The 47-day TLS certificate is coming. Your renewal strategy probably won't survive. | Poal: Say what you want.

Welcome • User Guide
ToS • Privacy • Canary
Donate • Bugs • License

©2026 Poal.co

1.2K

•

The 47-day TLS certificate is coming. Your renewal strategy probably won't survive. (www.tidelock.dev)

Yeah, that's going to be so fucking "fun". So much shit is going to be breaking ALL THE FUCKING TIME.

Archive: (brkoen)

From the post:

>TLS certificate lifetimes are dropping from 398 days to 47 over the next three years. Here's what changes, why it's happening, and the eight things every platform team should fix before the first cliff in 2027. For the first ten years of the modern web's encrypted era, the median platform engineer thought about TLS certificates roughly twice a year. Renew. Click. Forget. By the late 2010s automation crept in. ACME took the click out, and most teams stopped thinking about certificates at all.

Yeah, that's going to be so fucking "fun". So much shit is going to be breaking ALL THE FUCKING TIME. Archive: (brkoen) From the post: >>TLS certificate lifetimes are dropping from 398 days to 47 over the next three years. Here's what changes, why it's happening, and the eight things every platform team should fix before the first cliff in 2027. For the first ten years of the modern web's encrypted era, the median platform engineer thought about TLS certificates roughly twice a year. Renew. Click. Forget. By the late 2010s automation crept in. ACME took the click out, and most teams stopped thinking about certificates at all.

You are currently inside a comment thread.

Click here to see all the comments (14).

[–] • 1 pt

We had a HUGE downtime - we are talking 50 hospitals (not known for being able to necessarily have the most up to date everything) on downtime procedures because the cert company changed their name and when the SSL cert was loaded onto one of the LDAP machines, anything using LDAP that didn't have the new root cert (anything out of windows support and probably even some of the newer stuff) just went boom. We updated the root cert for the software I support after a lot of help from the vendor since it's not something typically done, just to undo it when it was impossible for some of the older stuff to update.

We were up all night when one high level guy just said F it and bought a new cert on a company credit card from a well known company. They gave us no trouble, it was instant and it just worked. We are now going to be canceling and moving our contracts by the guys who decided to change their name on all their certs and refused to give us ones under the old name. The original vendor was awful and we just had some Indian saying he couldn't do anything, so the C level was like - fine, you can't do anything, we will.

parent
link