Angus Robertson Posted May 1

Currently, SSL/TLS certificates may be issued for a maximum period of 398 days, before renewal is required. The CA/Browser Forum recently voted to reduce this life span period in steps over the next four years. From 15th March 2026, life span is reduced to 200 days. From 15th March 2027, life span is reduced to 100 days. From 15th March 2029, life span is reduced to 47 days, but only 10 days for domain control validated certificates, such as most free certificates.

These reduced life times reduce the effort needed to block compromised certificates, but also make manually updating server certificates more onerous. The Automatic Certificate Management Environment (ACME) developed by Let's Encrypt and used by many web servers is now supported by other certificate vendors to issue free and commercial certificates automatically, and will hopefully be fully integrated with all major web servers by 2029.

Let's Encrypt is adding a certificate profile to the ordering process, allowing alternate certificate types to be ordered, including six day life certificates later this year. It has also added an ACME command to get recommended renewal information, which is currently 30 days before a 90 day certificate expires. Applications are recommended to check renewal information regularly, currently every six hours, to check if certificates have been revoked. This will be important this summer when Let's Encrypt closes down the Online Certificate Status Protocol currently used to check if certificates are validly issued.

A new version of the ICS TSslX509Certs component is currently being tested with these new ACME features. It will also attempt to support ordering certificates from Buypass, ZeroSSL, Google, DigiCert and ssl.com, although most of these need accounts to be opened at the issuer before the ACME protocol can be used, so testing will not be quick and not all may be available initially.

The main difference from Let's Encrypt is external accounting fields to link to the supplier's account, instead of just a public key. Minor changes to IcsHosts are needed for the ICS web server to handle certificate profiles and alternate suppliers, and to regularly update renewal information. These changes are already done in the OverbyteIcsX509CertsTst sample that is used to create ACME accounts and place certificate orders, which can be validated by an internal web server, external web servers such as Windows IIS and Windows Apache, and by Windows DNS server for wild card certificates. The sample supports multiple accounts for different suppliers, listing the status of all orders for those suppliers, and allowing ordering and renewals with a few clicks.

I'll update this topic when the ICS web server is updated, hopefully within a week or two. Meanwhile, could anyone that has looked at alternate ACME suppliers let me know, to help with testing.

Angus
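The "external accounting fields" the post refers to are ACME External Account Binding (RFC 8555, section 7.3.4): the newAccount request carries an extra inner JWS, signed with HMAC-SHA256 using a MAC key and key identifier that the supplier hands out from the customer's web account, whose payload is the ACME account's own public key. The following Python is an added example written for this thread, not ICS code and not code from the post; the account JWK, the key identifier, the MAC key and the newAccount URL are constructed sample values, and only the Python standard library is used.

```python
"""Build and check an ACME External Account Binding (EAB), RFC 8555 s7.3.4.
Added example with constructed values; not ICS code."""
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    """base64url without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def canonical_json(obj) -> bytes:
    # The exact bytes that were signed must be the bytes that are sent.
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")


def build_eab(account_jwk: dict, eab_kid: str, eab_mac_key_b64url: str,
              new_account_url: str) -> dict:
    """Inner JWS: HS256 over base64url(protected) '.' base64url(payload).
    The payload is the ACME account key (the same JWK that goes in the outer
    newAccount JWS header). Unlike other ACME JWS objects the protected header
    carries no nonce, only alg, kid (the supplier's key id) and url."""
    protected = {"alg": "HS256", "kid": eab_kid, "url": new_account_url}
    protected_b64 = b64url(canonical_json(protected))
    payload_b64 = b64url(canonical_json(account_jwk))
    mac_key = b64url_decode(eab_mac_key_b64url)
    signing_input = (protected_b64 + "." + payload_b64).encode("ascii")
    signature = hmac.new(mac_key, signing_input, hashlib.sha256).digest()
    return {"protected": protected_b64, "payload": payload_b64,
            "signature": b64url(signature)}


def verify_eab(eab: dict, eab_mac_key_b64url: str, expected_kid: str,
               expected_url: str, account_jwk: dict) -> bool:
    """The checks a CA performs on the binding: header fields, payload equal to
    the account key the outer JWS was signed with, and the MAC itself."""
    try:
        protected = json.loads(b64url_decode(eab["protected"]))
        payload = json.loads(b64url_decode(eab["payload"]))
        signature = b64url_decode(eab["signature"])
    except (KeyError, ValueError):
        return False
    if protected.get("alg") != "HS256" or "nonce" in protected:
        return False
    if protected.get("kid") != expected_kid or protected.get("url") != expected_url:
        return False
    if payload != account_jwk:
        return False
    mac_key = b64url_decode(eab_mac_key_b64url)
    signing_input = (eab["protected"] + "." + eab["payload"]).encode("ascii")
    expected = hmac.new(mac_key, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)  # constant-time comparison


def new_account_body(account_jwk: dict, eab: dict, contact) -> dict:
    """Payload of the outer newAccount JWS that carries the binding."""
    return {"termsOfServiceAgreed": True, "contact": list(contact),
            "externalAccountBinding": eab}


# Constructed sample values; a real account key is the P-256 key the ACME
# client generated, and kid/MAC key come from the supplier's customer portal.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": "c29tZS1jb25zdHJ1Y3RlZC14LWNvb3JkaW5hdGUtYnl0ZXM",
               "y": "c29tZS1jb25zdHJ1Y3RlZC15LWNvb3JkaW5hdGUtYnl0ZXM"}
EAB_KID = "eab-kid-0001"
EAB_MAC_KEY = b64url(b"\x01" * 32)          # constructed 256-bit MAC key
NEW_ACCOUNT_URL = "https://acme.example.test/acme/new-account"

if __name__ == "__main__":
    binding = build_eab(ACCOUNT_JWK, EAB_KID, EAB_MAC_KEY, NEW_ACCOUNT_URL)
    print(json.dumps(new_account_body(ACCOUNT_JWK, binding,
                                      ["mailto:admin@example.test"]), indent=2))
    print("binding verifies:",
          verify_eab(binding, EAB_MAC_KEY, EAB_KID, NEW_ACCOUNT_URL, ACCOUNT_JWK))
```

The kid and MAC key are long-lived credentials for the supplier account: anyone holding them can bind new ACME accounts to it and order on its behalf, so store them like an API key, not like the public account data. The binding is only checked once, at newAccount; later orders are authorised by the ACME account key alone.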
Tommi Prami Posted May 2

Angus Robertson said:
Currently, SSL/TLS certificates may be issued for a maximum period of 398 days, before renewal is required. The CA/Browser Forum recently voted to reduce this life span period in steps over the next four years. From 15th March 2026, life span is reduced to 200 days. ...

Do you have any good sources of this? (To send people that might be interested)
Angus Robertson Posted May 2

https://www.theregister.com/2025/04/14/ssl_tls_certificates/
https://www.feistyduck.com/newsletter/issue_124_certificate_lifetimes_to_shrink_to_just_forty_seven_days

and numerous other sites that reported the same April vote, although https://cabforum.org/ has not yet been updated with the minutes of the meeting, or at least I cannot find them.

If you are interested in SSL/TLS, subscribe to the Feisty Duck monthly newsletter, it collects all the news.

Angus
Angus Robertson Posted Saturday at 11:26 AM

SVN and the overnight zip have been updated with a new ICS beta, with a lot of SSL/TLS changes. Took a little longer than expected due to adding support for new certificate suppliers and a major sample upgrade.

Since Let's Encrypt introduced the ACME (Automatic Certificate Management Environment) protocol to download SSL/TLS certificates, other suppliers have added automated ordering using the same API, mostly with extra account information for commercial certificates. ICS has been tested successfully with free certificates from Google Trust Services and Buypass, and should work with DigiCert, ZeroSSL and SSLcom, but these last three are primarily commercial suppliers and need prepaid accounts, so not tested yet.

Google Trust Services offers an excellent alternate to Let's Encrypt and offers almost the same free certificates up to 90 days with multiple wildcards, but allows the expiry days to be specified during ordering, down to three days. Some companies were reluctant to use Let's Encrypt when there was no alternative in case of extended down time; now Google offers that alternate. Buypass is a Norwegian business, offers free 180 day certificates but no wild cards and only five domains per certificate, but may be suitable for those that don't want to use American certificates.

Apart from Let's Encrypt and Buypass, suppliers use ACME external accounting to tie the ordering process to web site accounts, which is explained in comments in the OverbyteIcsSslX509Certs unit; more information will be added and the wiki pages updated before release. Google needs the Google Cloud CLI Windows application installing, type a few commands and you get the external account information Acme needs.

The OverbyteIcsX509CertsTst sample has a major revision to support multiple account suppliers and to specify the external accounting information. The sample needs to be run on any servers that will order certificates to create the initial Acme account (except for Let's Encrypt), and includes a web server allowing test certificates to be ordered provided DNS points to a public IP on the server. Most suppliers provide a testing endpoint which is listed in OverbyteIcsX509CertsTst so you can order fake certificates to understand the process.

OCSP is being deprecated by the industry in favour of shorter expiry certificates. Let's Encrypt stopped adding an OCSP URL to certificates in May 2025 and will turn off its OCSP servers in August 2025. This means OCSP Stapling no longer works, nor checking OCSP during chain verification. ICS has two new defines OpenSSL_OcspStaple and OpenSSL_OcspChains defaulting to false, that need to be set to enable ICS to continue using OCSP for any suppliers still supporting it. The default saves a lot of extra OCSP code being linked into applications. When existing projects with server components are opened, 'Error reading: xx: Property OcspSrvStapling does not exist' may appear, just click past it and the property will be removed from the form.

To replace OCSP for servers, the ACME specification now supports a renewal information API, that for each certificate provides a recommended date range when the certificate should be renewed, which may change dynamically if the certificate is revoked. ICS servers now check certificate renewal information, usually every six hours.

ACME certificate profiles are now supported, currently Let's Encrypt only: default classic, optional tlsserver and shortlived (7 day, not yet available).

Angus
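The renewal information API described in this post and in the opening post is ACME Renewal Information (ARI, RFC 9773). A client looks up its certificate at the directory's renewalInfo URL under an identifier built from the certificate's Authority Key Identifier and serial number, gets back a suggestedWindow, picks a random moment inside it, and renews at once if that moment has already passed, which is how a revocation shows up when the CA moves the window into the past. The Python below is an added example for this thread, not ICS code and not code from the post; it builds the identifier, checks it against the worked example in RFC 9773 section 4.1, and applies the window logic to two constructed responses. The AKI bytes are taken as input because pulling them out of a certificate needs an X.509 parser, which this example leaves out.

```python
"""ACME Renewal Information (ARI, RFC 9773): build the certificate identifier
the renewalInfo endpoint is keyed by, then act on the suggested window.
Added example, not ICS code; sample responses and 'now' are constructed."""
import base64
from datetime import datetime, timezone


def b64url(data: bytes) -> str:
    """base64url without padding, as ARI and the rest of ACME use."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def serial_der_content(serial: int) -> bytes:
    """Content octets of the DER INTEGER holding the serial number: minimal
    big-endian two's complement, so a leading 0x00 is required when the top
    bit is set. ARI encodes these bytes, not the hex or decimal string."""
    if serial < 0:
        raise ValueError("X.509 serial numbers are non-negative")
    return serial.to_bytes((serial.bit_length() + 8) // 8, "big")


def ari_cert_id(aki_key_identifier: bytes, serial: int) -> str:
    """base64url(AKI keyIdentifier) '.' base64url(serial DER content)."""
    return b64url(aki_key_identifier) + "." + b64url(serial_der_content(serial))


def parse_rfc3339(text: str) -> datetime:
    # datetime.fromisoformat only accepts a trailing 'Z' from Python 3.11 on.
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    value = datetime.fromisoformat(text)
    if value.tzinfo is None:
        raise ValueError("ARI timestamps must carry a time zone")
    return value


def renewal_decision(ari_response: dict, now: datetime, fraction: float):
    """Choose a point inside suggestedWindow and say whether it has passed.
    Clients spread load by drawing the point uniformly at random; `fraction`
    in [0, 1] stands in for that draw so the result is reproducible.
    Returns (renew_now, chosen_time). A revoked certificate is signalled by
    the CA moving the whole window into the past, so renew_now becomes True
    on the next poll even though the certificate has not expired."""
    if not 0.0 <= fraction <= 1.0:
        raise ValueError("fraction must be in [0, 1]")
    window = ari_response["suggestedWindow"]
    start, end = parse_rfc3339(window["start"]), parse_rfc3339(window["end"])
    if end <= start:
        raise ValueError("malformed suggestedWindow: end is not after start")
    chosen = start + (end - start) * fraction
    return chosen <= now, chosen


# Worked values from RFC 9773 section 4.1: keyIdentifier octets and the
# serial 00:87:65:43:21, whose identifier is aYhba4dGQEHhs3uEe6CuLN4ByKo.AIdlQyE
RFC_EXAMPLE_AKI = bytes.fromhex("69885B6B87464041E1B37B847BA0AE2CDE01C8AA")
RFC_EXAMPLE_SERIAL = 0x87654321

# Constructed clock and responses for the window logic.
NOW = datetime(2025, 6, 1, 12, 0, tzinfo=timezone.utc)
FUTURE_WINDOW = {"suggestedWindow": {"start": "2025-06-10T00:00:00Z",
                                     "end": "2025-06-12T00:00:00Z"}}
REVOKED_WINDOW = {"suggestedWindow": {"start": "2025-05-01T00:00:00Z",
                                      "end": "2025-05-02T00:00:00Z"},
                  "explanationURL": "https://ca.example.test/revocation-notice"}

if __name__ == "__main__":
    print("renewalInfo id:", ari_cert_id(RFC_EXAMPLE_AKI, RFC_EXAMPLE_SERIAL))
    for name, resp in (("normal", FUTURE_WINDOW), ("revoked", REVOKED_WINDOW)):
        renew, when = renewal_decision(resp, NOW, 0.5)
        print(f"{name}: renew now={renew}, chosen={when.isoformat()}")
```

The Retry-After header on the renewalInfo response says when to poll again; the six-hour cadence the post mentions is a reasonable default when it is absent. Since ARI is taking over the revocation signal that OCSP used to carry, a client that only consults the window once, at its own scheduled renewal time, would miss a revocation until then.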
DelphiUdIT Posted Saturday at 03:24 PM

Angus Robertson said:
Google Trust Services offers an excellent alternate to Let's Encrypt and offers almost the same free certificates

Angus Robertson said:
Google needs the Google Cloud CLI Windows application installing

It looks like Google wants a paid account too. After that the certificate is going to be free... I tried the Acme version with Let's Encrypt and with Buypass and all is working.
Angus Robertson Posted Saturday at 06:11 PM (edited)

Yes, you need a Google account with credit card details, but there is no charge for ACME issued certificates. I just used my Google Play account from Android (I think), or maybe my Google maps account (they send an invoice monthly, for zero), somehow the Command Line Tool just worked. I explain briefly in the supplier notes in the OverbyteIcsSslX509Certs unit, but will do it properly in a wiki page, or look at: https://cloud.google.com/certificate-manager/docs/public-ca-tutorial

The product manager made some interesting comments about Google's intentions at https://community.letsencrypt.org/t/acme-support-in-google-s-ca/174736/38?page=2

Angus

Edited Saturday at 06:14 PM by Angus Robertson