Migrate TLS for jQuery CDN to ACME (deadline: 30 Nov 2026) #86

@Krinkle

What

Following up from this year's renewal, we should migrate to fully automatic certificates (ACME, e.g. Let's Encrypt and such).

Why

#85:

[…] This year is going to be different because the CAB Forum approved a decision last year to gradually reduce the maximum lifetime of all TLS certificates to 47 days by 2029.

[…] Sectigo, has already recently lowered the maximum from 356 to 200 days and it'll reduce to 100 days next year. (see Sectigo April 2025 press release).

So we could certainly renew this the usual way one more time, with 200 days, but by next year we should really be on automation […]

When

The current cert expires on 4 Dec 2026, so let's aim to get this live by 30 Nov 2026.

How

  • Experiment with Fastly-managed TLS using Certainly.
  • Experiment with Fastly-managed TLS using GlobalSign.
  • Determine how far back their roots are trusted by old devices, and how this compares to Sectigo.
  • Decide on a reliable testing setup (i.e. Fastly cluster configuration and domain).
  • Observe renewal cycle: How long before expiry does it renew?
  • Observe renewal cycle: How long after minting/issuing new certs are they activated?
  • Pilot: Gradually roll out on jQuery domains served via Fastly (except code.jquery.com)
  • Converge on the best setup and switch all piloted services to the preferred setup.
  • Switch code.jquery.com by end of November 2026.

/cc @ryanaslett @timmywil
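
The two "Observe renewal cycle" items in the plan above can be measured from periodic probes of the test domain. The following is an added example, not part of the original issue or of jQuery's infrastructure code; the probe log format, field names and sample rows are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed probe log (not real data). One row per probe of the test domain:
# probe time, leaf serial, notBefore, notAfter of the certificate being served.
SAMPLE_PROBES = """\
2026-03-01T00:00:00Z,0A01,2026-01-10T00:00:00Z,2026-04-10T00:00:00Z
2026-03-11T00:00:00Z,0A01,2026-01-10T00:00:00Z,2026-04-10T00:00:00Z
2026-03-12T00:00:00Z,0B02,2026-03-11T06:00:00Z,2026-06-09T06:00:00Z
2026-05-20T00:00:00Z,0B02,2026-03-11T06:00:00Z,2026-06-09T06:00:00Z
2026-06-05T00:00:00Z,0C03,2026-06-04T00:00:00Z,2026-09-02T00:00:00Z
"""

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_probes(text):
    """Parse the CSV rows into dicts, ordered by probe time."""
    rows = []
    for line in text.strip().splitlines():
        seen, serial, not_before, not_after = line.split(",")
        rows.append({"seen": _ts(seen), "serial": serial,
                     "not_before": _ts(not_before), "not_after": _ts(not_after)})
    return sorted(rows, key=lambda r: r["seen"])

def renewal_events(rows):
    """Return one record per change of the served certificate."""
    events = []
    for prev, cur in zip(rows, rows[1:]):
        if cur["serial"] == prev["serial"]:
            continue
        events.append({
            "old": prev["serial"], "new": cur["serial"],
            # Lifetime left on the old certificate when the new one was first seen.
            "lead_time": prev["not_after"] - cur["seen"],
            # Upper bound on issue-to-activation time: notBefore may be backdated
            # by the CA, and the switch happened somewhere inside probe_gap.
            "activation_delay": cur["seen"] - cur["not_before"],
            "probe_gap": cur["seen"] - prev["seen"],
        })
    return events

def at_risk(events, min_lead_days):
    """Renewals that went live with less than min_lead_days left on the old cert."""
    return [e for e in events if e["lead_time"] < timedelta(days=min_lead_days)]

if __name__ == "__main__":
    for e in renewal_events(parse_probes(SAMPLE_PROBES)):
        print(e["old"], "->", e["new"], "lead", e["lead_time"],
              "activation <=", e["activation_delay"], "probe gap", e["probe_gap"])
```

A short probe interval matters here: `probe_gap` bounds how precisely either figure can be read, so a 16-day gap like the one in the second constructed renewal makes the measured lead time a worst case rather than an observation.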
