I'm a network administrator who frequently collaborates with our sysadmin team, and I'm trying to get a better understanding of how SSL/TLS certificate rotation is handled in real-world scenarios. In the past, we've typically rotated certificates every six months. However, with the new standard shifting to a 45-day expiration period, I'm curious about how others in the industry are managing this change. Are teams generating multiple certificates at once to front-load them, or are they automating the process somehow? Any insights or practices would help me get more educated on this topic!
4 Answers
I've been using win-acme, which comes with a bunch of scripts to automate the process based on different services. It can easily run tasks through the task scheduler, making things much easier.
It's important to note that the 45-day expiration only applies to publicly signed web server certificates. This simplifies things since you can manage public certificates via a WAF or reverse proxy like Cloudflare, while keeping longer-lasting private certificates for your internal servers.
Many people are using ACME protocols, like Let's Encrypt or internally hosted ACME-compliant CAs such as Smallstep. There are various clients available, but certbot is the go-to for Linux, and win-acme works well for Windows. In our setup, we only handle 1-3 manual certificates for vendor appliances that don't support automation, among the hundreds we use. Most public-facing services utilize Let's Encrypt, while other certificates come from our internal PKI's ACME SubCA. Also, many load balancers and reverse proxy appliances have built-in support for Let's Encrypt.
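The scheduled-task automation mentioned above (win-acme, certbot) works because the client checks the certificate's own validity window on every run and only renews when enough of its lifetime has elapsed. Here is that decision logic as an added Go example; it is not code from this thread or from any of the tools named, and the 45-day lifetime, the www.example.com name and the one-third-remaining threshold (Let's Encrypt's published recommendation) are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// RenewalDue parses a PEM certificate and reports whether it should be renewed
// at time now, plus the time left. It applies Let's Encrypt's rule of thumb that
// ACME clients follow: renew once under a third of the lifetime remains.
func RenewalDue(pemBytes []byte, now time.Time) (bool, time.Duration, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return false, 0, fmt.Errorf("no CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false, 0, err
	}
	lifetime := cert.NotAfter.Sub(cert.NotBefore) // 45 days -> renew with <15 left
	remaining := cert.NotAfter.Sub(now)
	return remaining < lifetime/3, remaining, nil
}

// SelfSignedPEM builds a constructed self-signed test cert standing in for an ACME-issued leaf.
func SelfSignedPEM(dnsName string, notBefore time.Time, days int) ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{dnsName},
		NotBefore: notBefore, NotAfter: notBefore.AddDate(0, 0, days)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	// Constructed case: a 45-day certificate issued 32 days ago has 13 days left.
	p, _ := SelfSignedPEM("www.example.com", time.Now().AddDate(0, 0, -32), 45)
	due, left, err := RenewalDue(p, time.Now())
	fmt.Println(due, left.Round(time.Hour), err) // prints: true 312h0m0s <nil>
}
```

Because the threshold is derived from the certificate itself, the same job keeps working when a CA shortens lifetimes from 90 to 45 days; a fixed "renew every N days" calendar entry would not.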
Just to clarify, if you're using an internally hosted CA, the 45-day expiration rule doesn't apply.
Does anyone know of other internally hosted ACME CAs? I've only heard of Smallstep's step-ca.
A lot of people in the industry opt for commercial solutions like Venafi, KeyFactor, and AppViewX for certificate management. ACME with certbot is definitely a viable option for many as well.

You might want to check out simple-acme, which is a fork from the original creator and has ongoing updates.