You can issue a 15-year SSL certificate today. Why almost nobody does
panelica
·
2026-05-23
·
via Hacker News: Ask HN
|
|
|  | |
Expiry is optional on certificates. You can write your own using a library like OpenSSL and it will be respected by the browsers. What you linked to was an industry trade group voting on a bylaw. |
|  | |
Have you ever seen a no-expiry cert? Widely criticized as a mistake. The null-object of TLS. You cannot issue a publicly trusted TLS certificate with an empty expiry, or an expiry date more than 200 days away (as of March). If you want to talk about private CA, then the certs can follow all sorts of rules.. they don't even have to be about TLS.. they can be for SSH at that point. |
|  | |
People confuse themselves on this subject all the time. Expiry is optional. Is that a good idea? No. Expiry exists only to kill a certificate, intentionally, in a timely manner. That forces the consumer to handle their business before certificate compromise, because revocation and compromise each invoke a higher effort to mitigate to the issuer. |
| |  | |
Yes.. exactly.. you can't issue a 15y TLS (not SSL) cert today.. not in a usable way. If cloudflare stops proxying you, your cert is worth nothing (accepted by no one). You can create your own without the use of cloudflare.. you can set it to a 100y expiry if you feel like it. |
|
|

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact |
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。