The days of the three-year SSL cert are long gone. These days, you can only get a cert for up to 13 months. You can thank Google and Apple for this – they made a change in September 2020 within their browsers where they would not trust a certificate that was older than 398 days. They pushed for these shorter validity periods to enforce more stringent security standards. The good news is that you can automate SSL cert renewal – saving you time and sanity.
If a certificate is valid for just one year, the identity behind the certificate will be verified much more frequently. The hope is that the shorter validation intervals will cut down on bad actors.
Even when SSL certs could last three years, we had many clients who experienced pain and inconvenience, either by forgetting to renew or struggling to reapply the new certs to their websites, email servers, etc. Now that the frequency has effectively been halved, staying on top of renewing and/or re-applying your SSL certs has become, well, twice as annoying.
Let’s Encrypt is a nonprofit organization that provides 90-day public SSL certs for free. Certify The Web is a tool that leverages Let’s Encrypt’s free certs.
Certify the Web has a great free option called the Community Edition that can manage up to five different certificates per install. They also have paid versions consisting of different levels that allow you to manage more than five – up to an unlimited number of certificates, depending on the package.
Certify the Web uses the HTTP or DNS mechanism. The HTTP methods requires that port 80 is publicly accessible from the internet, which could pose some potential security policy challenges. The DNS option integrates with multiple DNS providers using an API to perform TXT record verification with Let’s Encrypt. This does not require port 80 to be exposed to the internet.
We prefer DNSMadeEasy for this – it’s very simple to integrate with Certify the Web.
Once the certificate verification has been performed and issued, there are several deployment paths that can be orchestrated via the Certify the Web tool. This allows you to sequence any other actions that are contingent upon your cert change, like rebinding IIS, Microsoft Exchange, or application-specific port bindings. We use a combination of PowerShell and Task Scheduler in Windows to orchestrate these types of changes during predefined maintenance windows. You can do almost anything via PowerShell or REST API – nearly everything has a Command Line option for port bindings.
We partner with a few other technologies like KEMP, Fortinet, AWS, or Azure, that provide Let’s Encrypt integration.
There are options to automate and integrate these pieces together without spending a whole lot of money. The best thing about Let’s Encrypt is that there’s no cost to the certificates. When you automate SSL cert renewal with Let’s Encrypt you can save money AND time!
Sometimes enhanced security can create some additional attention and work, but at the end of the day it’s worth it. Let us help you simplify your public SSL cert management – there are several low-cost and easy options!
If you’d like to learn more about this or have any additional questions or concerns, please call 502-240-0404 or send us an email at info@mirazon.com.