u/certkit

▲ 11 r/PKI+1 crossposts

The CA/Browser Forum's Ballot SC-081 is already in effect. 200-day max as of March 2026, 100 days in March 2027, 47 days in March 2029.

The math on renewal workload scales linearly: 50 certificates managed manually go from ~50 renewals a year at 398 days to ~400 at 47 days. Same cert count, 8x the operations work.

Wrote up the canonical schedule and what it does to teams still running manual processes: https://www.certkit.io/blog/shrinking-certificate-lifetimes

u/certkit — 9 days ago
▲ 11 r/PKI+1 crossposts

Todd's Tenth Rule: any sufficiently complicated SSL certificate script contains a bad implementation of half a certificate lifecycle manager.

If you've been running Certbot in your environment for a few years, you've probably built most of a certificate management system without realizing it. The shared folder, the DNS creds in the script, the 30-day expiry email, the audit spreadsheet.

https://www.certkit.io/blog/todds-tenth-rule-certificate-automation

u/certkit — 17 days ago