I just got a notification from GoDaddy about the recent changes to SSL certificate validity periods being reduced significantly. With so many websites and devices requiring certificates, it's going to be a challenge to update them in such a limited timeframe, even if automation is possible. I'm curious to hear how everyone plans to address this situation. Any strategies or tools you're looking to implement? Thanks!
6 Answers
I’ve set up certbot with a renewal hook and monitored it for years without much hassle. It’s made the process pretty smooth! Just ensure you have external monitoring in place in case anything fails.
Absolutely! How do you handle root certificate renewals or revoked certs though?
I totally empathize! While Let's Encrypt works well for web, many appliances need certs but don't support automation. For instance, my firewall's got no straightforward automation options, which complicates everything. The shorter validity periods are going to make it a headache.
You can automate communication with your firewall through its API to push cert updates, which might help!
Exactly! At some point, vendors will have to come up with better solutions; they can't just ignore automation anymore.
We’re leveraging Cloudflare to handle SSL. They’ve got APIs that might help to automate the process. For devices that don't support it, I’m considering putting an Nginx proxy in front to handle the certificates.
You really need to look into Certificate Lifecycle Management tools. We’ve been using AppViewX and it’s pretty effective at automating our cert management process. With 200-day public certs on the horizon, it’s the right time to get these tools in place before deadlines tighten further.
We’ve been renewing our certs automatically through Let's Encrypt for years. As long as we monitor for any failures, it’s pretty hands-off!
That's a great point! One solid approach is to follow RFC 8555 for ACME. It’s a widely accepted standard for certificate lifecycle management that's been around for a while. If your current workflows aren’t set up for ACME, you have less than three years to adapt them.
I see your point, but I’d argue that ACME isn’t the only game in town. Some devices, like certain Cisco products, support protocols like EST or SCEP for certificate management.
True, but I'm not a fan of giving servers the ability to issue their own certs. If one gets compromised, it could lead to more significant issues. I'd rather just deal with compromised certs using the existing CRLs.

Can certbot work for servers that aren't publicly accessible? I mostly utilize AD CS, but it’d be nice to automate this.
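Several answers above lean on external monitoring to catch a failed renewal, and with validity shrinking to 200 days (and shorter) a fixed "warn 30 days before expiry" rule becomes too coarse. The following check is an added example written for this thread, not code from any poster: it expresses the renewal point as a fraction of the certificate's own lifetime, using only the Python standard library. The sample certificate dictionary is constructed in the shape returned by `ssl.SSLSocket.getpeercert()`; the hostname and dates are made up.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert();
# the name and dates are invented for this example (a 200-day certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "example.test"),),),
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Jul 20 00:00:00 2025 GMT",
}


def lifetime_and_remaining(cert, now):
    """Return (lifetime_seconds, remaining_seconds) for a getpeercert() dict."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return not_after - not_before, not_after - now.timestamp()


def check_cert(cert, now, renew_fraction=1 / 3, min_days=7):
    """Classify a certificate as 'ok', 'renew' or 'expired'.

    The renewal point is a fraction of the certificate's lifetime (1/3 left
    mirrors the common ACME practice of renewing at 2/3 of the lifetime),
    with an absolute floor of min_days so very short certs still get a window.
    """
    lifetime, remaining = lifetime_and_remaining(cert, now)
    if remaining <= 0:
        return "expired"
    threshold = max(lifetime * renew_fraction, min_days * 86400)
    return "renew" if remaining < threshold else "ok"


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch the leaf certificate of a live TLS endpoint (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Replace SAMPLE_CERT with fetch_peer_cert("your.host") to monitor a real endpoint.
    print(check_cert(SAMPLE_CERT, datetime.now(timezone.utc)))
```

Run it from cron against each endpoint and alert on anything other than "ok"; a result of "renew" that persists across runs means the automated renewal path is not doing its job.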