support for their appliances like FortiAnalyzer or FortiManager yet though.
walkalongtheriver@reddit
I'd recommend other things than certbot on linux. There's a ton and in general you either have to use snap (ugh) or make a python venv for certbot.
Lego and acme.sh and others work just fine with less hassle IMO.
https://letsencrypt.org/docs/client-options/
Ziegelphilie@reddit
I moved to simple-acme last year. Same original developer, who forked his own project after the company "adopting" win-acme didn't put any resources into it
HelixClipper@reddit
SimpleACME is where it's at. Posh-ACME is better (and utterly amazing) if you want to build a custom PS flow. I have just recently built out a script using Posh to obtain/renew the cert, copy it to our centralized cert store for IIS, copy it to an Azure storage blob for nginx containers, then to Azure Key Vault for Azure App Gateway, all in one relatively compact script.
frosty3140@reddit
I have experimented with two tools: the free SimpleACME, which is okay if you're completely comfortable with a command-line style app/setup, and it will auto-handle Let's Encrypt subscription/renewals; for certs for our AlwaysOn VPN server, I am just in the process of setting it up to use the tools from CertKit, which allow automation of the RRAS cert changeover and service restart process, a definite benefit, plus their solution is entirely website-based for configuration.
reubendevries@reddit
It all depends on where you're getting your certificates from, but yes, terraform or ansible would be pretty good for this kind of thing.
I know SOMEONE is going to say "but terraform is used for deploying cloud infrastructure", and while they're not wrong (it can be used for that), they're oversimplifying what terraform does. Terraform is an application that uses (for the most part) open source providers; those providers interact with an API, so if whoever issues you a certificate has an API and someone has built a provider for it, then terraform can use it.
Essentially, when you're using terraform to build out AWS infrastructure, it's just terraform interacting with the AWS API; when you're using terraform to build out GCP infrastructure, it's just terraform interacting with the GCP API; when you're using terraform to create Let's Encrypt certificates, it's just terraform interacting with the Let's Encrypt API.
Significant_Sky_4443@reddit
!RemindMe 3 days
Academic-Proof3700@reddit
Soo... you let your folks connect directly to the IIS where you terminate ssl? Or app servers?
Well, I've seen worse, but it's not great.
coolbeaNs92@reddit
You need to define if you're talking about private or public certificates. This change applies to public certificates, not private.
If you have a private CA, this doesn't apply.
Unnamed-3891@reddit
Whatever automation you chose to deploy.
certkit@reddit
Totally agree, certificate distribution is the hard part.
stroskilax@reddit
Vendors should adopt simpler ways to install/renew certificates without having to restart services. Software relying on certificates should be able to use the existing certificate while the new one is being installed: use the old cert for existing connections until they are finished and use the new one for new connections.
Ok_Tap7102@reddit
Fully agree, what I love about nginx's hot reload
Just a reminder though, if your org can't handle 60 seconds of outage (many can and do with planned weekly maintenance periods!) then you definitely should already be looking at HA/failover pairs which may or may not also themselves allow the SSL termination, ie like nginx or HAProxy in front of your IIS server(s)
stroskilax@reddit
My use case is VoIP and it is really difficult to find some time with no calls.
So yeah...
Ok_Tap7102@reddit
Well, have I got a recommendation for you...
Stewge@reddit
Since you mention HAProxy, you can also throw commands at the Socket file/API to get it to dynamically load new certificates without issuing a reload or restart.
_mick_s@reddit
By default reload is seamless anyway so nothing else is really needed.
z0d1aq@reddit
Not happening, encryption happens before the application layer.
Cley_Faye@reddit
No. TLS is handled by your server software (apache, nginx, haproxy, whatever). It's these software that should be able to just "pick up" a new certificate on the fly.
Not that the current behavior isn't good enough; restarting does not mean killing every connection these days.
Cley_Faye@reddit
You just described how most reload works. Previous process keep handling active connections until new processes are ready to work. It's already there.
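An added example (not code from anyone in this thread) of the HAProxy runtime-API approach Stewge mentions: staging a renewed PEM with `set ssl cert` and then `commit ssl cert` over the admin socket, so new connections get the new certificate while existing ones are untouched and no reload happens. The socket path, the success strings it looks for in HAProxy's replies, and the requirement that the payload hold key and chain together are assumptions based on HAProxy's management documentation.

```python
"""Push a renewed certificate into a running HAProxy via its runtime API (stats socket)
without a reload. Added example, not from the thread. Assumes HAProxy's documented
'set ssl cert' / 'commit ssl cert' transaction and the reply fragments named below."""
import socket

SOCKET_PATH = "/var/run/haproxy/admin.sock"  # assumed: 'stats socket ... level admin' in haproxy.cfg

# Reply fragments HAProxy prints on success (assumption based on the management docs).
# Anything else is treated as failure and the staged transaction is aborted.
SET_OK = "Transaction created"
COMMIT_OK = "Success!"


def runtime_cmd(sock_path: str, command: str, timeout: float = 5.0) -> str:
    """Send one command over the admin Unix socket and return HAProxy's full reply.
    HAProxy closes the connection after a single (non-prompt) command, so read to EOF."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(sock_path)
        s.sendall(command.encode())
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")


def validate_bundle(pem: str) -> bool:
    """HAProxy loads private key and chain from one PEM; refuse payloads missing either part."""
    return "-----BEGIN CERTIFICATE-----" in pem and "PRIVATE KEY-----" in pem


def set_cert_payload(cert_name: str, pem: str) -> str:
    """Multi-line payload syntax: the command ends with '<<', then the payload, then an empty line."""
    return f"set ssl cert {cert_name} <<\n{pem.strip()}\n\n"


def reply_ok(step: str, reply: str) -> bool:
    """Classify a reply for the 'set' or 'commit' step of the transaction."""
    expected = SET_OK if step == "set" else COMMIT_OK
    return expected in reply


def hot_swap(sock_path: str, cert_name: str, pem: str) -> str:
    """Stage the new PEM under the name HAProxy already serves, then commit it.
    Fails closed: a rejected payload is aborted and the old certificate keeps serving."""
    if not validate_bundle(pem):
        raise ValueError("PEM must contain both the private key and the certificate chain")
    reply = runtime_cmd(sock_path, set_cert_payload(cert_name, pem))
    if not reply_ok("set", reply):
        runtime_cmd(sock_path, f"abort ssl cert {cert_name}\n")  # drop the staged transaction
        raise RuntimeError(f"set ssl cert rejected: {reply.strip()}")
    reply = runtime_cmd(sock_path, f"commit ssl cert {cert_name}\n")
    if not reply_ok("commit", reply):
        raise RuntimeError(f"commit ssl cert failed: {reply.strip()}")
    return reply


if __name__ == "__main__":
    import sys
    # usage: hot_swap.py /etc/haproxy/certs/site.pem /path/to/new_bundle.pem
    name, new_file = sys.argv[1], sys.argv[2]
    with open(new_file) as f:
        print(hot_swap(SOCKET_PATH, name, f.read()))
```

The name given to `set ssl cert` must be the exact path HAProxy loaded from its configuration, and the socket needs `level admin`. Certificates added to a running process this way do not survive a restart unless the file on disk is replaced as well, so a deploy hook should still write the PEM to its configured path.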
certkit@reddit
Hey u/mailliwal -- this is really scary for a lot of folks discovering it for the first time when their old 398 day certificates expire. Your timeline is exactly right, we're already in the era of 200 day certs, which means 2 renewals a year.
Automation can't be a question, you have to do this. Manual just won't work at 47 days. The question is how?
A lot of folks have suggested Let's Encrypt and an ACME client, like Certify The Web or Certbot, and this is a great answer. You need to put agents on all your IIS servers and either give them DNS credentials or open port 80 to the internet to let them validate.
That doesn't work for everyone, especially if you don't want publicly-accessible ports, or if you can't run an ACME client on the host (like appliances or locked down environments). For this sort of problem, you'll discover that certificate distribution is the last mile that's hard to solve.
If you don't have time to build a distribution system yourself (because it's a pain in the ass to get right with zero failures), you should check out CertKit, which handles the whole process as a service.
Fit_Reveal_6304@reddit
I would recommend letsencrypt. It is free and has an api for renewals
ThankYouOle@reddit
I have one project where the users are internal office staff, and some of them use quite old Android devices and LE doesn't work for them: https://community.home-assistant.io/t/lets-encrypts-ca-is-no-longer-considered-valid-on-android-versions-older-than-7-1-1/717907#p-2895112-whats-happening-now-3
But yeah, it's the user's fault too; not everyone can afford to update their smartphone. But then again that was 2 years ago, maybe they have upgraded now. I should ask, so there's no need to check SSL every 6 months.
swimmer385@reddit
if they're using the phone for work, you should buy them a phone tbh
ThankYouOle@reddit
Hmm, yeah, that makes sense and is proper, but like most low-level outsourcing jobs here, they all use their own device.
AnnoyedVelociraptor@reddit
Aren't those android versions out of support? If so, they should be banned anyway.
ThankYouOle@reddit
Not everyone can afford to buy a new phone.
I am a programmer, I am not a manager or office owner with the authority to upgrade devices or set rules for them.
And why the hell did I get downvoted for sharing my situation? It's not like I'm complaining or mad or asking for help or anything, I'm just sharing my situation.
gamer0890@reddit
Android 7.1.1 was released on December 5th, 2016. Even the cheapest of cheap Android devices, which can be had for basically nothing, are generally running at least Android 14. The cheapest Android phones I could find with a quick search are the HMD Vibe and BLU View 5. Both are $20 USD, both are running Android 14.
AnnoyedVelociraptor@reddit
Just making sure we have the full context. I get you.
In an ideal world, employers pay for phone. The reason I asked, is to get full context. And I didn't downvote you. You provided facts, no reason to downvote.
Now, back to the issue:
If I recall correctly, they miss the root certificate from LetsEncrypt, and the one that cross-signed the certs is expired.
Have you looked at ZeroSSL? Their chain is different, and they support the same tooling. If those roots are on those devices it might give you some time.
Fit_Reveal_6304@reddit
Agreed.
Fit_Reveal_6304@reddit
7.1.1 went out of support in 2019. At this point it's a security risk for them to not update their device.
Lowdog541@reddit
depends on environment, I'm doing this in Azure currently for all of our platforms/services using a mix of Key Vault emitting newSecretVersion event grid events, and function apps, app gateways simplify the process because of native integration with AKV, but VMs and Containers Instances need a bit of automation
Fit_Prize_3245@reddit
You will eventually need to update certificates every 47 days. On Linux, this is easy with certbot. On Windows, try Certify the Web, which integrates with IIS.
VPN services are not affected by this, because they work with a private PKI, which is not subject to the CA/Browser Forum rules.
chickibumbum_byomde@reddit
You definitely don't want to manage 47-day certificate renewals manually. I would deffo move to automation, because shorter certificate lifetimes make manual processes impractical. Most automate certificate issuance, renewal, and deployment using ACME-based tools, cloud-managed certificates, or specific platform clients like win-acme for IIS. I'd say the only challenge is automating deployment across all systems like IIS, VPNs, load balancers, and application servers, since some platforms support automation more easily than others.
Over time, automated certificate management will become standard because manual renewals simply won't scale anymore. I would additionally combine that with some proper certificate monitoring (when, how, and what); I've set mine up using checkmk, for all types of certificates on all devices I monitor, and it has saved me a few times from some unpleasant security issues.
smartguy_x@reddit
Totally agree ! Automation handles renewal, but visibility across all those different platforms is its own challenge. checkmk is solid for infrastructure monitoring. If anyone wants something more focused purely on expiry tracking across certificates, tokens, and secrets in one place, we built Tokentimer exactly for that use case. It's designed to give you a clear view of what's expiring when, across environments, without needing a full monitoring stack. Might complement what you already have.
TehH4rRy@reddit
Anyone rocking Omnissa Horizon? UAGs, Load balancers and connection servers? This 47 day will be a killer for us.
lowlybananas@reddit
I setup certify the web a few months ago. It's been working great.
NoSellDataPlz@reddit
Don’t forget your cloud services that might not have automation available.
Ones I’ve run into while working with vendors and potential vendors:
Some cloud services or products do not have automated cert replacement. Yes, even large, enterprise grade vendors with Fortune 500 customers do not have automation available.
Some VOIP phone systems do not have cert replacement automation. Yes, even large, enterprise grade vendors with Fortune 500 customers do not have automation available.
Some specialized self-hosted or on-prem applications (still publicly accessible) do not have cert replacement automation. Yes, niche applications with very few competitors in the market may not have cert automation available.
So, before everyone blows you off with “pfft. Reverse proxy” or “pfft. You’re years too late for this” or “pfft. It’s easy, google it”, be aware that there are still A LOT of systems and services that do not and potentially cannot be automated. It’s up to you to determine your appetite for 30-day cert replacements.
SudoZenWizz@reddit
This certificate thing is impossible with renewal every 47 days. With hundreds of certs, manual management is impossible and automation is the only way to move forward.
Without automation and monitoring of certs it will be impossible to keep track when there are many SSL certs.
Another issue is that sometimes auto-renewal doesn't work and you need to know before expiration. Monitoring SSL certs becomes critical here and needs to be reliable. For this we use checkmk for all the Let's Encrypt, GoDaddy, Comodo, etc. certs we have for customers, and we avoid getting called or getting tickets for expired certs.
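As an added example (not the commenter's checkmk setup, and not code from the thread) of the kind of check that catches a silently failed auto-renewal: it reads the certificate a host actually serves and scales the warning to that certificate's own lifetime, because a fixed "30 days left" warning fires almost immediately on a 47-day cert and then becomes noise. The host list is an assumption; the 2/3-of-lifetime renewal point is the common ACME-client default and is a parameter.

```python
"""Expiry check whose thresholds scale with the certificate's own lifetime, so a missed
ACME renewal cycle is flagged well before expiry without a fixed 30-day warning.
Added example, not from the thread; host list and renew_fraction are assumptions."""
import socket
import ssl
from datetime import datetime, timedelta, timezone


def fetch_leaf_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """TLS-connect with the default trust store and return getpeercert()'s dict,
    whose 'notBefore'/'notAfter' are strings like 'Jun  1 12:00:00 2026 GMT'."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def cert_time_utc(cert_time: str) -> datetime:
    """Parse the getpeercert() time format into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)


def assess(cert: dict, now=None, renew_fraction: float = 2 / 3) -> dict:
    """Classify a served certificate as OK / RENEWAL_OVERDUE / EXPIRED.
    ACME clients typically renew once renew_fraction of the lifetime has elapsed, so
    still seeing the same cert past that point means the automation failed and a human
    must look while there is still a third of the lifetime left to fix it."""
    now = now or datetime.now(timezone.utc)
    not_before = cert_time_utc(cert["notBefore"])
    not_after = cert_time_utc(cert["notAfter"])
    lifetime = not_after - not_before
    renew_by = not_before + lifetime * renew_fraction
    remaining = not_after - now
    if remaining <= timedelta(0):
        state = "EXPIRED"
    elif now >= renew_by:
        state = "RENEWAL_OVERDUE"
    else:
        state = "OK"
    return {
        "state": state,
        "lifetime_days": lifetime.days,
        "days_left": remaining.days,
        "renew_by": renew_by.isoformat(timespec="minutes"),
    }


def check_hosts(hosts):
    """Yield (host, assessment) for 'host' or 'host:port' entries; connection and
    handshake failures are reported as ERROR rather than aborting the whole run."""
    for entry in hosts:
        host, _, port = entry.partition(":")
        try:
            yield host, assess(fetch_leaf_cert(host, int(port or 443)))
        except (OSError, ssl.SSLError, KeyError) as exc:  # DNS, refused, bad chain, no cert dict
            yield host, {"state": "ERROR", "error": str(exc)}


if __name__ == "__main__":
    import sys
    for host, result in check_hosts(sys.argv[1:] or ["example.com"]):  # assumed host list
        print(host, result)
```

Run it from cron against the public names the load balancer serves (not the origin servers), since what matters is the certificate clients see. A `RENEWAL_OVERDUE` on a 47-day cert leaves roughly 15 days to repair the ACME client, which is the window a fixed threshold cannot give you.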
ledow@reddit
I moved all our web-based stuff to LetsEncrypt 4 years ago (after doing it 8 years ago at my previous workplace).
It's a no-brainer. Apache or IIS, you just set up the ACME client and let it go do whatever it wants.
I have a bunch of external dedicated servers handling my personal domains (via reverse proxy over a VPN) and that handles renewal of those and then just reverse proxies them back to my network (so I don't have to care about dynamic IPs, kit at home being turned off, etc.).
Our IIS setup does something similar for internal use (it functions as the reverse proxy for all local sites, and SSLs, authenticates and proxies anything that comes in externally to internal sites on a private VLAN that don't then have to care about SSL, authentication etc.).
VPN will be more of a problem for you, but I don't see it as a major issue.
The big problem for us is going to be RADIUS certificates, but even there people have got them working via LetsEncrypt, etc. It just needs a bit of script glue to make it all work.
I'd get started if I were you, rather than hesitating. You could probably do all your IIS sites in an afternoon, but I wouldn't leave it until their next renewal if I were you.
FortuneIIIPick@reddit
That's what I do, all Letsencrypt certs in Apache which front-ends my websites and reverse proxies to those instances running in kubernetes. And a cron job that checks and updates daily.
User8012356@reddit
I hate certs. Such a waste of time and money. Because changing them once a year isn’t annoying enough.
LordCornish@reddit
One piece of the puzzle for you: CertifyTheWeb automates the LetsEncrypt certificate lifecycle in IIS.
midasweb@reddit
You'll need automation to handle renewals and deploy certs automatically across IIS/VPN; manual renewals won't scale with shorter lifespans.
InterestingMedium500@reddit
ACME + VAULT + ANSIBLE
dakruhm@reddit
Again, this cert scenario does not apply to internal PKI. Sounds like you have or should have internal PKI.
kowalikc@reddit
Look into ACME with Certify or Win-ACME for Windows. Automates renewal and hooks into IIS.
Candid_Candle_905@reddit
Lol you should not be touching 47‑day renewals by hand 😄
This is their way of forcing you to automate, not to remap your calendar. For IIS, pick either Certify The Web or a proper cert. management platform; for VPN / internal stuff, lean into ACME style short‑lived certs and scripts
johnnydotexe@reddit
For our stuff in Azure, I'm using the acmebot function app with a key vault and the keyvault for windows extension on the IIS VMs. IIS is set to auto-update binding on cert renewal. Automated renewals, just doesn't auto remove the old expired certs from the store (and IIS). Works for more than just the VMs, too.
FalconDriver85@reddit
Do you have public facing IIS servers? If that’s not the case, private certificates emitted by enterprise CAs are not subject to the limit. We are routinely creating certificates with a duration of 730 days.
andr0m3da1337@reddit
The problem is the vendors (both CA and software appliances) don't have an easy way to perform this automation. I feel that this certificate validity decision is taken without these constraints.
What about the enterprises that don't want to have let's encrypt?
Who will contact 1000's of application owners and tell them about this change (who doesn't know about SSL at all) and guide them to implement?
It was all going good once per year. Why force? We must have two options:
I wish you all good luck!!!
Claidheamhmor@reddit
This is going to be fun. Lots of certs, and for each external one, we have to update IIS (not hard) and have our load balancer team update each VIP with the new cert (with all the accompanying change controls).
jimicus@reddit
The only sane answer is you change the process from a manual one to an automatic one.
Only need one change control then: the one that handles the process change.
Claidheamhmor@reddit
Agreed. Luckily we have a whole department and system for certs, and they'll help roll out a company strategy, I'm sure.
vReqRz@reddit
We renew the certificates for our customers every year, now every 6 months, but with the new regulations you’ll need an FTE to renew the certificates for each client.
Could we automate this by ourself instead of using let’s encrypt?
ThankYouOle@reddit
Yes, and what annoys me is why I need to pay for it annually? Why not just pay for 6 months?
you pay for 1 year, but need to check it in 6 months, if you forgot about it then basically you only got 6 months for 1 year payment.
wyrdough@reddit
I don't know why you'd want to re-invent the wheel as far as domain verification and obtaining the certificates goes, but the popular open source tools allow you to run whatever deploy hooks are required for actually installing the certs and reloading services.
I have some servers that run certbot or acme.sh and do everything themselves using website or domain verification. I have other deployments using a low attack surface VM that handle getting the certs using domain verification and then deploys them to the hosts that actually use them using deploy hooks for the cases where running the ACME client directly on the server is infeasible or undesirable.
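An added example (not wyrdough's or certbot's own code) of what such a deploy hook should do before it touches a live server: prove the renewed cert and key are loadable as a pair, install them atomically so a reload never sees a half-written file, and only then reload. The destination directory `/etc/ssl/site` and the `systemctl reload nginx` command are hypothetical; `RENEWED_LINEAGE` is the variable certbot documents for `--deploy-hook` scripts.

```python
"""certbot --deploy-hook: validate the renewed material, install it atomically, then reload.
Added example, not certbot's code. Assumes certbot's documented hook environment
(RENEWED_LINEAGE) and a hypothetical destination directory and reload command."""
import os
import ssl
import subprocess
import sys
import tempfile
from pathlib import Path


def chain_is_usable(cert_path, key_path) -> bool:
    """Load the pair into a real server TLS context. This rejects truncated PEM, an
    unreadable key and a key that does not match the leaf: the failures that take a site down."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(certfile=str(cert_path), keyfile=str(key_path))
    except (ssl.SSLError, OSError):
        return False
    return True


def atomic_copy(src, dst, mode: int) -> None:
    """Write a temp file in the destination directory, fsync, chmod, then rename over dst.
    rename is atomic on POSIX, so a reloading server sees either the old file or the new one,
    and the key is never readable by anyone else even momentarily."""
    dst = Path(dst)
    data = Path(src).read_bytes()
    fd, tmp = tempfile.mkstemp(dir=dst.parent, prefix=f".{dst.name}.")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
            f.flush()
            os.fsync(f.fileno())
        os.chmod(tmp, mode)
        os.replace(tmp, dst)
    except BaseException:
        Path(tmp).unlink(missing_ok=True)
        raise


def install_renewed(lineage_dir, dest_dir, reload_cmd=None) -> bool:
    """Return True only if the new cert+key were validated, installed and the service reloaded.
    On validation failure nothing is written, so the previously installed cert keeps serving."""
    lineage = Path(lineage_dir)
    cert, key = lineage / "fullchain.pem", lineage / "privkey.pem"
    if not chain_is_usable(cert, key):
        return False
    dest = Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    atomic_copy(cert, dest / "fullchain.pem", 0o644)
    atomic_copy(key, dest / "privkey.pem", 0o600)
    if reload_cmd:
        subprocess.run(reload_cmd, check=True)
    return True


if __name__ == "__main__":
    # certbot sets RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.com) for deploy hooks
    ok = install_renewed(os.environ["RENEWED_LINEAGE"], "/etc/ssl/site",
                         ["systemctl", "reload", "nginx"])
    sys.exit(0 if ok else 1)
```

Wire it in with `certbot renew --deploy-hook /path/to/this.py`; a non-zero exit makes certbot report the failure, which is what the monitoring people in this thread want to see rather than a silently skipped deployment.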
SoulPhoenix@reddit
We use Entrust w/ ACME for external facing. For our internal stuff (and our VPN for some reason) that needs SSL certs we use a permanent self signed cert which is...a choice lol
GremlinNZ@reddit
Government department giving us (currently) annual certificates is our biggest issue.
We have scripts to deploy them to machines, but no faith they're going to move proactively on that...
Familiar_Box7032@reddit
I used Certify The Web installed in the IIS to auto renew and bind free SSL certificates
The_Struggle_Man@reddit
This right here OP.
I switched our organization from a yearly wildcard renewal to host several sites, and other misc cert requirements, to Certify the Web, and some PowerShell automation for the non-IIS stuff. It's been a life saver and I don't even have to think about certs anymore! Letsencrypt with my DNS registrar and it handles everything. Def worth the cost.
ikdoeookmaarwat@reddit
The shortened lifespans are not a new thing. It's been known for years now. You're late to the party, but still have time to set up automated cert renewal.
> Any automation can I use
Many.
databeestjegdh@reddit
I built a tool using gemini to support our PA and Kemp to automate the replacements. It automatically replaces the certs and updates the linked profiles and does the cleanup. We also use this tool to track EntraID secrets and certificate expiry in general for client-server authentication.
ymmv - https://github.com/smos/cert-drawer
General purpose ACME would work if you need to automate a single cert on a box. However, this thing does inbound SSL decryption, so they need to be using the same one on both devices for it to work.
Also made requesting and pushing certs easier in general. No public certs on the Windows endpoints, the load balancer is in front, and that has automation. At some point we'll need to find a method to replace the on-prem SMTP certificate. That'll be fun.
applevinegar@reddit
This is awesome, we're on the same boat with Kemp+PA decryption, you already did everything I've been thinking of doing!
and we have Domino for on prem SMTP so yeah that'll be fun too.
databeestjegdh@reddit
I would recommend using the external poller script so you can limit the attack surface of this app. You can place that PHP script on another host, internal or external, so that general DNS/certificate health checks which require more outbound access can take place on a different host.
It is built in such a way so it should not be able to be used as a generic proxy. But can then still test internal hosts. It also tests with a external resolver for when you have split-horizon DNS.
I need to update the README i guess
InvisibleTextArea@reddit
We have an internal CA that has expiries we specify. So any internal certs are not subject to this.
Our external sites are hosted behind a load balancer with our wildcard cert. It runs certbot/acme to renew this as per deadlines.
Sree_SecureSlate@reddit
Manually updating certs every 47 days is a recipe for a massive, accidental outage; automation is a compliance survival requirement at this point.
Instead of fighting the shorter lifespans, teams are leveraging compliance automation platforms paired with ACME tools (like Certify the Web for Windows/IIS) to automatically renew, deploy, and log certificates.
This completely removes the human error element and automatically generates the continuous evidence trail your auditors will want to see.
NUTTA_BUSTAH@reddit
You'd generally setup a central frontend that terminates TLS to the short-lived public cert, then you would either continue with HTTP or re-encrypt and use HTTPS with internal certificates that have the lifetime you choose. You'd rotate the single cert on the TLS proxy according to new requirements and rotate your internal environment whenever you see fit.
2_dog_father@reddit
There is definitely expensive automation software by all the large CA's.
fdeyso@reddit
ACME
reader4567890@reddit
We're just starting to look at this - have certs across thousands of servers and applications.
I don't see this being a smooth ride for an org this size, and I'm surprised we've left it this late.
Smh_nz@reddit
Have a look at LetsEncrypt or CertifyTheWeb then research how to automate them! (Dont forget to do it on your test infrastructure first!)
Bjens@reddit
You need to, or at least in some cases some will need to, update and verify their domain ownership even sooner, as it has to be done before the actual cert renewal. So just FYI, that one gets lowered too.
Like 30 days I think, and then 47 days for renewal as you say.
Google ACME protocol.