I'm shocked that OpenSRS has the gall to claim they were blindsided by the CAB-mandated expiry changes; hell, there was a post in this mailing list well over a year ago about it!

I don't know why anyone would keep paying for certs at this point, unless you desperately need some feature that LE can't provide (e.g. some of the more esoteric ACME validation options, maybe).

A lot of people will be changing DNS providers soon, so they can use DNS-01 challenge types, I expect.

But, yeah, it's here, it's real, and it's a massive shake-up in what was already a desperately perverse marketplace (not Trevor, I mean the CAs).

-Adam

________________________________
From: Trevor Cordes <trevor@tecnopolis.ca>
Sent: Sunday, April 12, 2026 2:34:05 AM
To: MUUG RndTbl <roundtable@muug.ca>
Subject: [RndTbl] shortened cert expiries

Anyone interested, first read the MUUG newsletter article on certs last month:
https://muug.ca/pub/muuglines/pdf/muug2604.pdf page 2

As a followup, it gets worse! I just discovered that if you want to implement ACME to automate cert renewals with a for-pay cert company like Digicert (who after buying tons of people up is a massive share of the market) you have to register with their "enterprise" system. If you do that and migrate your certs then you are converting to a direct sales model and can no longer buy from a reseller.

This is important for me as I'm the reseller! So a by-product of this move is they just killed the reseller market, and undoubtedly not by accident. Ya, I get it, but this doesn't just hurt the reseller, it hurts the customer: because in many cases I was able to discount the cert vs retail price. Now you'll pay whatever retail price digicert says.

It looks like *my* upstream reseller (opensrs) could possibly implement ACME, but they haven't yet, and claim to be blindsided by these expiry changes, so I doubt they can implement it anytime soon. Apparently they can, since select (few) other resellers are implementing ACME... but who knows how all this would work.

In any event, all the decisions are being made *now* because as of a month ago certs with the short expiries are needing to be renewed, and needing automation because I'm not updating everyone's cert many times a year (even 2). Unless someone says "ACME is coming soon!" I'll have to tell everyone to use Let's Encrypt and sell nothing but my time from now on. Which is fine, but a vast departure from how I've sold/handled certs for 25 years, and impacts the relationship I have with my customers.

In this space, absolutely no one likes change or having to think about "new things". It needs to Just Work(tm). Literally no one cares about it unless it breaks, and the costs were so minuscule to companies that even having to explain the new options is a waste of everyone's time.

All for, what, exactly? CRL and quantum... ya, right.