On Mon, May 26, 2025 at 8:25 AM Tim via users <users@lists.fedoraproject.org> wrote:
>
> Samuel Sieb:
> > > If you want a recognized certificate, you either have to buy one or you
> > > can use certbot to get a free one from https://letsencrypt.org/. You
> > > need to remember to renew it regularly. I think they're valid for 3
> > > months at a time. That's what I use.
>
> Patrick O'Callaghan:
> > IIRC it's now down to 14 days, but certbot takes care of it
> > automatically.
>
> Why so short?

To reduce the size of the Certificate Revocation List (CRL), and recover quickly from a compromised host. Conventional wisdom is, browsers don't download CRLs or OCSP, so a short validity closes the gap in browser behavior.

Let's Encrypt has actually proposed a 3-day lifetime. See "Concerns about very-short-lived certificates," <https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/_335unOyteQ/m/9sH7ozVCAQAJ>.

Jeff