# Why TLS Cert Lifecycle Audit Exists

Probes a hostname for cert lifetime (90 / 100 / 397 day buckets), CT-log inclusion via crt.sh, public-key reuse across renewals (the harvest-now-decrypt-late...

Author: J.A. Watte
Published: April 23, 2026
Source: https://jwatte.com/blog/blog-tool-cert-lifecycle-audit/

---

**TL;DR.** NIST finalized PQC standards in 2024 (FIPS 203 / 204 / 205). Audit TLS, DNSSEC, and code-signing now so the 2035 CNSA deadline is an incremental migration, not a forklift.

The **[TLS Cert Lifecycle Audit](/tools/cert-lifecycle-audit/)** is the audit you reach for when you already suspect a problem in this dimension and need a fast, copy-paste-able fix list. It reuses the same chrome as every other jwatte.com tool — deep-links from the mega analyzers, AI-prompt export, CSV/PDF/HTML download — but the checks it runs are narrow and specific to the dimension described above.

> Probes a hostname for TLS cert lifetime (≤90 / ≤100 / ≤397 day buckets), CT log inclusion via crt.sh, public-key reuse across renewals (the often-missed harvest-now-decrypt-later amplifier), issuer + ACME client signal, OCSP / CRL freshness, and SAN bloat. Pairs with the PQC Analyzer.

## What it actually checks

Extract of the audit's real findings — the same strings the tool prints when a check trips. Use this as a sanity check before you run the audit live:

**Warnings (fix these same-month):**

- Live TLS probe unavailable
- crt.sh returned no rows

**Info-only (context for the fix plan — not a failure):**

- Current cert public-key fingerprint (SPKI SHA-256)
- Historical certs in CT logs
- Multiple CA issuers in history
- Most recent CT entry
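The list above names the checks; the Go program below is an added example of how the three certificate-level ones are computed, not the tool's own code. It builds a constructed history of self-signed leaf certs with Go's standard `crypto/x509`, then buckets the current cert's lifetime (adding the 200-day SC-081 ceiling as a second cut-off beside the legacy 397/398-day one), derives the SPKI SHA-256 fingerprint, counts how many earlier certs were issued for the same key, and flags SAN bloat. The `sanBloatThreshold` value, the `example.test` names and the finding wording are assumptions; a real audit would feed it the leaf from a TLS handshake and the earlier certs downloaded from crt.sh.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// sanBloatThreshold is an assumed example cut-off; the page gives no number.
const sanBloatThreshold = 20
type Finding struct{ Severity, Text string }

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// spkiFingerprint hashes the DER SubjectPublicKeyInfo: two certs with the same
// value were issued for the same private key, whatever serial or issuer they carry.
func spkiFingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

func lifetimeDays(c *x509.Certificate) int {
	return int(c.NotAfter.Sub(c.NotBefore).Hours() / 24)
}

// keyReuse counts earlier certs in the history that share the current SPKI.
func keyReuse(cur *x509.Certificate, history []*x509.Certificate) (n int) {
	for _, h := range history {
		if spkiFingerprint(h) == spkiFingerprint(cur) {
			n++
		}
	}
	return n
}

// auditCert runs the lifetime, key-reuse and SAN checks on one leaf and returns
// findings in that order (lifetime first, then the SPKI info line).
func auditCert(cur *x509.Certificate, history []*x509.Certificate) []Finding {
	d, sev := lifetimeDays(cur), "pass"
	switch {
	case d > 397: // legacy browser ceiling (398 days, enforced since 2020)
		sev = "critical"
	case d > 200: // CA/Browser Forum SC-081 ceiling for certs issued from 15 March 2026
		sev = "warn"
	}
	out := []Finding{
		{sev, fmt.Sprintf("lifetime %dd (ceilings: 200d SC-081, 397d legacy)", d)},
		{"info", "SPKI SHA-256 " + spkiFingerprint(cur)},
	}
	if n := keyReuse(cur, history); n > 0 {
		out = append(out, Finding{"warn", fmt.Sprintf("public key reused from %d earlier cert(s); generate a fresh key at next renewal", n)})
	}
	if n := len(cur.DNSNames) + len(cur.IPAddresses); n > sanBloatThreshold {
		out = append(out, Finding{"warn", fmt.Sprintf("SAN bloat: %d names on one cert", n)})
	}
	return out
}

// mkCert builds a constructed, self-signed leaf; a real audit takes the leaf from the handshake.
func mkCert(key *ecdsa.PrivateKey, serial int64, days int, sans []string) *x509.Certificate {
	start := time.Date(2026, 1, 1, 0, 0, 0, 0, time.UTC)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: sans[0]},
		NotBefore:    start,
		NotAfter:     start.AddDate(0, 0, days),
		DNSNames:     sans,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// demoCerts: a 400-day current cert on the same key as two earlier 90-day certs, with one SAN too many.
func demoCerts() (cur *x509.Certificate, history []*x509.Certificate) {
	reusedKey := newKey()
	sans := []string{"www.example.test"}
	for i := 0; i < sanBloatThreshold; i++ {
		sans = append(sans, fmt.Sprintf("svc%d.example.test", i))
	}
	history = []*x509.Certificate{
		mkCert(reusedKey, 2, 90, sans[:1]),
		mkCert(reusedKey, 3, 90, sans[:1]),
	}
	return mkCert(reusedKey, 4, 400, sans), history
}

func main() { fmt.Printf("%+v\n", auditCert(demoCerts())) }
```

The SPKI comparison is the part worth copying: hashing `RawSubjectPublicKeyInfo` rather than the whole certificate makes renewals comparable even when serial, issuer and validity all changed, which is exactly the case where a team believes it rotated but only re-signed the same CSR.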

## Why this dimension matters

NIST finalized post-quantum cryptography standards in 2024 (FIPS 203 = ML-KEM, FIPS 204 = ML-DSA, FIPS 205 = SLH-DSA). CNSA 2.0 requires US national-security systems to be on PQC by 2035. On the wire, hybrid classical+PQ key exchange (X25519 paired with ML-KEM) is already on by default in major browsers and CDNs; PQ certificate signatures are further behind, because publicly trusted CAs do not yet issue ML-DSA or SLH-DSA certs. That ordering matters for this audit: the certificate layer will change last, so the discipline it needs now is short lifetimes, automated renewal and a fresh key at every renewal. Sites that audit their current TLS / DNSSEC / code-signing posture today can migrate incrementally; sites that wait face a forklift migration.

## Common failure patterns

- **TLS cert issued for > 398 days** — browsers have rejected publicly trusted certs with more than 398 days of validity since September 2020, and CA/Browser Forum ballot SC-081 lowers the ceiling to 200 days for certs issued from 15 March 2026, 100 days from March 2027 and 47 days from March 2029. Audits still find long-dated certs on legacy systems; a public cert over the limit is rejected the moment it is presented, not at renewal, and the yearly manual-renewal runbook behind it no longer fits inside the new ceilings.
- **RSA-2048 signatures when the CA supports ECDSA P-256** — ECDSA handshakes are faster and the certificates smaller, and P-256 gives at least the security margin of RSA-2048. Neither survives a cryptographically relevant quantum computer, so the PQC argument for switching is operational rather than mathematical: moving to ECDSA forces you to build the key-rotation and algorithm-agility plumbing (ACME automation, a new key pair per renewal, server configs that can serve more than one chain) that the later move to ML-DSA will reuse.
- **DNSSEC with RSASHA1 (algorithm 5) or RSASHA1-NSEC3-SHA1 (7)** — deprecated for signing since 2019 (RFC 8624). Rekey to RSASHA256 (8) at minimum, preferably ECDSAP256SHA256 (13) or Ed25519 (15), which also produce far smaller responses.
- **Code-signing with SHA-1 or MD5** — trust stores have been rejecting these since 2017. Legacy MSI installers and Linux package signatures are the most common offenders.

## How to fix it at the source

Run a TLS / DNSSEC / code-signing inventory today. For TLS: use short-lived certs (Let's Encrypt's 90-day default already sits under every SC-081 step until March 2029) and automate renewal via ACME, generating a fresh key pair on each renewal rather than re-signing the old CSR. For DNSSEC: rekey to ECDSAP256SHA256 (13) or Ed25519 (15). For PQC readiness: OpenSSL 3.5 and BoringSSL already ship ML-KEM, so enable the hybrid X25519MLKEM768 key-exchange group on your edge rather than waiting; Cloudflare turned on hybrid PQ key exchange for all customers in 2023, and AWS added it to several service endpoints in 2024. Certificate signatures stay classical for now: no publicly trusted CA issues ML-DSA certs yet, so the cert-side preparation is key hygiene, not a new algorithm.
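Building the TLS half of that inventory starts with what Certificate Transparency already records about a name. The Go function below is an added example, not the tool's or crt.sh's code: it parses the JSON that crt.sh returns for `?q=<name>&output=json` (the `issuer_name`, `name_value`, `entry_timestamp` and `serial_number` fields as crt.sh emits them), collapses precert and leaf rows that share a serial, and produces the same history findings the audit lists (historical cert count, multiple issuers, most recent entry, and the "crt.sh returned no rows" warning). It goes one step past the tool's listed findings by also reporting names seen in CT that the current cert no longer covers, which is how forgotten hosts surface during an inventory. The rows in `sampleCT` are constructed, so it runs offline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
	"time"
)

// ctRow carries the crt.sh JSON fields this summary uses (?q=<name>&output=json).
type ctRow struct {
	ID             int64  `json:"id"`
	IssuerName     string `json:"issuer_name"`
	NameValue      string `json:"name_value"` // newline-separated SANs
	EntryTimestamp string `json:"entry_timestamp"`
	NotBefore      string `json:"not_before"`
	NotAfter       string `json:"not_after"`
	SerialNumber   string `json:"serial_number"`
}

type Finding struct{ Severity, Text string }

type CTSummary struct {
	Certs        int      // unique by serial, so precert + leaf rows collapse
	Issuers      []string // sorted distinct issuer DNs
	Latest       string   // most recent entry_timestamp
	UnknownNames []string // names in CT history that the current cert no longer covers
}

const ctLayout = "2006-01-02T15:04:05" // crt.sh timestamps carry no zone

// summarizeCT turns raw crt.sh JSON into the audit's CT findings. An empty
// result set is itself a warning: either the name never had a public cert
// or the query failed open.
func summarizeCT(raw []byte, currentSANs []string) (CTSummary, []Finding, error) {
	var rows []ctRow
	if err := json.Unmarshal(raw, &rows); err != nil {
		return CTSummary{}, nil, err
	}
	if len(rows) == 0 {
		return CTSummary{}, []Finding{{"warn", "crt.sh returned no rows"}}, nil
	}
	current := map[string]bool{}
	for _, n := range currentSANs {
		current[strings.ToLower(n)] = true
	}
	serials, issuers, unknown := map[string]bool{}, map[string]bool{}, map[string]bool{}
	var latest time.Time
	for _, r := range rows {
		serials[r.SerialNumber] = true
		issuers[r.IssuerName] = true
		if ts, err := time.Parse(ctLayout, r.EntryTimestamp); err == nil && ts.After(latest) {
			latest = ts
		}
		for _, n := range strings.Split(r.NameValue, "\n") {
			if n = strings.ToLower(strings.TrimSpace(n)); n != "" && !current[n] {
				unknown[n] = true
			}
		}
	}
	s := CTSummary{len(serials), keys(issuers), latest.Format(ctLayout), keys(unknown)}
	fs := []Finding{
		{"info", fmt.Sprintf("Historical certs in CT logs: %d", s.Certs)},
		{"info", "Most recent CT entry: " + s.Latest},
	}
	if len(s.Issuers) > 1 {
		fs = append(fs, Finding{"info", "Multiple CA issuers in history: " + strings.Join(s.Issuers, " | ")})
	}
	if len(s.UnknownNames) > 0 {
		fs = append(fs, Finding{"warn", "CT names not on the current cert (forgotten hosts?): " + strings.Join(s.UnknownNames, ", ")})
	}
	return s, fs, nil
}

func keys(m map[string]bool) []string {
	out := make([]string, 0, len(m))
	for k := range m {
		out = append(out, k)
	}
	sort.Strings(out)
	return out
}

// sampleCT is constructed to look like crt.sh output; it is not live data.
// Rows 101 and 102 are the precert and leaf of one issuance (same serial).
const sampleCT = `[
 {"id":101,"issuer_name":"C=US, O=Let's Encrypt, CN=R11","common_name":"www.example.test","name_value":"www.example.test\nexample.test","entry_timestamp":"2025-12-01T09:15:00.123","not_before":"2025-12-01T08:15:00","not_after":"2026-03-01T08:15:00","serial_number":"03aa01"},
 {"id":102,"issuer_name":"C=US, O=Let's Encrypt, CN=R11","common_name":"www.example.test","name_value":"www.example.test\nexample.test","entry_timestamp":"2025-12-01T09:15:02.456","not_before":"2025-12-01T08:15:00","not_after":"2026-03-01T08:15:00","serial_number":"03aa01"},
 {"id":103,"issuer_name":"C=US, O=Google Trust Services, CN=WE1","common_name":"old-api.example.test","name_value":"old-api.example.test","entry_timestamp":"2025-06-10T12:00:00","not_before":"2025-06-10T11:00:00","not_after":"2025-09-08T11:00:00","serial_number":"7f0c"},
 {"id":104,"issuer_name":"C=US, O=Let's Encrypt, CN=R11","common_name":"www.example.test","name_value":"www.example.test\nexample.test","entry_timestamp":"2026-03-02T08:00:00","not_before":"2026-03-02T07:00:00","not_after":"2026-05-31T07:00:00","serial_number":"03bb02"}
]`

func main() {
	s, fs, err := summarizeCT([]byte(sampleCT), []string{"www.example.test", "example.test"})
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", s)
	for _, f := range fs {
		fmt.Printf("[%s] %s\n", f.Severity, f.Text)
	}
}
```

Deduplicating on serial number matters because crt.sh logs the precertificate and the final certificate as separate rows; counting both doubles the apparent issuance rate and hides genuine renewals behind noise.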

## Thresholds that matter

| Signal | Target |
|---|---|
| TLS cert lifetime | ≤ 200 days for certs issued from 15 March 2026 (CA/Browser Forum SC-081; 100 days from March 2027, 47 days from March 2029; 398 days was the browser-enforced ceiling before). Optimal: 90 days via Let's Encrypt + ACME automation, with a fresh key each renewal. |
| DNSSEC algorithm | ECDSAP256SHA256 (13) or Ed25519 (15). RSASHA1 (5) is deprecated. |
| Code-signing hash | SHA-256 or SHA-384. SHA-1 and MD5 are rejected by every major trust store. |
| TLS minimum version | 1.2 minimum, 1.3 preferred. Disable 1.0 and 1.1. |

## When to run the audit

- After a major site change — redesign, CMS migration, DNS change, hosting platform swap.
- Quarterly as part of routine technical hygiene; the checks are cheap to run repeatedly.
- Before an investor / client review, a PCI scan, a SOC 2 audit, or an accessibility-compliance review.
- When a downstream metric drops (rankings, conversion, AI citations) and you need to rule out this dimension as the cause.

## Reading the output

Every finding is severity-classified. The playbook is the same across tools:

- **Critical / red** — same-week fixes. These block the primary signal and cascade into downstream dimensions.
- **Warning / amber** — same-month fixes. Drag the score, usually don't block.
- **Info / blue** — context only. Often what a PR reviewer would flag but that doesn't block merge.
- **Pass / green** — confirmation. Keep the control in place.

Every audit also emits an "AI fix prompt" — paste into ChatGPT / Claude / Gemini for exact copy-paste code patches tied to your specific stack.

## Related tools in this family

- **[Mega Security Analyzer](/tools/mega-security-analyzer/)** — run this first — crypto is one of 7 layers it scores.
- **[DNSSEC PQC Posture Audit](/tools/dnssec-pqc-posture-audit/)** — inventories DNSSEC algorithms per zone + flags deprecated ones.
- **[PQC Migration Plan Generator](/tools/pqc-migration-plan-generator/)** — emits a per-asset migration roadmap from classical to post-quantum.
- **[Code Signing Trust Audit](/tools/code-signing-trust-audit/)** — audits installer + package signatures across common trust stores.

## Fact-check notes and sources

- NIST: [FIPS 203 (ML-KEM)](https://csrc.nist.gov/pubs/fips/203/final), [FIPS 204 (ML-DSA)](https://csrc.nist.gov/pubs/fips/204/final), [FIPS 205 (SLH-DSA)](https://csrc.nist.gov/pubs/fips/205/final)
- CNSA 2.0: [NSA commercial suite announcement](https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/3148990/)
- Cloudflare: [Post-quantum for TLS in production (2023)](https://blog.cloudflare.com/post-quantum-for-all/)
- Let's Encrypt: [Certificate lifetime and compatibility](https://letsencrypt.org/docs/certificate-compatibility/)

*This post is informational and not a substitute for professional consulting. Mentions of third-party platforms in the tool itself are nominative fair use. No affiliation is implied.*


---

Canonical HTML: https://jwatte.com/blog/blog-tool-cert-lifecycle-audit/
RSS: https://jwatte.com/feed.xml
JSON Feed: https://jwatte.com/feed.json
Hero image: https://jwatte.com/images/blog-tool-cert-lifecycle-audit.webp
