1715455 - Let's Encrypt: certificate lifetimes 90 days plus one second

submitted by
Style Pass
2021-06-09 10:00:08

Let’s Encrypt is well-known for issuing certificates that are valid for only 90 days. Since the very first certificates issued by Let’s Encrypt’s infrastructure, those certificates have been given a 90-day validity period by our CA software by taking the issuance time and adding exactly 2,160 hours to yield the certificate’s “not after” date. However, RFC 5280 defines the validity period of a certificate as being the duration between the “not before” and the “not after” timestamps, inclusive. This inclusivity means that Let’s Encrypt’s certificates have all actually been valid for 90 days plus 1 second.
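The off-by-one-second effect described above can be checked directly against an X.509 certificate. The following Go program is an added illustration and is not Boulder's or Let's Encrypt's code: it issues a throwaway self-signed certificate (a stand-in for a CA's issuance step), measures its lifetime under the inclusive RFC 5280 definition, and shows that notBefore plus 2,160 hours yields 90 days plus one second, while a notAfter one second earlier (the `notAfterFor` helper, an assumed correction for illustration) yields exactly 90 days.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// inclusiveLifetime applies the RFC 5280 definition: both the notBefore and
// the notAfter instant are valid, so the lifetime is the difference plus 1s.
func inclusiveLifetime(c *x509.Certificate) time.Duration {
	return c.NotAfter.Sub(c.NotBefore) + time.Second
}

// notAfterFor returns the notAfter that gives exactly `lifetime` of validity
// under the inclusive definition (assumed helper; the last valid second starts
// one second before notBefore+lifetime).
func notAfterFor(notBefore time.Time, lifetime time.Duration) time.Time {
	return notBefore.Add(lifetime - time.Second)
}

// selfSign mints a self-signed certificate with the given validity window so
// the check runs offline; it stands in for a real CA's issuance step.
func selfSign(notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"}, // constructed name
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	nb := time.Date(2021, 6, 1, 0, 0, 0, 0, time.UTC) // constructed issuance time
	old, _ := selfSign(nb, nb.Add(2160*time.Hour))     // notBefore + 2,160h
	fixed, _ := selfSign(nb, notAfterFor(nb, 90*24*time.Hour))
	fmt.Println("2160h formula:", inclusiveLifetime(old))   // 2160h0m1s
	fmt.Println("minus 1s:     ", inclusiveLifetime(fixed)) // 2160h0m0s
}
```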

ISRG CPS v3.2 Section 7.1 states that end-entity certificates have a lifetime of 90 days. Section 6.3.2 states that lifetimes will be less than 100 days, but we understand that we are responsible for the more specific lifetime stated in Section 7.1.

Note that CPS v3.3 was released on June 8, 2021, and changed Section 7.1 to match Section 6.3.2 in stating that end-entity certificates will have a lifetime of less than 100 days, but most unexpired certificates issued by Let’s Encrypt at this time were issued under CPS v3.2. We chose to remediate this issue as if the CPS change had not already brought us into compliance for future issuance, mainly in order to prevent future issues with certificate lifetime configuration.
