So, about a year ago I renewed my SSL certificates, and I was using StartSSL as my certificate provider, because they were free, if a little awkward to use. One of the limitations they placed on the free certs is that they could only be valid for a year. At the time I was interested to see what would become of Let's Encrypt as it promised not only free certificates, but a much easier way to get, and manage those certificates. They went live in April this year. I have been considering setting up my cert through Let's Encrypt, and renewing my SSL certificate was the perfect opportunity to do so, however, I have not got myself into a possition to fully automate the renewal of all the places I use my SSL certificate, so while it is still a manual process, and I got the reminder from StartSSL I figured why not give them another go.

So the Good news first, the Cert I have got is valid for three years, not limited to one (although that may not be as much of a positive as it once was, but more on that later), it allows Subject Alternative Names, which the free certs never used to be allowed (apart from the root domain that was included anyway), The web interface for StartSSL has improved massively, and they offer an API (although as validations are still manual I'm not sure how useful that is at this time), what is more interesting to me is the fact that there are no longer any warnings about only being allowed one valid cert for each sub domain at a time that I saw last time I renewed my certificate. This means when I get around to setting up a propper hosting account and putting my site on the internet proper (or indeed if, given how long I've been putting this particular task off) I will be able to get a different cert with a different key, for each instance of my site I choose to have live, and it will still all work. Competition is a good thing.

And as always, the bad news follows. The cert is valid for 3 years, this means three years before I renew the key (I am pretty lazy after all) which shouldn't be a problem if I manage to keep it secure, I assume I can do so, but I know enough about computers to know that I cannot guarantee that, so good practice is to cycle the key every so often, and although a three year cert is easy to manage (for three years at least) I fear that startssl are missing the big selling point of Let's Encrypt, who only offer three month certs, and are aiming to offer shorter certs in the future, not the free certs themselves but the ease of management that comes with automation, and good tools. It is far easier to manage something if it is automated, to the point that if I do get a hosted server I will almost certainly move to Let's Encrypt, and automate the renewal of the certificates.

posted at 08:27:21 PM on 22 Sep 2016 by Craig Stewart

Tags:opinion sysadmin security ssl