Nancy OShea
Community Expert
August 26, 2021
Resolved

OT: New Policy on SSL Renewals

  • August 26, 2021
  • 1 reply
  • 3132 views

I always purchase my SSL/TLS certs for multiple years to save money.  It's one less thing to think about for a while...


This year I renewed certs for multiple domains for 3 years as before.  But instead of expiring in 2024, they all expire in 12 months. DRAT!  Evidently, the policy changed last year.  A newly generated CSR is required every 12 months now.


This topic has been closed for replies.
Best answer by B i r n o u

1 reply

B i r n o u (Answer)
Legend
August 27, 2021

yes, it's true that the security policy has changed on this side. even the latest versions of browsers no longer accept certificates that last for more than a year without renewal.


Just a question, I imagine that you have an independent server, and thus not a shared principle... why then remain on the paying certificates... why not use Let's Encrypt ?... it's just a question to understand not to advise.
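The one-year limit Birnou refers to is the 398-day maximum certificate lifetime that Apple, Chrome and Mozilla enforce for certificates issued on or after 1 September 2020. The following is an added example, not code from either poster, that checks a certificate's validity window the way a defender would when auditing a server: it takes the notBefore/notAfter fields in the format Python's `ssl.getpeercert()` returns and reports the total lifetime, days until expiry, and whether the lifetime exceeds the 398-day limit. The sample certificate dates are constructed to mirror the 3-year renewal the original poster expected versus the 1-year certificate actually issued.

```python
import socket
import ssl
from datetime import datetime, timezone

# Maximum validity (in days) that major browsers accept for leaf
# certificates issued on or after 1 September 2020.
MAX_LIFETIME_DAYS = 398


def check_cert_lifetime(cert, now=None):
    """Evaluate notBefore/notAfter from an ssl.getpeercert()-style dict.

    Returns the certificate's total lifetime in days, the days remaining
    until expiry, whether that lifetime exceeds MAX_LIFETIME_DAYS (so a
    modern browser would reject it even though it has not expired), and
    whether it has already expired at time `now` (epoch seconds, UTC).
    """
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now is None:
        now = datetime.now(timezone.utc).timestamp()
    lifetime_days = (not_after - not_before) / 86400
    days_remaining = (not_after - now) / 86400
    return {
        "lifetime_days": round(lifetime_days),
        "days_remaining": round(days_remaining),
        "exceeds_max": lifetime_days > MAX_LIFETIME_DAYS,
        "expired": now >= not_after,
    }


def fetch_peer_cert(host, port=443):
    """Fetch the leaf certificate a live server presents (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample data (not real certificates): a 3-year window like
# the one the poster expected, and the 1-year window that was issued.
THREE_YEAR_CERT = {"notBefore": "Aug 26 00:00:00 2021 GMT",
                   "notAfter": "Aug 26 00:00:00 2024 GMT"}
ONE_YEAR_CERT = {"notBefore": "Aug 26 00:00:00 2021 GMT",
                 "notAfter": "Aug 26 00:00:00 2022 GMT"}
# Constructed "current time" for a reproducible check: one day after issue.
SAMPLE_NOW = ssl.cert_time_to_seconds("Aug 27 00:00:00 2021 GMT")

if __name__ == "__main__":
    for label, cert in (("3-year", THREE_YEAR_CERT), ("1-year", ONE_YEAR_CERT)):
        print(label, check_cert_lifetime(cert, SAMPLE_NOW))
```

Replace the constructed dicts with `fetch_peer_cert("example.com")` output to audit a real host; a result with `exceeds_max` set is a certificate that browsers will refuse regardless of its expiry date.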

Nancy OShea
Community Expert
August 27, 2021

Let's Encrypt is a group non-profit org that issues FREE Domain Verified certs to anybody who wants them, phishing sites included. They answer to no one except themselves.


You might say "any encryption is better than no encryption."  And for most amateur/hobby & vanity sites that don't do anything critical, that's true.  But beyond that, you get what you pay for, which isn't much.  LE offers no technical support.  And LE's free certs provide no warranty protection in the event of failures on their end.


Why Let's Encrypt is a Really, Really Bad Idea

https://medium.com/swlh/why-lets-encrypt-is-a-really-really-really-bad-idea-d69308887801


Businesses, and particularly those who fall under PCI-DSS and HIPAA umbrellas, have to carefully consider what legal recourse their customers have in suing them in the event of a data breach.  And this should be done in consultation with the business owner's attorney.


BEST PRACTICE:

============

Depending on your needs, choose CAs that offer higher than Domain Verified (DV) assurance.  Organization Verified (OV) and Extended Organization Verified (EV) trusts cost more.


Use well-respected and recognized CAs with a proven track record, technical support and a fiduciary responsibility to other entities (stockholders).

Comodo CA, Sectigo, Symantec, Thawte, GeoTrust, DigiCert, RapidSSL, etc...


Choose certificate warranties that range from $10,000 to $2 million+ in liability coverage.


Use 256-bit or higher encryption strength.  If your server doesn't support 256-bit, find a better web host.


Nancy O'Shea— Product User & Community Expert
Legend
August 28, 2021

If you feel that 

'You can pull a person out of dumbland, but you will never take dumbland out of a person.'

applies to you, then you have said it, not me.



By @BenPleysier


I could ask you why you felt the need to write it if YOU feel it didn't apply to me. Can't think of another reason unless you were referring to yourself, which of course you're at liberty to clarify... maybe wait until after your course of treatment, you might feel a bit less confused.