DEV Community

James Miller
James Miller

Posted on

Free SSL Certificates Are Now 90 Days — Can Your Ops Workflow Keep Up?

#programming #webdev #security #ssl

Over the last few years, the TLS/SSL ecosystem has quietly shifted. Major browsers, cloud providers, and CAs have been pushing certificate lifetimes shorter and shorter. What used to be a one‑year free certificate is rapidly becoming a 90‑day (or even shorter) reality.

On paper, shorter lifetimes improve security by shrinking the window for key compromise. In practice, for teams that don’t have world‑class automation, this change can explode operational complexity and risk.

This post looks at what 90‑day free certs really mean for your ops, why many teams are reconsidering paid options, and how tools like ServBay’s SSL certificate features can give you the “set it and forget it” experience without breaking the budget.

1. 90‑Day Certs = Higher Management Overhead

If you only manage a single personal blog, renewing every 90 days might be “fine.” But once you deal with multiple domains, environments, and services, the math changes.

  • More frequent renewals → more monitoring, more scripts, more moving parts.
  • Each renewal becomes another potential failure point: DNS, ACME client, cron jobs, CI pipeline, reverse proxies…

For teams with dozens or hundreds of certificates, going from 1‑year to 90‑day validity doesn’t just “triple the clicks.” It multiplies the number of renewal events you must get right every single time.

2. Change Frequency = Risk Frequency

In ops, every change is a chance to break production.

Moving to 90‑day certs effectively multiplies the number of certificate‑related changes per year:

  • Misconfigured ACME/renewal scripts.
  • Failed deployments that never copied the new cert.
  • Load balancers or edge proxies pointing to old files.
  • Staging works, production silently fails.

And if monitoring misses just one cert?

  • Browsers start throwing scary red warnings.
  • Users hesitate to proceed, or bounce entirely.
  • Trust in your brand takes a very public hit.

The security gains from shorter validity are real—but so are the operational risks if your automation isn’t bulletproof.

3. The Long Tail: SMEs and Solo Developers

Big tech companies with mature DevOps can absorb this: they already have robust ACME pipelines, centralized cert inventory, and SREs on rotation.

Small and mid‑sized teams, freelancers, and indie hackers often don’t:

  • No dedicated security engineer just for certificates.
  • Patchwork infrastructure (shared hosting here, a VPS there, some managed Kubernetes in between).
  • Legacy services that can’t easily plug into modern ACME flows.

For them, the choice becomes:

  • Sink time into building and maintaining a DIY renewal pipeline (with all the edge cases).
  • Or accept the real risk of downtime and ugly browser warnings.

Neither option feels great.

4. Paid Certificates: Historically Safe, Financially Painful

The “classic” answer is: “Just buy a 1‑year cert from a commercial CA.”

That does solve some problems:

  • Fewer renewals (1× per year instead of 4× or more).
  • Often better support and tooling.
  • Easier to schedule maintenance windows.

But traditional pricing is painful, especially at scale:

  • Single‑domain DV certs often cost the equivalent of $30–$100/year.
  • Wildcard certs can easily exceed $150–$300/year.
  • Agencies and teams managing many domains can burn through thousands annually.

For side projects, small SaaS products, and internal tools, that price tag is hard to justify.

5. A Different Approach: Cheap 1‑Year Certs + Integrated Management

This is where a more developer‑centric approach makes sense: bring down the cost of 1‑year DV certs, and pair them with tools that actually help you manage them.

ServBay’s new SSL store is one example of this model:

  • DV Single (1 domain): $2.99/year Lock in a full year of HTTPS for less than the cost of a snack.
  • DV Wildcard: $39/year One certificate covers example.com, api.example.com, admin.example.com, staging.example.com, etc.

Instead of paying a premium for the “privilege” of longer certs, you get:

  • The reduced operational risk of 1‑year validity.
  • Prices that are realistic even for side projects and small teams.
  • Integration with a dev‑oriented platform that already understands web stacks.

6. Launch Perk: Free 1‑Year DV Certs for Early Users

To kick off the store, ServBay has pre‑purchased a batch of 1‑year DV certificates and is giving away 1,000 of them for free:

  • Limit: 1 certificate per ServBay user.
  • First‑come, first‑served.
  • Ideal if you want to:
    • Migrate at least one production/staging site away from 90‑day renewal stress.
    • Try the workflow without committing budget.

For anyone who’s ever lost a day to debugging “suddenly invalid” HTTPS, that’s not just a nice freebie—it’s a very low‑friction way to de‑risk at least one critical endpoint.

7. When Does This Make Sense?

Using 1‑year DV certs from a developer‑friendly store is especially attractive if:

  • You maintain multiple domains or subdomains and don’t have a fully automated PKI.
  • You’ve been burned by failed Let’s Encrypt auto‑renewals before.
  • You want a predictable, low‑maintenance setup for client sites.
  • You’re building internal tools, admin panels, or APIs where downtime is costly.

You can still use free 90‑day certs where they make sense (temporary environments, experiments, etc.), and reserve the 1‑year certs for:

  • Production.
  • High‑traffic marketing sites.
  • Critical customer‑facing services.

8. Ops Reality Check

The industry’s move toward shorter certificate lifetimes isn’t going to reverse. Long term, everyone will need robust automation and visibility over their TLS inventory.

But we’re not all there yet.

If your current stack or team size means that 90‑day certs feel like a ticking time bomb, it’s perfectly reasonable to:

  • Buy yourself stability with long‑lived DV certs.
  • Keep costs sane with more developer‑friendly pricing.
  • Gradually improve your automation without betting your uptime on it.

If that sounds like you, it’s worth taking a serious look at how tools like ServBay handle SSL certificate issuance, renewal, and local CA management—they’re designed precisely to reduce the “cert babysitting” burden that 90‑day lifetimes make worse.

Shorter lifetimes make sense for security—but they push more complexity onto ops. Until your automation is mature enough to handle a flood of renewals safely, mixing in affordable 1‑year DV and wildcard certs is one of the simplest ways to keep your HTTPS story both safe and sane.

Top comments (0)