Hacker News with Generative AI: Certificates

Vendors vote to slash website certificate duration (computerworld.com)
In a move that will likely force IT to much more aggressively use web certificate automation services, the Certification Authority Browser Forum (CA/Browser Forum), a gathering of certificate issuers and suppliers of applications that use certificates, voted Friday to radically slash the lifespan of the certificates that verify the ownership of sites.
Security, Web Development, Technology, Certificates
6 points by bradac56 20 days ago | 1 comments
New SSL/TLS certs to each live no longer than 47 days by 2029 (theregister.com)
CA/Browser Forum – a central body of web browser makers, security certificate issuers, and friends – has voted to cut the maximum lifespan of new SSL/TLS certs to just 47 days by March 15, 2029.
Security, SSL/TLS, Web Browsers, Certificates
3 points by mmoez 24 days ago | 0 comments
TLS certificate lifetimes will officially reduce to 47 days (digicert.com)
The CA/Browser Forum has officially voted to amend the TLS Baseline Requirements to set a schedule for shortening both the lifetime of TLS certificates and the reusability of CA-validated information in certificates. The first user impacts of the ballot take place in March 2026.
Security, Cybersecurity, TLS, Certificates, Web
512 points by crtasm 24 days ago | 675 comments
Certbot 4.0: Long Live Short-Lived Certs (eff.org)
When Let’s Encrypt, a free certificate authority, started issuing 90 day TLS certificates for websites, it was considered a bold move that helped push the ecosystem towards shorter certificate life times.
Security, Web Development, Certificates, Open Source
4 points by throw0101a 25 days ago | 0 comments
Mandatory short duration TLS certificates are probably coming soon (utoronto.ca)
The news of the time interval is that the maximum validity period for TLS certificates will be lowered to 47 days by March 2029, unless the CA/Browser Forum changes its mind (or is forced to) before then.
Security, TLS, Internet Security, Certificates, Technology
18 points by aragilar 25 days ago | 23 comments
Mozilla closes support thread 2 days before baked-in CA TLS certs expire (mozilla.org)
Important update! On March 14, 2025, a critical root certificate in Firefox will expire. If you’re still using an older version (before Firefox 128 or ESR 115.13+), it’s crucial to update to Firefox 128 or newer to avoid issues with add-ons, DRM-protected content, and other features.
Security, Web Browsers, Mozilla, Firefox, Certificates
4 points by superkuh 58 days ago | 1 comments
LetsEncrypt Automated Certificate Renewal in Advance with ARI (2024) (letsencrypt.org)
Following our previous post on the foundational benefits of ACME Renewal Information (ARI), this one offers a detailed technical guide for incorporating ARI into existing ACME clients.
Security, Certificates, ACME, Automation
3 points by metadat 73 days ago | 1 comments
We Issued Our First Six Day Cert (letsencrypt.org)
Earlier this year we announced our intention to introduce short-lived certificates with lifetimes of six days as an option for our subscribers. Yesterday we issued our first short-lived certificate.
Security, Certificates, Let's Encrypt
17 points by el_duderino 77 days ago | 7 comments
We Issued Our First Six Day Cert (letsencrypt.org)
Earlier this year we announced our intention to introduce short-lived certificates with lifetimes of six days as an option for our subscribers. Yesterday we issued our first short-lived certificate.
Security, Certificates, HTTPS, Let's Encrypt, Web Development
7 points by wapasta 78 days ago | 1 comments
Setting up a trusted, self-signed SSL/TLS certificate authority in Linux (previnder.com)
With OpenSSL, it’s pretty easy to generate a simple self-signed TLS certificate. Just run the following command:
Security, Linux, SSL/TLS, Certificates, OpenSSL
142 points by previnder 81 days ago | 37 comments
Let's Encrypt is ending expiration notice emails–for some good reasons (arstechnica.com)
To save money and protect privacy, the successful service won't bug you.
Security, Privacy, Email, Certificates
4 points by SGran 92 days ago | 1 comments
Practical HTTPS Interception: 20 Years of SSL/TLS Interception (thc.org)
TL;DR: An attacker can trick Let's Encrypt (LE) to issue new TLS certificates for any domain that the attacker intercepts traffic for. The attacker can then decrypt the TLS traffic. This one thing that TLS is supposed to prevent from happening. The fault is that LE uses cleartext HTTP to verify the ACME-challenge (which the attacker can intercept).
Security, HTTPS, TLS, Certificates, Hacking
4 points by ementally 95 days ago | 0 comments
Ten Years as a Free, Open, and Automated Certificate Authority (fosdem.org)
People deserve a secure and privacy-respecting Internet. Ubiquitous HTTPS is an essential part of delivering on that vision. To that end, our public benefit certificate authority has been issuing TLS certificates free of cost in a reliable, automated, and trustworthy manner for ten years. We went from issuing our first certificate in 2015 to servicing over 500,000,000 websites in 2025, and we’ve got big plans for the future.
Security, Open Source, Certificates, HTTPS, Internet
32 points by udev4096 96 days ago | 2 comments
The Slow Death of OCSP (feistyduck.com)
Everybody is talking about OCSP now because, just last month, at the end of 2024, Let’s Encrypt announced it was going to stop supporting online certificate revocation checking.
Security, Certificates, Internet Security
66 points by speckx 99 days ago | 12 comments
Honest Ahmed (2011) (mozilla.org)
This is a request to add the CA root certificate for Honest Achmed's Used Cars and Certificates. The requested information as per the CA information checklist is as follows:
Security, Certificates, Root Certificates
110 points by bitneuker 111 days ago | 46 comments
Six day and IP address certificate options in 2025 (letsencrypt.org)
This year we will continue to pursue our commitment to improving the security of the Web PKI by introducing the option to get certificates with six-day lifetimes (“short-lived certificates”). We will also add support for IP addresses in addition to domain names. Our longer-lived certificates, which currently have a lifetime of 90 days, will continue to be available alongside our six-day offering.
Security, Web PKI, Certificates, Domain Names, IP Addresses
197 points by SGran 113 days ago | 158 comments
Certificate Profile Selection (Let's Encrypt) (letsencrypt.org)
We are excited to announce a new extension to Let’s Encrypt’s implementation of the ACME protocol that we are calling “profile selection.” This new feature will allow site operators and ACME clients to opt in to the next evolution of Let’s Encrypt.
Security, Web Development, Certificates, Let's Encrypt, ACME Protocol
9 points by soheilpro 120 days ago | 0 comments
Let's Encrypt to end OCSP support in 2025 (scotthelme.co.uk)
Well, the writing has been on the wall for some years now, arguably over a decade, but the time has finally come where the largest CA in the World is going to drop support for the Online Certificate Status Protocol.
Security, Certificates
25 points by janandonly 126 days ago | 8 comments
Short-Lived Certificates Coming to Let's Encrypt (schneier.com)
Security, Let's Encrypt, Certificates
6 points by gnabgib 144 days ago | 0 comments
Let's Encrypt: 2024 Annual Report [pdf] (abetterinternet.org)
Security, Cybersecurity, Nonprofit, Certificates
10 points by dfern 149 days ago | 1 comments
ICP-Brasil: Mis-issued certificate (mozilla.org)
ICP-Brasil: Mis-issued certificate
Security, Certificates, Brazil
61 points by cipherboy 159 days ago | 3 comments
A Brazilian CA trusted only by Microsoft has issued a certificate for google.com (agwa.name)
Security, Google, Certificates, Brazil
482 points by sanqui 160 days ago | 215 comments
Just want simple TLS for your .internal network? (github.com/nh2)
Safely shareable TLS root CA for .internal networks using Name Constraints
Security, .NET, Networks, TLS, Certificates
245 points by nh2 203 days ago | 141 comments
Avoiding downtime: modern alternatives to outdated certificate pinning practices (cloudflare.com)
In today’s world, technology is quickly evolving and some practices that were once considered the gold standard are quickly becoming outdated.
Security, Web Development, Best Practices, Cloud Computing, Certificates
45 points by cpach 222 days ago | 36 comments
iOS 18 breaks IMAPS self-signed certs (apple.com)
iOS, Security, Email, Certificates
118 points by mmd45 233 days ago | 148 comments
Nvd.nist.gov cert expired yesterday and uses HSTS (nist.gov)
Security, Websites, Certificates
15 points by SuperSandro2000 249 days ago | 8 comments
All I Know About Certificates – Certificate Authority (pixelstech.net)
Security, Certificates, Technology, Digital Certificates
139 points by thunderbong 284 days ago | 26 comments
DigiCert Revocation Incident (CNAME Domain Validation) (digicert.com)
Security, Domain Validation, Certificates, Cybersecurity
141 points by vitaliyf 284 days ago | 49 comments
Intent to end OCSP service (letsencrypt.org)
Security, Internet Security, Certificates, SSL/TLS
415 points by soheilpro 290 days ago | 143 comments
Telekom Security: Revocation delay for TLS certificates (mozilla.org)
Security, TLS, Certificates
54 points by MaKey 294 days ago | 15 comments