Expiry is optional on certificates. You can write your own using a library like OpenSSL and it will be respected by the browsers. What you linked to was an industry trade group voting on a bylaw.
Have you ever seen a no-expiry cert? Widely criticized as a mistake. The null-object of TLS.
You cannot issue a publicly trusted TLS certificate with an empty expiry, or an expiry date more than 200 days away (as of March). If you want to talk about a private CA, then the certs can follow all sorts of rules; they don't even have to be about TLS; they can be for SSH at that point.
People confuse themselves on this subject all the time.
Expiry is optional. Is that a good idea? No.
Expiry exists only to kill a certificate, intentionally, in a timely manner. That forces the consumer to handle their business before certificate compromise, because revocation and compromise each invoke a higher effort to mitigate to the issuer.
Yes, exactly: you can't issue a 15y TLS (not SSL) cert today, not in a usable way. If Cloudflare stops proxying you, your cert is worth nothing (accepted by no one).
You can create your own without the use of Cloudflare; you can set it to a 100y expiry if you feel like it.
No, you can't. 200 days is the max today (unless you're talking about a private CA).
https://cabforum.org/2025/04/11/ballot-sc081v3-introduce-sch...
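Added example (not from any commenter in this thread): Go code that self-signs a certificate with whatever validity window you choose, as a private CA or an OpenSSL one-liner can, then measures that window against the 200-day public-trust ceiling quoted above. The names SelfSign, ValidityDays and PublicTrustEligible are my own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// PublicTrustMaxDays is the ceiling quoted in the thread for publicly trusted
// TLS certificates (as of the thread's date); a private CA is not bound by it.
const PublicTrustMaxDays = 200

// SelfSign builds a self-signed certificate with an arbitrary validity window,
// exactly as a private CA (or anyone with OpenSSL) can. Returns DER bytes.
func SelfSign(cn string, notBefore, notAfter time.Time) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// ValidityDays parses DER and returns the notBefore..notAfter span in whole days.
func ValidityDays(der []byte) (int, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return 0, err
	}
	return int(cert.NotAfter.Sub(cert.NotBefore).Hours() / 24), nil
}

// PublicTrustEligible reports whether the lifetime alone could have come from a
// public CA under the ceiling; a longer window means "private CA only".
func PublicTrustEligible(der []byte) (bool, error) {
	days, err := ValidityDays(der)
	return err == nil && days <= PublicTrustMaxDays, err
}
```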
Cloudflare origin CA is a private CA, so the CABF doesn't apply.