As a network admin who frequently collaborates with sysadmins, I'm trying to grasp the best practices for rotating SSL/TLS certificates, especially now that the trend is shifting to a 45-day rotation schedule. In the past, certificate renewals happened around every six months, which was manageable. However, given that the timeframe has shortened significantly, I'm curious about how others in the industry are handling this process. Are you generating multiple certificates at once and applying them in advance, or have you implemented some form of automation to streamline the renewal process?
4 Answers
It's worth noting that the 45-day expiration mainly applies to public web server certificates. Using a WAF or reverse proxy like Cloudflare can make managing these certificates easier. You can handle public-facing certs with Let's Encrypt through Cloudflare while using a longer-lasting private certificate for your internal systems.
I've been using win-acme for my setup, and it comes packed with a variety of scripts that automate the renewal process for different services. It runs seamlessly with the task scheduler, which saves a lot of hassle.
A lot of us are leveraging ACME clients like Let's Encrypt or internal options like smallstep for our certificates. We mostly automate the process with tools like certbot for Linux or win-acme for Windows, which simplifies things. Nowadays, we might only handle 1-3 certificates manually for vendor appliances that don't support automation among a couple hundred we have. Many load balancers and reverse proxies support Let's Encrypt natively, which helps a ton!
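As an added illustration of the split this answer describes (most certificates handled by an ACME client, a handful of vendor appliances still done by hand), the script below applies the usual ACME-client renewal rule (certbot renews once less than a third of the lifetime remains, so a 45-day cert renews at about day 30) to a constructed inventory and flags only the entries a human must act on. This is example code, not from any poster or tool on the page; the inventory entries, the 3-day "automation missed its window" tolerance and the 14-day manual lead time are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Renewal rule used by common ACME clients: renew when less than `fraction`
# of the certificate's lifetime remains (certbot's default is one third).
def renew_after(not_before: datetime, not_after: datetime,
                fraction: float = 1 / 3) -> datetime:
    """Earliest moment the client is expected to renew this certificate."""
    lifetime = not_after - not_before
    return not_after - lifetime * fraction

def status(cert: dict, now: datetime,
           missed_tolerance: timedelta = timedelta(days=3),
           manual_lead: timedelta = timedelta(days=14)) -> str:
    """Classify one inventory entry for a daily report.

    Automated certs are only reported if the client has visibly failed to
    renew inside its window; manual certs are reported `manual_lead` before
    expiry so someone can get a CSR to the vendor appliance in time.
    """
    if now >= cert["not_after"]:
        return "EXPIRED"
    if cert["automated"]:
        overdue = now - renew_after(cert["not_before"], cert["not_after"])
        return "AUTOMATION-FAILED" if overdue > missed_tolerance else "OK"
    return "MANUAL-RENEW" if cert["not_after"] - now <= manual_lead else "OK"

def report(inventory: list, now: datetime) -> dict:
    return {c["name"]: status(c, now) for c in inventory}

def sample_report(now: datetime = None) -> dict:
    """Constructed inventory, dated relative to `now` so the result is stable."""
    now = now or datetime.now(timezone.utc)
    d = lambda days: now + timedelta(days=days)
    inventory = [
        # 45-day public cert, issued 35 days ago: should have renewed at day 30.
        {"name": "www.example.test", "not_before": d(-35), "not_after": d(10), "automated": True},
        # 45-day public cert, issued 20 days ago: renewal window opens in 10 days.
        {"name": "api.example.test", "not_before": d(-20), "not_after": d(25), "automated": True},
        # 1-year vendor appliance cert, renewed by hand, expires in 10 days.
        {"name": "vpn-appliance", "not_before": d(-355), "not_after": d(10), "automated": False},
        # Internal cert from a private CA with a long lifetime, nothing due.
        {"name": "internal-ca-svc", "not_before": d(-100), "not_after": d(265), "automated": False},
        # Forgotten host whose client stopped running; already expired.
        {"name": "old.example.test", "not_before": d(-100), "not_after": d(-1), "automated": True},
    ]
    return report(inventory, now)

if __name__ == "__main__":
    for name, state in sample_report().items():
        print(f"{state:18} {name}")
```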
In the industry, many people turn to commercial solutions like Venafi, KeyFactor, and AppViewX to manage their certificates more efficiently. While ACME and certbot are great free options, some prefer the structure and support that comes with paid services.