Sysadmins Rage Over Apple’s ‘Nightmarish’ SSL/TLS Cert Lifespan Cuts – Slashdot
The Register’s Jessica Lyons reports: Apple wants to shorten SSL/TLS security certificates’ lifespans, down from 398 days now to just 45 days by 2027, and sysadmins have some very strong feelings about this “nightmarish” plan. As one of the hundreds that took to Reddit to lament the proposal said: “This will suck. My least favorite vendor manages something like 10 websites for us, and we have to provide the certs manually every time. Between live and test this is gonna suck.”
The Apple proposal, a draft ballot measure that will likely go up for a vote among Certification Authority Browser Forum (CA/B Forum) members in the upcoming months, was unveiled by the iThings maker during the Forum’s fall meeting. If approved, it will affect all Safari certificates, which follows a similar push by Google, that plans to reduce the max-validity period on Chrome for these digital trust files down to 90 days.
… [W]hile it’s generally agreed that shorter lifespans improve internet security overall — longer certificate terms mean criminals have more time to exploit vulnerabilities and old website certificates — the burden of managing these expired certs will fall squarely on the shoulders of systems administrators. […] Even certificate provider Sectigo, which sponsored the Apple proposal, admitted that the shortened lifespans “will no doubt prove a headache for busy IT security teams, juggling with lots of certificates expiring at different times.” While automation is often touted as the solution to this problem, sysadmins were quick to point out that some SSL certs can’t be automated. “This is somewhat nightmarish,” said one sysadmin. “I have about 20 appliance like services that have no support for automation. Almost everything in my environment is automated to the extent that is practical. SSL renewal is the lone achilles heel that I have to deal with once every 365 days.”