Abstract

Two new features this week, both pushing in the same direction: make certificate lifetimes someone else’s problem.

ACME ARI

ACME Renewal Information (ARI, RFC 9773) is a protocol extension that lets a CA tell your client when to renew a specific certificate. Instead of renewing on a fixed schedule (say, day 60 of a 90-day certificate), the client asks the CA's renewalInfo endpoint for a suggested renewal window for that certificate, picks a random moment inside the window, and renews then.

We now call the ARI endpoint multiple times per day for every certificate we manage.

The obvious benefit is timing. We renew exactly when the CA wants us to, and renewals requested inside the suggested window are exempt from the rate limits that apply to ordinary (re)issuance at Let's Encrypt. If you’ve ever hit rate limits during a bulk renewal event, ARI is the fix.

The less obvious benefit matters more. Revocation checking is famously unreliable (browsers mostly don’t block on CRLs or OCSP), but CAs do have one lever they can pull: ARI. When the CA needs to revoke a batch of certificates (a CA bug, a misissuance event, anything requiring emergency replacement), it can publish a suggested window that is already in the past for every affected certificate. Any client checking ARI sees that window, renews immediately, and has the replacement deployed before the old certificate is revoked.

For example, the DigiCert incident last year where roughly 83,000 certificates needed emergency replacement within 24 hours. Customers who weren’t checking anything scrambled. With a CA that publishes ARI and a client that polls it, that scenario becomes automatic. The CA flags the certificate, CertKit sees it on the next poll, and a new certificate is issued and deployed before you’ve even read the incident report.

You don’t configure anything for this. It’s on for every certificate in your account.
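What a client actually does on each poll is small enough to show in full. The block below is an added example written for this post, not CertKit's code: it builds the ARI certificate identifier (base64url of the Authority Key Identifier's keyIdentifier, a dot, and base64url of the DER-encoded serial), forms the unauthenticated GET URL from the directory's renewalInfo field, and applies the RFC 9773 client algorithm to a renewalInfo response, including the "window already in the past" shape a CA publishes when it needs a certificate replaced. The AKI and serial values are the worked example from RFC 9773; the directory URL and the two response bodies are constructed samples, and the poll interval is an assumed client setting.

```python
import base64
import json
import random
from datetime import datetime, timedelta
from typing import Optional, Tuple

# Constructed sample values, taken from the worked example in RFC 9773 (the ARI spec):
# the keyIdentifier from the certificate's Authority Key Identifier extension and
# the certificate's serial number. A real client reads both from the leaf certificate.
SAMPLE_AKI_KEY_ID = bytes.fromhex("69885B6B87464041E1B37B847BA0AE2CDE01C8D4")
SAMPLE_SERIAL = 0x87654321

# Constructed sample ACME directory; "renewalInfo" is the field ARI adds (URL is made up).
SAMPLE_DIRECTORY = {"renewalInfo": "https://ca.example/acme/renewal-info"}

# Constructed sample responses: a normal window a few days out, and the emergency
# shape a CA publishes for a certificate it needs replaced (window entirely in the past).
SAMPLE_NORMAL = json.dumps({"suggestedWindow": {
    "start": "2026-03-10T00:00:00Z", "end": "2026-03-12T00:00:00Z"}})
SAMPLE_EMERGENCY = json.dumps({"suggestedWindow": {
    "start": "2026-03-01T00:00:00Z", "end": "2026-03-01T00:00:01Z"},
    "explanationURL": "https://ca.example/incidents/example"})


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def der_integer_content(n: int) -> bytes:
    """Content octets of a DER INTEGER: minimal big-endian two's complement.
    A serial with its top bit set gets a leading 0x00 (0x87654321 -> 00 87 65 43 21)."""
    return n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True)


def ari_cert_id(aki_key_id: bytes, serial: int) -> str:
    """ARI certificate identifier: base64url(AKI keyIdentifier) '.' base64url(serial)."""
    return f"{b64url(aki_key_id)}.{b64url(der_integer_content(serial))}"


def renewal_info_url(directory: dict, cert_id: str) -> str:
    """ARI is an unauthenticated GET of <renewalInfo>/<certID>; no account or JWS needed."""
    return f"{directory['renewalInfo']}/{cert_id}"


def parse_rfc3339(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def renewal_decision(info: dict, now: datetime, poll_interval: timedelta,
                     rng: Optional[random.Random] = None) -> Tuple[bool, datetime]:
    """RFC 9773 client algorithm applied to a parsed renewalInfo body.

    Pick a uniformly random instant in suggestedWindow so a whole fleet does not
    renew in the same second. Renew now if that instant has passed, or if it falls
    before this client's next wake-up; otherwise wait and re-check on the next poll.
    A window entirely in the past therefore always yields renew-now.
    """
    rng = rng or random.Random()
    start = parse_rfc3339(info["suggestedWindow"]["start"])
    end = parse_rfc3339(info["suggestedWindow"]["end"])
    if end < start:
        raise ValueError("malformed suggestedWindow: end precedes start")
    chosen = start + (end - start) * rng.random()
    return chosen <= now + poll_interval, chosen


def check_certificate(response_body: str, now_rfc3339: str,
                      poll_interval: timedelta = timedelta(hours=6),
                      rng: Optional[random.Random] = None) -> dict:
    """One poll: parse the CA's response and decide whether to renew this certificate."""
    info = json.loads(response_body)
    renew, chosen = renewal_decision(info, parse_rfc3339(now_rfc3339), poll_interval, rng)
    return {
        "renew_now": renew,
        "selected_time": chosen.isoformat(),
        "explanation": info.get("explanationURL"),  # CA's reason for an early window, if any
    }


if __name__ == "__main__":
    cert_id = ari_cert_id(SAMPLE_AKI_KEY_ID, SAMPLE_SERIAL)
    print("GET", renewal_info_url(SAMPLE_DIRECTORY, cert_id))
    for label, body in (("normal", SAMPLE_NORMAL), ("emergency", SAMPLE_EMERGENCY)):
        print(label, check_certificate(body, "2026-03-05T12:00:00Z"))
```

The explanationURL is worth surfacing in your alerting: when a CA pulls the emergency lever, that link is where it explains why, and your renewal log is otherwise the only place the event shows up.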

6-day certificates

Let’s Encrypt now offers 6-day certificates for environments where shorter is better.

Most of the conversation around shorter certificate lifetimes has been about the industry forcing everyone toward 47 days by 2029 (the CA/Browser Forum schedule steps maximum validity down to 200 days in March 2026, 100 days in March 2027 and 47 days in March 2029). That’s a mandate. This is the other direction: opting into certificates that expire even faster, for cases where that’s actually what you want.

The use cases are narrower but real. Ephemeral infrastructure where you want certificates to expire with the environment. Security-sensitive deployments where a smaller window of exposure from a compromised key is worth the operational cost; with a lifetime this short, the certificate simply expires rather than relying on revocation, which is the point. Internal tooling where you already control the client and don’t need the runway.

6-day certificates work the same as any other certificate in CertKit. The agent pulls the new certificate and deploys it on whatever schedule you’ve configured. The only difference is the math: renewal happens every few days instead of every few months, which also means a renewal failure you could ignore for weeks on a 90-day certificate becomes an outage within days.

If you don’t have a specific reason to want 6-day certificates, stay on the standard 90-day cycle. But if you do, you can select it per-certificate in your CertKit dashboard.


CertKit automates certificate lifecycle management.
