ARI, a Let's Encrypt extension to coordinate certificate renewals

Let's Encrypt

Let's Encrypt is a certificate authority that provides free X.509 certificates

Recently Let's Encrypt, a non-commercial, community-controlled CA that provides certificates at no cost to everyone, announced that its infrastructure now supports ARI (ACME Renewal Information), an extension of the ACME protocol that lets the CA tell the client when its certificates need to be renewed and recommend the best time to do so.

The ARI specification is going through the standardization process of the IETF (Internet Engineering Task Force), the body that develops Internet protocols and architecture, and is currently at the draft review stage.

ARI is being standardized at the IETF, a process that began with an email from Let's Encrypt engineer Roland Shoemaker in March 2020. In September 2021, Let's Encrypt engineer Aaron Gable submitted the first draft to the IETF ACME working group, and now ARI is in production. The next step is for ACME clients to start supporting ARI, a process Let's Encrypt plans to help with as best it can in the coming months.

Before the introduction of ARI, the client itself determined the certificate renewal policy, for example by periodically executing the renewal process through cron, or by deciding based on how much of the certificate's validity period remained.

This approach created difficulties when certificates had to be revoked prematurely: for example, users had to be contacted by email and asked to perform a manual renewal.

The Let's Encrypt team is excited to announce that ACME Renewal Information (ARI) is in production! ARI makes it possible for our subscribers to handle certificate revocation and renewal as easily and automatically as the process of obtaining a certificate in the first place.

With ARI, Let's Encrypt can signal ACME clients when to renew certificates. In the normal case of a certificate with a validity of 90 days, ARI could indicate renewal at 60 days. If Let's Encrypt needs to revoke a certificate for any reason, ARI may indicate that the renewal must be done before the revocation. This means that even in extenuating circumstances, the renewal can be done in a fully automated way without interrupting the subscriber's services.

The ARI extension is notable because the client obtains a recommended renewal window from the CA, including one that precedes a planned revocation, so it is no longer tied to the 90-day certificate lifetime and does not have to worry about missing an unscheduled certificate revocation.

The Let's Encrypt blog post also mentions a couple of additional benefits of ARI, both for Let's Encrypt and for its users:

First, we can use ARI to help modulate renewals as needed to avoid load spikes on the Let's Encrypt infrastructure (of course, subscribers can still renew whenever they want or need to, as ARI is merely a signal or suggestion). Second, ARI can be used to set subscribers up for success in terms of ideal renewal times should Let's Encrypt offer even shorter-lived certificates in the future.

For example, in the case of an early revocation signalled via ARI, the renewal could be triggered at 60 days instead of 90. Additionally, ARI lets Let's Encrypt smooth the peak load on its servers, since the moment of renewal can be chosen based on the load of the infrastructure.

If the client receives no response, or receives an invalid one (for example, an end timestamp that is equal to or earlier than the start timestamp), it falls back to its own determination of when to renew the certificate, and it can also retry the request for renewal information later.
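As an added illustration (this is not code from the article, from Let's Encrypt, or from any ACME client), the following shows how a client might consume an ARI renewalInfo response along the lines described above: the JSON shape (a `suggestedWindow` with `start` and `end`, plus an optional `explanationURL`) follows the ARI draft; the sample responses, the certificate dates, the 2/3-of-lifetime fallback and the function names are constructed assumptions. The selection logic picks a uniformly random point inside the suggested window (spreading load on the CA), renews immediately when the window has already opened or passed (as it would ahead of a revocation), and ignores missing or invalid windows.

```python
import json
import random
from datetime import datetime, timedelta, timezone

# Constructed sample values (not real Let's Encrypt data): a 90-day certificate
# and a renewalInfo response whose suggested window opens on day 60.
SAMPLE_NOT_BEFORE = datetime(2024, 4, 2, tzinfo=timezone.utc)
SAMPLE_NOT_AFTER = SAMPLE_NOT_BEFORE + timedelta(days=90)  # 2024-07-01
SAMPLE_NOW = datetime(2024, 5, 1, tzinfo=timezone.utc)
SAMPLE_ARI_RESPONSE = json.dumps({
    "suggestedWindow": {"start": "2024-06-01T00:00:00Z", "end": "2024-06-03T00:00:00Z"},
    "explanationURL": "https://example.invalid/ari",  # placeholder URL
})
# Constructed response signalling an upcoming revocation: the window is already past.
SAMPLE_REVOCATION_RESPONSE = json.dumps({
    "suggestedWindow": {"start": "2024-04-20T00:00:00Z", "end": "2024-04-21T00:00:00Z"},
})
# Constructed malformed response: end is earlier than start, so it must be ignored.
SAMPLE_BAD_RESPONSE = json.dumps({
    "suggestedWindow": {"start": "2024-06-03T00:00:00Z", "end": "2024-06-01T00:00:00Z"},
})


def _parse_ts(value):
    """Parse an RFC 3339 timestamp such as 2024-06-01T00:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_suggested_window(body):
    """Return (start, end) from a renewalInfo body, or None when the body is
    missing, unparsable, lacks the fields, or has end <= start."""
    try:
        window = json.loads(body)["suggestedWindow"]
        start = _parse_ts(window["start"])
        end = _parse_ts(window["end"])
    except (ValueError, KeyError, TypeError):
        return None
    if end <= start:
        return None
    return start, end


def choose_renewal_time(ari_body, not_before, not_after, now, fraction=None):
    """Decide when to renew. Returns (datetime, reason).

    fraction (0..1) fixes the position inside the window; None draws it at random.
    """
    window = parse_suggested_window(ari_body)
    if window is None:
        # Client's own policy when ARI is unavailable or invalid (assumed here:
        # renew at two thirds of the lifetime, i.e. day 60 of a 90-day cert).
        return not_before + (not_after - not_before) * 2 / 3, "fallback"
    start, end = window
    if start <= now:
        # Window already open or in the past (e.g. the CA is about to revoke): renew now.
        return now, "ari-immediate"
    if fraction is None:
        fraction = random.random()  # uniform point in the window spreads CA load
    return start + (end - start) * fraction, "ari-window"


if __name__ == "__main__":
    for label, body in (("normal", SAMPLE_ARI_RESPONSE),
                        ("revocation", SAMPLE_REVOCATION_RESPONSE),
                        ("invalid", SAMPLE_BAD_RESPONSE),
                        ("no response", None)):
        when, why = choose_renewal_time(body, SAMPLE_NOT_BEFORE, SAMPLE_NOT_AFTER, SAMPLE_NOW)
        print(f"{label:12s} -> renew at {when.isoformat()} ({why})")
```

In a real client the body would come from the `renewalInfo` URL advertised in the ACME directory, and the decision would be re-evaluated on each scheduled run rather than computed once, so that a later response announcing a revocation is acted on.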

Finally, if you are interested in learning more about it, you can check the details at the following link
