
©2026 Poal.co

141

Yeah, that's going to be so fucking "fun". So much shit is going to be breaking ALL THE FUCKING TIME.

Archive: (broken)

From the post:

>TLS certificate lifetimes are dropping from 398 days to 47 over the next three years. Here's what changes, why it's happening, and the eight things every platform team should fix before the first cliff in 2027. For the first ten years of the modern web's encrypted era, the median platform engineer thought about TLS certificates roughly twice a year. Renew. Click. Forget. By the late 2010s automation crept in. ACME took the click out, and most teams stopped thinking about certificates at all.

[–] 3 pts

We've been losing our minds over this at work. I ended up writing up step-by-step instructions for how to do it since my team can't keep up. We've passed it off to "support" who are retards and so far have had to call the vendor for the past 3 systems because they won't read the documentation. And no, it can't be automated with the crapass software we use. Why we even use SSL on a completely internal server with only people on VPN accessing it, I'll never understand. I'm sure it has something to do with our jeet cybersecurity team.

[–] 2 pts

That is part of the problem I am looking at. Some systems require a very specific cert from a specific company (because of old hardware in the field) and without it... It's a big f-ing problem.

That company currently has no method to auto-renew and deliver a cert. No vendors have integrations to do it currently either. It's a bitch and a half. That is for sure.

For all other stuff? We have proper auto-renew stuff already set up and working. It's just this legacy stuff that is a pain and there is an absolute fuck ton of that old hardware in the field that can't be replaced or updated to use a different CA.

[–] 1 pt

We had a HUGE downtime - we are talking 50 hospitals (not known for being able to necessarily have the most up to date everything) on downtime procedures because the cert company changed their name and when the SSL cert was loaded onto one of the LDAP machines, anything using LDAP that didn't have the new root cert (anything out of windows support and probably even some of the newer stuff) just went boom. We updated the root cert for the software I support after a lot of help from the vendor since it's not something typically done, just to undo it when it was impossible for some of the older stuff to update.

We were up all night when one high level guy just said F it and bought a new cert on a company credit card from a well known company. They gave us no trouble, it was instant and it just worked. We are now going to be canceling and moving our contracts by the guys who decided to change their name on all their certs and refused to give us ones under the old name. The original vendor was awful and we just had some Indian saying he couldn't do anything, so the C level was like - fine, you can't do anything, we will.

[–] 2 pts

So last time I battled this, I set up some cron job to do an auto re-issue as needed. Think the logic as I remember is "check cert exp, if tomorrow, re-gen". Forgot the provider or the script but it's out there. Seems to work. And with this logic, they can make it daily for all I fucking care.

If anyone wants details I’ll go dig out my notes.
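The expiry-gated check that comment describes, as an added example rather than the commenter's script: `needs_renewal` asks openssl whether the cert dies within N days, and `renew_if_needed` only runs the issuer command when it does. It assumes `openssl` is on PATH; the certs are constructed self-signed samples and the renewal command is a placeholder for your own issuer (ACME client, vendor API, or the manual runbook).

```shell
#!/bin/sh
# Added example, not the commenter's script. Assumes openssl on PATH.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_cert OUT DAYS: constructed sample, a self-signed cert valid for DAYS days
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/key.pem" -out "$1" \
    -days "$2" -subj "/CN=example.internal" >/dev/null 2>&1
}

# needs_renewal CERT DAYS: exit 0 (true) when CERT expires within DAYS days.
# openssl -checkend exits 0 if the cert is still valid at now+seconds, 1 if not.
needs_renewal() {
  if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# renew_if_needed CERT DAYS CMD...: run CMD only when renewal is due.
# Returns 0 if CMD was run, 1 if the cert was left alone.
renew_if_needed() {
  cert=$1; days=$2; shift 2
  if needs_renewal "$cert" "$days"; then
    "$@"
    return 0
  fi
  return 1
}

# Constructed inputs: one cert about to expire, one with plenty of life left.
SHORT_CERT="$WORK/short.pem"; make_cert "$SHORT_CERT" 1
LONG_CERT="$WORK/long.pem";   make_cert "$LONG_CERT" 90

# With 47-day certs, a 15-day threshold plus a daily cron entry such as
#   0 3 * * * /usr/local/bin/renew-check.sh
# leaves about two weeks of retries before anything actually breaks.
THRESHOLD_DAYS=15
renew_if_needed "$SHORT_CERT" "$THRESHOLD_DAYS" \
  echo "renewal due for $SHORT_CERT (placeholder: call your issuer here)" || true
renew_if_needed "$LONG_CERT" "$THRESHOLD_DAYS" echo "unexpected" \
  || echo "no renewal needed for $LONG_CERT"
```

The placeholder `echo` is where the real re-issue step goes; the decision logic stays the same whether that step is an ACME client or the manual GUI upload other commenters describe.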

[–] 2 pts

Yeah, that won't work well with a bunch of legacy stuff and a TON of companies are going to fuck up not renewing or building an automated renewal process for various critical but obscure targets (this already happens all of the fucking time, even for huge companies).

[–] 1 pt

So how does it not work with legacy? What legacy shit actually uses certs? Nothing in my mfg/prod/semi world used certs.

And even if it did, how does renewing the cert not work?

[–] 0 pt

Place I work at uses a PBX that only allows you to install a cert manually via GUI. We tried to automate it but literally cannot be done any other way. Shit is stupid but we can't move to something else because the renewal is so cheap and management doesn't want to deal with setting up something new.

[–] 1 pt

Why 47 days?

[–] 2 pts

The current theory is because of post-quantum. The idea being if you rotate keys/certs often enough it won't matter if it gets cracked (not true if you have the ability to just store all of that data and crack it offline later).

It sounds retarded to me.

[–] 1 pt

Yeah, gotta suspect it’s the amount of time most likely to catch people and systems out, optimal for chaos.

[–] 1 pt

I fucking hate certs. It's such a fucking racket.

[–] 0 pt

Also, all my certs are like 90 days now...

[–] 1 pt

Also all your certs are belong to us.