Let’s Encrypt, a prominent certificate authority, has recently unveiled plans to introduce short-lived certificates with a lifespan of six days and support for certificates issued for IP addresses by the year 2025. This strategic move is part of the organization’s ongoing efforts to enhance the security infrastructure of the Web Public Key Infrastructure (PKI), with the aim of making secure connections more accessible and manageable for users worldwide.
The short-lived certificates will run alongside the existing 90-day certificates, giving subscribers a choice of certificate lifetime. They are made possible by an upcoming update to the Automated Certificate Management Environment (ACME) API that lets subscribers opt into the new certificate profile.
One of the key benefits of short-lived certificates is reduced exposure when a private key is compromised. The traditional advice in that case is to revoke the certificate, but revocation checking is unreliable in practice, so a compromised certificate can remain usable until it expires. By cutting the lifetime to six days, Let’s Encrypt narrows the compromise window and reduces reliance on revocation. Consistent with this, the short-lived certificates will carry no Online Certificate Status Protocol (OCSP) or Certificate Revocation List (CRL) URLs, which makes automated certificate management essential for anyone using them.
In addition to the introduction of short-lived certificates, Let’s Encrypt will also enable users to secure TLS connections associated with IP addresses. This feature allows service providers to obtain trusted certificates for services accessed via IP addresses, eliminating the need for domain names. The validation process for IP addresses will mirror that of domain names, utilizing http-01 and tls-alpn-01 challenge types, while the dns-01 challenge type will not be applicable as DNS plays no role in IP address validation. This expansion of use cases for Let’s Encrypt signifies a proactive response to the changing landscape of web security requirements, demonstrating the organization’s commitment to adapt and evolve with the industry’s needs.
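As an added illustration (not Let’s Encrypt’s or any ACME client’s code), the following Go program builds a constructed self-signed six-day certificate for an IP address with no OCSP or CRL URLs, then runs the checks an automated renewal job would apply to it: lifetime, presence of revocation pointers, and whether renewal is due. The 2/3-of-lifetime renewal threshold and the 192.0.2.10 address are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Assess reports, for leaf c at time now, its lifetime in days, whether it carries OCSP or
// CRL URLs, and whether renewal is due once renewAt of the lifetime has elapsed (assumption:
// 2/3, like renewing a 90-day cert on day 60, so day 4 for a 6-day cert; not a Let's Encrypt value).
func Assess(c *x509.Certificate, now time.Time, renewAt float64) (days float64, hasRevocationURLs, renewDue bool) {
	life := c.NotAfter.Sub(c.NotBefore)
	return life.Hours() / 24,
		len(c.OCSPServer) > 0 || len(c.CRLDistributionPoints) > 0,
		now.Sub(c.NotBefore) >= time.Duration(float64(life)*renewAt)
}

// makeTestCert builds a constructed, self-signed leaf for IP address ip, valid for the given days, with no OCSP/CRL URLs.
func makeTestCert(ip net.IP, notBefore time.Time, days int) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(time.Duration(days) * 24 * time.Hour),
		IPAddresses:  []net.IP{ip}, // identity is an IP address, not a DNS name
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	start := time.Date(2025, 2, 1, 0, 0, 0, 0, time.UTC)
	c, err := makeTestCert(net.ParseIP("192.0.2.10"), start, 6)
	if err != nil {
		panic(err)
	}
	fmt.Println(Assess(c, start.Add(5*24*time.Hour), 2.0/3)) // lifetime, revocation URLs present, renewal due
}
```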
The scheduled issuance of the first short-lived certificates is set for February 2025, with a limited rollout for early adopters planned for April and broader availability expected by the year’s end. While the initial short-lived certificates may not support IP addresses, Let’s Encrypt is dedicated to enabling this feature by the time of general release, ensuring comprehensive support for various use cases.
To obtain the new certificates, subscribers will need an ACME client that supports the updated certificate profiles. Profile names will be announced later; a request that includes an IP address in the certificate will automatically select a short-lived profile, so no extra configuration is needed for that case. With these advancements, Let’s Encrypt is poised to make significant contributions to web security, aligning with its core mission to promote safe and encrypted connections for all users across the internet.