You can issue a 15-year SSL certificate today. Why almost nobody does

Most HTTPS deployments live in 90-day Let's Encrypt chunks. But for Cloudflare-proxied domains, there is a CA that issues 15-year certificates — here is the auto-issue pipeline that picks between Origin Cert, DNS-01 and HTTP-01 automatically.

Read More https://panelica.com/blog/15-year-ssl-certificate-cloudflare-origin-implementation

3 points | by panelica 15 hours ago

1 comment

  • gnabgib 15 hours ago
    No.. you can't. 200 days is the max today. (Unless you're talking about a Private CA)

    https://cabforum.org/2025/04/11/ballot-sc081v3-introduce-sch...

    • austin-cheney 14 hours ago
      Expiry is optional on certificates. You can write your own using a library like OpenSSL and it will be respected by the browsers. What you linked to was an industry trade group voting on a bylaw.
      • gnabgib 14 hours ago
        Have you ever seen a no-expiry cert? Widely criticized as a mistake. The null-object of TLS.

        You cannot issue a publicly trusted TLS certificate with an empty expiry, or an expiry date more than 200 days away (as of March). If you want to talk about private CA, then the certs can follow all sorts of rules.. they don't even have to be about TLS.. they can be for SSH at that point.

        • austin-cheney 9 hours ago
          People confuse themselves on this subject all the time.

          Expiry is optional. Is that a good idea? No.

          Expiry exists only to kill a certificate, intentionally, in a timely manner. That forces the consumer to handle their business before certificate compromise, because revocation and compromise each invoke a higher effort to mitigate to the issuer.

    • 8organicbits 14 hours ago
      Cloudflare origin CA is a private CA, so the CABF doesn't apply.
      • gnabgib 14 hours ago
        Yes.. exactly.. you can't issue a 15y TLS (not SSL) cert today.. not in a usable way. If cloudflare stops proxying you, your cert is worth nothing (accepted by no one).

        You can create your own without the use of cloudflare.. you can set it to a 100y expiry if you feel like it.

    • panelica 14 hours ago
      [flagged]
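As an added illustration of the validity-period question the thread argues over (this is not code from any of the commenters or from the linked Panelica article): parse the two lines that `openssl x509 -noout -dates` prints for a certificate and classify it against the 200-day publicly trusted ceiling the thread cites and the RFC 5280 "no well-defined expiration" sentinel (notAfter = 99991231235959Z). The date pairs are constructed samples, not real certificates.

```python
from datetime import datetime, timezone

# Publicly trusted ceiling cited in the thread (200 days); a private CA is not bound by it.
PUBLIC_TRUST_MAX_DAYS = 200

# RFC 5280 section 4.1.2.5: notAfter of 99991231235959Z means "no well-defined expiration".
NO_EXPIRY_SENTINEL = datetime(9999, 12, 31, 23, 59, 59, tzinfo=timezone.utc)


def parse_openssl_date(line):
    """Parse one line as printed by `openssl x509 -noout -dates`,
    e.g. 'notBefore=Mar  1 00:00:00 2026 GMT', into an aware UTC datetime."""
    _, _, value = line.strip().partition("=")
    # openssl pads single-digit days with a double space; collapse it for strptime
    value = " ".join(value.split())
    parsed = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")
    return parsed.replace(tzinfo=timezone.utc)


def validity_report(not_before_line, not_after_line):
    """Classify a certificate's validity window.

    Returns the lifetime in days (None when the no-expiry sentinel is used),
    whether the sentinel is used, and whether the lifetime fits the public-trust limit."""
    not_before = parse_openssl_date(not_before_line)
    not_after = parse_openssl_date(not_after_line)
    if not_after >= NO_EXPIRY_SENTINEL:
        return {"days": None, "no_expiry": True, "publicly_trustable": False}
    days = (not_after - not_before).days
    return {"days": days, "no_expiry": False,
            "publicly_trustable": days <= PUBLIC_TRUST_MAX_DAYS}


# Constructed sample date pairs (not taken from real certificates).
SAMPLES = {
    "90-day ACME-style cert": ("notBefore=Mar  1 00:00:00 2026 GMT",
                               "notAfter=May 30 00:00:00 2026 GMT"),
    "15-year origin cert":    ("notBefore=Mar  1 00:00:00 2026 GMT",
                               "notAfter=Mar  1 00:00:00 2041 GMT"),
    "no-expiry sentinel":     ("notBefore=Mar  1 00:00:00 2026 GMT",
                               "notAfter=Dec 31 23:59:59 9999 GMT"),
}

if __name__ == "__main__":
    for label, (nb, na) in SAMPLES.items():
        print(f"{label:24} {validity_report(nb, na)}")
```

Feed it the output of `openssl x509 -in cert.pem -noout -dates` to see whether a given certificate could ever be publicly trusted under the limit the thread discusses, or only by clients that are configured to trust the issuing private CA.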