You can issue a 15-year SSL certificate today. Why almost nobody does

2 pointsby panelica2 hours ago1 comment

gnabgib2 hours ago
No.. you can't. 200 days is the max today. (Unless you're talking about a Private CA)
https://cabforum.org/2025/04/11/ballot-sc081v3-introduce-sch...
- austin-cheney2 hours ago
  Expiry is optional on certificates. You can write your own using a library like OpenSSL and it will be respected by the browsers. What you linked to was an industry trade group voting on a bylaw.
  - gnabgiban hour ago
    Have you ever seen a no-expiry cert? Widely criticized as a mistake. The null-object of TLS.
    You cannot issue a publicly trusted TLS certificate with an empty expiry, or an expiry date more than 200 days away (as of March). If you want to talk about private CA, then the certs can follow all sorts of rules.. they don't even have to be about TLS.. they can be for SSH at that point.
- 8organicbitsan hour ago
  Cloudflare origin CA is a private CA, so the CABF doesn't apply.
  - gnabgiban hour ago
    Yes.. exactly.. you can't issue a 15y TLS (not SSL) cert today.. not in a usable way. If cloudflare stops proxying you, your cert is worth nothing (accepted by no one).
    You can create your own without the use of cloudflare.. you can set it to a 100y expiry if you feel like it.
    panelicaan hour ago
    [flagged]
- panelica2 hours ago
  [flagged]