I'm shocked that OpenSRS has the gall to claim they were blindsided by the CAB-mandated expiry changes, hell, there was a post in this mailing list well over a year ago about it! 

I don't know why anyone would keep paying for certs at this point, unless you desperately need some feature that LE can't provide (e.g. some of the more esoteric ACME validation options, maybe).

A lot of people will be changing DNS providers soon, so they can use DNS-01 challenge types, I expect. 

But, yeah, it's here, it's real, and it's a massive shake-up in what was already a desperately perverse marketplace (not Trevor, I mean the CAs).

-Adam

Get Outlook for Android
From: Trevor Cordes <trevor@tecnopolis.ca>
Sent: Sunday, April 12, 2026 2:34:05 AM
To: MUUG RndTbl <roundtable@muug.ca>
Subject: [RndTbl] shortened cert expiries
 
Anyone interested, first read the MUUG newsletter article on certs last
month:
https://muug.ca/pub/muuglines/pdf/muug2604.pdf
page 2

As a followup, it gets worse!  I just discovered that if you want to
impelment ACME to automate cert renewals with a for-pay cert company like
Digitcert (who after buying tons of people up is a massive share of the
market) you have to register with their "enterprise" system.

If you do that and migrate your certs then you are converting to a direct
sales model and can no longer buy from a reseller.  This is important for
me as I'm the reseller!  So a by-product of this move is they just killed
the reseller market, and undoubtedly not by accident.

Ya, I get it, but this doesn't just hurt the reseller, it hurts the
customer: because in many cases I was able to discount the cert vs retail
price.  Now you'll pay whatever retail price digicert says.

It looks like *my* upstream reseller (opensrs) could possibly implement
ACME, but they haven't yet, and claim to be blindsided by these expiry
changes, so I doubt can implement it anytime soon.  Apparently they can,
since select (few) other resellers are implementing ACME... but who knows
how all this would work.

In any event, all the decisions are being made *now* because as of a month
ago certs with the short expiries are needing to be renewed, and needing
automation because I'm not updating everyone's cert many times a year
(even 2).  Unless someone says "ACME is coming soon!" I'll have to tell
everyone to use Let's Encrypt and sell nothing but my time from now on.
Which is fine, but a vast departure from how I've sold/handled certs for
25 years, and impacts the relationship I have with my customers.

In this space, absolutely no one likes change or having to think about
"new things".  It needs to Just Work(tm).  Literally no one cares about
it unless it breaks, and the costs were so miniscule to companies that
even having to explain the new options is a waste of everyone's time.

All for, what, exactly?  CRL and quantum... ya, right.
_______________________________________________
Roundtable mailing list -- roundtable@muug.ca
To unsubscribe send an email to roundtable-leave@muug.ca