The CA/Browser Forum has officially voted to amend the TLS Baseline Requirements to set a schedule for shortening the lifetime of TLS certificates.
I’ve proposed using Let’s Encrypt but my coworkers believe there would be a perception issue with us using a “free” TLS certificate provider. I work for a popular internet search engine so it’s a reasonable worry.
It just seems like LE has the most efficient automatic renewal setup, though I haven’t looked in detail at other providers.
That sounds weird to me. How big is the population of people who are technical enough to even check which certificate provider you are using but ignorant enough to think that Let’s Encrypt is bad because it’s free?
Managers.
There can be theoretical audit or blame issues: since you’re not “paying”, how does the company pass the buck (SLA contracts) if something fucks up with LE?
Let’s Encrypt also built ACME, so they’re the primary port for testing RFC 8555. They’re just gonna work better at it.
But, as above, maybe Digi is still the way for you, with the right tooling glued in.
Good luck!
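The thread's practical worry is whether renewal automation keeps up once lifetimes shrink. The script below is an added example, not code from the thread or from Let's Encrypt: it builds a throwaway self-signed certificate so it runs offline, then applies a "renew once less than a third of the lifetime remains" rule (an assumption chosen for this example, not a rule the thread states) using the openssl CLI and GNU date, both assumed to be installed. The function names (make_test_cert, cert_epoch, renewal_due) are this example's own.

```sh
#!/bin/sh
# Added example (not from the thread): decide whether an ACME client should
# renew a certificate now, using the "renew once less than one third of the
# lifetime remains" rule. Assumes the openssl CLI and GNU date are installed.
set -eu

# Generate a throwaway self-signed cert so the example runs offline.
# $1 cert path, $2 key path, $3 validity in days
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$2" -out "$1" \
    -days "$3" -subj "/CN=example.test" >/dev/null 2>&1
}

# Print one validity boundary of a cert as a Unix timestamp.
# $1 cert path, $2 startdate|enddate
cert_epoch() {
  s=$(openssl x509 -in "$1" -noout "-$2" | cut -d= -f2-)
  date -u -d "$s" +%s
}

# Print "renew" if less than a third of the cert's lifetime remains, else "ok".
# $1 cert path
# $2 optional "now" as a Unix timestamp; defaults to the wall clock, and can be
#    injected for dry runs so a cron job's decision can be tested ahead of time
renewal_due() {
  cert="$1"
  now="${2:-$(date -u +%s)}"
  nb=$(cert_epoch "$cert" startdate)
  na=$(cert_epoch "$cert" enddate)
  lifetime=$((na - nb))
  remaining=$((na - now))
  threshold=$((lifetime / 3))
  if [ "$remaining" -lt "$threshold" ]; then
    echo renew
  else
    echo ok
  fi
}

# Demo: a fresh 47-day cert is not due; the same cert 40 days later is.
tmp=$(mktemp -d)
make_test_cert "$tmp/cert.pem" "$tmp/key.pem" 47
nb=$(cert_epoch "$tmp/cert.pem" startdate)
echo "fresh:         $(renewal_due "$tmp/cert.pem" "$nb")"
echo "40 days later: $(renewal_due "$tmp/cert.pem" $((nb + 40 * 86400)))"
rm -rf "$tmp"
```

Run it from cron with the real clock and act on "renew"; pass a future timestamp as the second argument to confirm the job would fire early enough before the renewal window closes.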