I've heard that starting in 2029, the Certification Authority Browser Forum will cut the duration of TLS certificates from over 300 days down to just 47 days. This means we need to start thinking about automating the renewal process for our certificates. I plan to use Nginx Proxy Manager for this, but I see that it only generates certificates from Let's Encrypt, which won't work for us since we already have a wildcard certificate provider. Plus, Let's Encrypt certificates don't include important details like the common name, city, or country, which are vital for our business needs. How are others planning to automate certificate management in light of these changes?
5 Answers
I've been using Let's Encrypt for about 6 years for my business, too. I wasn't aware that we absolutely needed fields like city or country in our certificates. Is that really a requirement now?
Make sure to evaluate your infrastructure needs. ACME isn't just for Let's Encrypt; DigiCert has an ACME API too. The financial aspect can vary, but using Azure Key Vault could streamline things if you go with DigiCert. For us, we transitioned our Azure websites to manage certificates through Azure's integrated service, which is included in the web service price. If ACME isn’t directly supported, we have a VM that handles the work and uses custom scripts for installation.
If you're open to more hands-on setup, I’d recommend using pure Nginx instead of Nginx Proxy Manager. You can set up cron jobs for renewing certificates and use Nginx to manage everything. It offers more flexibility than Proxy Manager.
Nginx Proxy Manager doesn't really support custom ACME URLs, so you might want to consider using a different proxy tool like Caddy. It does support custom ACME URLs and might better suit your needs. Here’s the documentation link for you: https://caddyserver.com/docs/caddyfile/directives/tls#dir
You can actually use Let's Encrypt to issue wildcard certificates as long as you use the DNS-01 challenge method. Having a wildcard certificate from another CA shouldn’t be a problem. However, if you need Organization Validation (OV) certificates, then you’ll have to use a different CA. I recommend 'Certify The Web' which supports various CAs including Sectigo for more detailed certificates.
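Putting the "pure Nginx plus cron" suggestion and the DNS-01 wildcard point together, here is an added example of a renewal wrapper. It is not code from the thread or from any of the tools mentioned in it: it uses certbot (which, like Caddy, accepts an arbitrary ACME directory via `--server`), asks for a wildcard through the certbot-dns-cloudflare plugin, and reloads a plain nginx install from the deploy hook. The ACME directory URL, the EAB credentials, the credentials file path and the domain are placeholders I made up for illustration; substitute your CA's real values.

```shell
#!/bin/sh
# Added example, not from the thread: drive renewals for a plain nginx host
# with certbot + cron, pointing certbot at a non-Let's-Encrypt ACME CA and
# using DNS-01 so a wildcard name can be issued.
# Assumptions (placeholders, not real endpoints or credentials):
#   ACME_DIR  - your CA's ACME directory URL
#   EAB_*     - External Account Binding credentials the CA hands out
#   CRED_FILE - Cloudflare API token file for the certbot-dns-cloudflare plugin
set -eu

DOMAIN="${DOMAIN:-example.com}"
ACME_DIR="${ACME_DIR:-https://acme.example-ca.invalid/directory}"
EAB_KID="${EAB_KID:-}"
EAB_HMAC="${EAB_HMAC:-}"
CRED_FILE="${CRED_FILE:-/root/.secrets/cloudflare.ini}"   # must be mode 0600
DRY_RUN="${DRY_RUN:-0}"

# Print the command instead of executing it when DRY_RUN=1, so the flags can
# be reviewed (and tested) without a CA, DNS credentials or root.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Days before expiry at which renewal should start: one third of the lifetime
# (Let's Encrypt's long-standing rule of thumb). 47-day certs -> 16 days,
# which gives a daily cron job about 16 attempts before the site goes dark.
renew_threshold_days() {
    echo $(( ($1 + 2) / 3 ))
}

# One-time issuance. certbot records --server, the DNS plugin and the deploy
# hook in /etc/letsencrypt/renewal/$DOMAIN.conf, so later renewals reuse them.
issue_cert() {
    eab=""
    if [ -n "$EAB_KID" ]; then
        # Commercial ACME CAs usually bind the ACME account to a customer
        # account with EAB; the HMAC key is a secret, so export it from a
        # 0600 file rather than typing it into a shell with history.
        eab="--eab-kid $EAB_KID --eab-hmac-key $EAB_HMAC"
    fi
    # shellcheck disable=SC2086  # $eab is meant to be word-split
    run certbot certonly --non-interactive --agree-tos \
        --server "$ACME_DIR" \
        --dns-cloudflare --dns-cloudflare-credentials "$CRED_FILE" \
        -d "$DOMAIN" -d "*.$DOMAIN" --cert-name "$DOMAIN" \
        --deploy-hook "nginx -t && nginx -s reload" \
        $eab
}

# Cron entry: the renewal itself is just 'certbot renew'. certbot renews once
# fewer than 30 days remain by default; for 47-day certs set
# 'renew_before_expiry = 16 days' in the renewal conf if you prefer the
# one-third rule over replacing the cert after 17 days.
install_cron() {
    line="17 3 * * * root certbot renew --quiet"
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$line"
    else
        printf '%s\n' "$line" > /etc/cron.d/certbot-renew
    fi
}

# Only act when explicitly asked; sourcing the file just defines the functions.
if [ "${1:-}" = "--install" ]; then
    issue_cert
    install_cron
fi
```

Run it once as `sh renew.sh --install` (or with `DRY_RUN=1` first to see the exact certbot command), then point nginx at `/etc/letsencrypt/live/example.com/fullchain.pem` and `privkey.pem`; the `nginx -t &&` in the deploy hook stops a bad reload from taking the site down with a fresh cert in hand. Distribution packages of certbot often ship a systemd timer that already runs `certbot renew` twice a day, in which case the cron entry is redundant; keep one or the other, not both.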

Thanks for the tip! I wasn’t aware of Caddy but it looks like it could really fit my requirements.