As previously announced, over the next two years we will be switching the default certificate lifetime from 90 days to 64 days, and then 45 days. This will ultimately double the number of certificate renewal requests each day: today we expect renewal around day 60 (of a 90-day certificate), while in the future we expect renewal around day 30 (of a 45-day certificate). If you use an ACME client that supports ARI, this will happen automatically.
The good news for subscribers is that you don’t need any changes to your rate limits, whether you are using our default limits or have requested an override. Our rate limits affect issuance for new domain names (or groups of domain names), but renewals are exempt. So, for instance, if you are managing a set of 15,000 certificates that you continually renew, and create 250 new certificates (with new domain names) each day, you will be well within our limits both before and after the transition. The 250 new certificates daily will still be well under our New Orders per Account limit of 300 per day. And the 15,000 existing certificates will continue to be unaffected by rate limits, whether your ACME client is renewing them every sixty days or every thirty.
Facts Only
Organizational change: default certificate lifetime reduction from 90 days to 45 days in two stages
Affected users: those without ACME clients supporting ACME Renewal Information (ARI)
Unaffected users: those with ARI-compatible clients
Existing rate limits for subscribers will remain unchanged
Full Take
In analyzing this situation, it's important to consider the motivations behind the organization's decision. One potential factor could be security enhancement, given that shorter certificate lifetimes reduce vulnerability to outdated certificates. However, the change may also present challenges for users managing a high volume of certificates. It's crucial for these users to ensure their ACME clients support ARI to facilitate automatic renewals.
Root cause: The decision appears driven by a desire for increased security and updated certificate management practices.
Implications: The change benefits the organization's security posture but may pose operational challenges for users managing numerous certificates without ARI-compatible clients.
Bridge questions: How will this change impact the user experience? What steps should users take to ensure smooth operation with the new certificate lifetimes? Are there potential downsides to the shorter certificate lifetimes that have not been addressed in the announcement?
