Linux: Tips n Tricks: 2026

Tuesday, April 14, 2026

Certificate Changes in 2026: My Full Linux Admin Blog Series

A complete series covering TLS basics, DigiCert trust changes, certificate lifetime reductions, and automation for Linux users.

Introduction

Over the past few posts, I have covered the basics of TLS certificates, the DigiCert trust-chain changes affecting older hierarchies, the real certificate validity timeline, and practical automation steps for Linux admins.

Full series

This is a good time for admins to review their live certificate chains, move away from affected old trust paths, and make renewal automation part of normal operations.

My 2026 Certificate Checklist for Linux Admins and Website Owners

Part 6 of 6

A practical 2026 checklist for TLS certificate trust changes, DigiCert chain updates, automation, and monitoring.

Introduction

If you do not want all the background detail and only want the practical action plan, this is the post to save.

2026 is important for two reasons: some older DigiCert trust paths are losing browser trust, and certificate lifetimes are on a path toward becoming much shorter.

The checklist

Start by listing every public HTTPS service you manage. That includes websites, blogs, reverse proxies, APIs, dashboards, VPN portals, and mail-related TLS endpoints.

Next, inspect the live certificate chain for each service. Do not assume that a non-expired certificate means everything is fine.

Then check whether any system still depends on older DigiCert G1-rooted issuance before the April 15, 2026 distrust deadline. Also review whether any affected intermediate or cross-signed certificate components need action before the published May 15, 2026 revocation event.

After that, look for custom trust logic in your environment:

pinned roots
pinned intermediates
bundled CA stores
Java keystores
container images
mobile apps
internal software that assumes a specific trust chain

Then move to renewal automation. If you still renew manually, start testing ACME-based renewal now.

Finally, add monitoring. At a minimum, monitor for:

upcoming expiry
failed renewals
unexpected chain changes
missing intermediates
service reload failures after renewal

Closing thoughts

Certificates used to be something many admins could ignore until close to expiry. That is no longer a good strategy.

The safer approach now is clear: understand the chain, update old trust paths, automate renewal, and monitor the process properly.

Series complete.

How to Automate TLS Certificate Renewals on Linux Before Short Lifetimes Become a Problem

Part 5 of 6

Shorter TLS certificate lifetimes mean manual renewal is no longer enough. Here is how Linux admins can automate renewals safely.

Introduction

Once certificate lifetimes start shrinking, the obvious question becomes: how do we keep up without turning certificate renewals into a monthly headache?

The answer is automation.

Use ACME-based renewal

Most modern certificate automation is built around ACME, the protocol used by tools such as Certbot, acme.sh, and lego.

For many Linux users, Certbot is the easiest starting point. A simple test command is:

sudo certbot renew --dry-run

This is useful because it checks whether your renewal process works before expiry becomes urgent.

Use systemd for automation

# /etc/systemd/system/tls-renew.service
[Unit]
Description=Renew TLS certificates

[Service]
Type=oneshot
ExecStart=/usr/bin/certbot renew --quiet
ExecStartPost=/bin/systemctl reload nginx.service

# /etc/systemd/system/tls-renew.timer
[Unit]
Description=Run TLS renewal twice daily

[Timer]
OnCalendar=*-*-* 03,15:00:00
RandomizedDelaySec=1h
Persistent=true

[Install]
WantedBy=timers.target

This pattern is useful because renewal becomes automatic, Nginx reloads after successful renewal, the timer spreads load with a random delay, and the system keeps working after reboots because the timer is persistent.

Choose the right validation method

HTTP-01 is often easiest for standard websites.

DNS-01 is usually needed for wildcard certificates and more complex environments.

The important mindset change is this: do not treat certificate renewal like a note on your calendar. Treat it like a routine automated operating task.

Closing thoughts

The admins who automate early will handle future certificate lifetime reductions much more easily than the ones still renewing by hand.

Are TLS Certificate Lifetimes Really Dropping to One Month? Here Is the Real Timeline

Part 4 of 6

People keep saying certificate validity is dropping from one year to one month. Here is the real public TLS timeline and what it means.

Introduction

I keep hearing the same claim: certificate validity is going from one year to one month. That is not the full story.

The real change is more gradual, but it is still a big operational shift.

The actual timeline

Before March 15, 2026: maximum validity is 398 days
From March 15, 2026: maximum validity becomes 200 days
From March 15, 2027: maximum validity becomes 100 days
From March 15, 2029: maximum validity becomes 47 days

So no, the industry is not jumping straight from one year to one month tomorrow.

Why shorter lifetimes are happening

The long-term direction is very clear: certificates will live for much shorter periods than many admins are used to.

Why is this happening? Because shorter lifetimes reduce risk. If a certificate is misissued, or a private key is compromised, or validation data becomes stale, a shorter lifetime reduces how long that problem can remain active.

What this means for Linux admins

For Linux admins and small website owners, the practical message is easy to understand:

Manual renewal might still work today. But it will become less practical every year.

Closing thoughts

The “one month” wording is not correct as an immediate change, but the bigger message is true: the future of public TLS is shorter-lived certificates and more frequent renewal.

How to Check If Your Linux Server Uses an Affected DigiCert Certificate Chain

Part 3 of 6

A practical Linux guide to inspecting TLS certificate chains with OpenSSL before DigiCert trust changes cause browser errors.

Introduction

Once you know that browser trust changes are coming, the next question is obvious: how do you check whether your own server is affected?

The good news is that Linux gives you simple tools for this. One of the easiest ways is to inspect the live TLS chain with OpenSSL.

Basic OpenSSL check

openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null

This shows the certificate chain presented by the remote server.

Save and inspect each certificate

openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null 2>/dev/null \
  | awk '/BEGIN CERTIFICATE/{i++} {print > ("cert-" i ".pem")}'

for f in cert-*.pem; do
  echo "==== $f ===="
  openssl x509 -in "$f" -noout -subject -issuer -dates
done

This helps you review each certificate in the chain and see who issued it, who it belongs to, when it starts and ends, and whether the issuer looks like an old or current DigiCert hierarchy.

Also check your web server configuration

For Nginx, the certificate file usually needs to contain the leaf certificate followed by the required intermediate certificates in the correct order.

You should also ask yourself a few questions:

Do we pin roots or intermediates anywhere?
Do we use Java keystores or custom trust stores?
Do we have containers, appliances, or internal services that assume a certain chain?

If you find that your server is still presenting an older path, the usual fix is to reissue or renew the certificate onto a supported hierarchy and then test the new chain before rolling it out.

Closing thoughts

A live certificate check takes only a few minutes, but it can save you from a very confusing browser outage later.

Why Mozilla and Chrome Are Distrusting Some Older DigiCert Certificate Chains

Part 2 of 6

Older DigiCert certificate chains are losing browser trust in 2026. Here is what is changing, who is affected, and why it matters.

Introduction

You may have heard people saying that Mozilla is no longer trusting old DigiCert certificates. That statement is directionally true, but it needs more detail.

The issue is not that DigiCert as a whole is being distrusted. The real issue is that some older DigiCert G1 root hierarchies are reaching the point where browsers will no longer trust affected TLS chains.

What is changing?

According to DigiCert, Chrome and Mozilla Firefox will stop trusting active TLS end-entity certificates chaining to certain older DigiCert G1 roots on April 15, 2026.

The affected older roots include:

DigiCert Assured ID Root CA
DigiCert Global Root CA
DigiCert High Assurance EV Root CA

This matters because a certificate can still look perfectly fine from an expiry-date point of view and still fail in modern browsers if the trust chain behind it is no longer accepted.

Who is most likely to be affected?

DigiCert moved default public TLS issuance to newer hierarchies in March 2023, so many customers may already be fine. The environments most likely to need attention are the ones that still use older issuance paths, pin specific intermediates or roots, maintain private or custom trust stores, or hard-code trust assumptions into software, appliances, or containers.

There is also another important date. DigiCert has published revocation plans for several G2 and G3 intermediates, plus two G5 cross-signed roots, for May 15, 2026. If a system still depends on one of those components, certificate validation can fail even if the leaf certificate itself is still within date.

What this really means

Do not only check whether your certificate is expired. Check whether the full chain behind it is still trusted.

TLS Certificates Explained Simply: A Beginner-Friendly Guide for Linux Users

Part 1 of 6

A simple guide to TLS certificates, certificate chains, root CAs, and intermediates for Linux users, website owners, and beginners.

Introduction

If you run a blog, website, reverse proxy, API, mail server, or admin panel, you are already depending on TLS certificates. Many people use them every day without fully understanding how they work. That is normal. But with browser trust changes and shorter certificate lifetimes becoming more important, this is a good time to learn the basics.

When a visitor opens your site over HTTPS, their browser checks a few things. It checks whether the certificate matches the domain name, whether the certificate is still valid by date, and whether it chains back to a trusted root CA.

What is a certificate chain?

A simple way to think about it is this:

The leaf certificate is the certificate installed on your website or server.
The intermediate certificate is the certificate that issued your server certificate.
The root certificate is the trust anchor already stored in the browser or operating system.

The root certificate is usually not something you install on your web server. The browser or operating system already has it in its trust store. What your server usually needs is the correct server certificate and the correct intermediate certificate.

Why certificate problems happen

Certificate errors are not always caused by expiry. A site can break because the intermediate certificate is missing, the chain is incomplete, the browser no longer trusts the root behind the chain, or the wrong certificate files were installed on the server.

For Linux users, the important lesson is simple: a TLS certificate is not just one file. It is part of a trust chain, and that full chain matters.

Closing thoughts

If you have ever wondered why one browser says a site is secure while another complains, the answer is often somewhere in the certificate chain.