DEENFRELIDESCA
my.iacboxiacbox.cloudMy WiFi solution

TLS Certificates – Validity Periods to Be Reduced

Current developments in TLS (x509) certificates will finally retire well-known manual procedures in the coming years. Read here for an outlook on how these changes will affect the IACBOX.

What happened?

After a failed attempt by Google in previous years, Apple succeeded in 2024 with a similar proposal to shorten the validity of certificates. In April 2025, the proposal was adopted by the Browser/CA Forum. This forum includes major browser manufacturers and CAs (Certificate Authorities) who drive and coordinate changes like these. The proposal was preceded by lengthy discussions, as not everyone is happy with this development.
The lifespan of certificates has been shortened several times over the past 20 years. From 10 years, the duration was gradually and significantly reduced to 1 year (2020).
The upcoming steps will reduce the validity of TLS certificates from the current maximum of 398 days to 47 days. This will force both users and CAs (Certificate Authorities) to automate, as manually replacing certificates will no longer be practical.

New validity periods

Here is an overview of the new validity periods. Noteworthy is the 2-year phase with a 100-day validity.
From Certificate validity period Domain validation validity period Calculation/Notes
March 2025 398 days (unchanged) 398 days (previously 825) Only the validity period of domain validation has been shortened.
March 2026 200 days 200 days 200 days (approx. 6.5 months, incl. tolerance)
March 2027 100 days 100 days 100 days (approx. 3.3 months, incl. tolerance)
March 2029 47 days 10 days 31 days (approx. 1.5 months, incl. tolerance)

Motivation

The shorter validity period is primarily intended to improve security. A major problem with security is the revocation/invalidation of certificates.
There are two methods to revoke certificates:
  1. OCSP (Online Certificate Status Protocol)
  2. CRL (Certificate Revocation List)
Both methods have their issues, and online checks add latency that should be avoided during connection setup. Optimizations in other protocols like TLS 1.3 and QUIC aim to reduce the number of requests during connection setup to improve speed. Another problem often observed by security researchers is that certificates are not revoked after breaches. The Heartbleed attack clearly demonstrated this.
Reducing the validity period thus decreases the time during which a compromised certificate (or its key) is valid and can be misused.

IACBOX

On the IACBOX, there are three possible cases for which Surf-LAN domains plus TLS certificates can be configured, so the necessary changes vary depending on the case:
  1. IACBOX Standard Domain: (hotspot.internet-for-guests.com)
  2. Standard Domain of White-Label Partners: The associated certificate is automatically installed when registering with the partner theme and has so far been updated annually.
  3. Custom Domain: Any custom domain registered by the administrator, who also procures and installs the TLS certificate themselves.

Update

Let’s now look at how these three cases will be handled in the future:

  1. IACBOX Standard Domain: Here, the update method remains unchanged – the certificate for the standard domain (soon to include multiple domains – see below) will continue to be updated automatically via the online update.
  2. Standard Domain of White-Label Partners: To ensure a smooth process, we offer White-Label partners the option to have short-lived certificates automatically updated and distributed via our update servers. To enable this, a partner only needs to create a special `CNAME` DNS entry, allowing us to update the certificate for these domains.
  3. Custom Domain:
    • 3.1 If the certificate is to be updated on the IACBOX itself, this is only possible via the ACME DNS challenge. The IACBOX will receive an ACME client during version 24 to enable this.
    • 3.2 If the certificate is renewed externally, for example, because it is a wildcard certificate used on other systems, a certificate can also be installed via the Batch API in the future. This allows certificates to be copied and installed on the IACBOX using simple scripts after their renewal.

How does automatic certificate renewal work?

The Let’s Encrypt initiative was a pioneer in automated certificate renewal. It made regular, domain-validated certificates freely available to everyone. These certificates are currently valid for 90 days. The ACME protocol was invented for the automated issuance and renewal of certificates. ACME stands for Automatic Certificate Management Environment and is a protocol that enables certificates to be automatically created, managed, and updated. Other CAs also offer proprietary automation methods, but ACME is an open standard supported by various CAs.

To validate a domain, you must prove that you own the domain and control the server or domain. Originally, ACME only supported the so-called HTTP challenge (= proof). This challenge works by placing a special file on the server, which the CA server then queries. If the file exists and has the correct content, the certificate is issued.

For servers like the IACBOX, which are often behind a firewall on the network without a public IP address, this does not work or at least not without port forwarding. Therefore, the DNS challenge was introduced later. This challenge works by creating a special DNS entry, which the CA server then retrieves. If the entry exists and the value matches, the certificate is issued.

However, the DNS provider used must provide an API through which DNS entries can be created and deleted.

Additional new standard domains

At this point, we are pleased to announce another innovation – there will soon be two new standard domains available for free on every IACBOX. These new domains are shorter, which is especially helpful for login links in emails and SMS. Furthermore, the IACBOX is also used in many locations where WLAN users cannot be referred to as “guests” (e.g., in hospitals). These new domains offer a more general name and, through a wildcard certificate, also allow you to define the subdomain yourself.

  • *.iacbox.surf
  • *.login.surf

The previous standard domain hotspot.internet-for-guests.com will remain available for the time being. However, the certificate for this domain will also be switched to a short-lived certificate in 2026.

Outlook

There is still enough time to adapt to short-lived certificates. Administrators managing a large number of services are already starting to plan. The IACBOX will certainly be ready in time, with various methods for certificate renewal. We will keep you informed as soon as there is news on this.

Stay secure and up-to-date with IACBOX Software Maintenance.

Are you an entrepreneur looking for a solution to these requirements? Or are you a service provider and advise companies on wireless or wired network solutions?

Let's start a project together

Privacy settings

We use cookies to provide social media features and to analyze traffic to our website. More information

Accept all
Save & close