The Register Home Page


New SSL/TLS certs to each live no longer than 47 days by 2029

Anonymous Coward

Re: Why not...

Man, people here are getting cynical...which is somewhat understandable, but in this case...probably not justified. Yes, TLS is the boogeyman for a lot of sysadmins, yes you can cause a lot of damage if you don't know what you're doing and yes it can be expensive depending on your requirements...but I don't think this is a cash grab.

I think a large proportion of TLS certs out there are free these days...this is just an admin headache if you manage your own certs...if you use CDNs like Cloudflare, Akamai et al, this won't make a difference at all.

I think getting rid of the old 5+ year certs is actually a good thing...because it means systems won't be left to rot for as long with older versions of TLS and we'll see swifter action on upgrading / switching ciphers etc. The problem with long term certs is you end up with systems running outdated ciphers or an older version of TLS for longer than they should...getting away from TLS 1.1 was a massive pain in the ass and to a certain extent it is still in wide use...particularly on smart devices like TVs etc...isn't that right...AMAZON?! With your shitty old fork of Android.

It's not uncommon to find a cert renewal job that quickly turns into a full migration because you can no longer get supported certs for an old platform, which is one of the reasons I quite like doing certificate updates...it's a hidden gold mine that can lead to a lot of additional and crucially, chargeable work.

I do a lot of freelance stuff involving TLS/SSL (because for some reason, it's work that nobody wants to touch because I think it's still, even now when it's never been easier, seen as something of a dark art). Bosses freak out about it because a lot of them will have a memory of a certificate deployment / upgrade that went horribly wrong at some point and have flashbacks to errors that were confusing and difficult to decipher (natch)..."UNSUPPORTED CIPHER", "UNSUPPORTED BIT LENGTH", "CA ROOT CERTIFICATE INVALID", "KEY/CERT MISMATCH", "CANONICAL NAME / OU DOES NOT MATCH" etc etc etc...all really dumb problems and easy to fix, but with scary and jargon filled errors.

It's crazy how much you can charge to roll out / update TLS for folks. It's not as much money as it used to be, pre-pandemic you could charge easily £300-£400 just to properly configure TLS and roll out a cert on Apache / NGINX...mostly because you have that wicked scary combo for your typical sysadmin, it's Linux, Apache/NGINX and TLS all rolled into one spooky scary package and it's usually on a production setup with perceived risk of downtime, it's a lot of potential damage in a very short space of time if you fuck it up (which is actually quite difficult to do these days)...this is why hardly anyone takes those jobs, I very rarely have competition for them, sometimes I'll see the same names popping up dropping quotes on various sites, like a half dozen folks, one in particular (whom I've never met, I seem to follow around like a shadow, mopping up his messes)...you can still easily get between £100-£200. To be clear, for that money, I'd usually automate the process so the customer never has to think about it again or implement some kind of CDN in front of their web service with a 10-15 year origin certificate so they never have to worry about certs expiring...so it's not like I'm charging a hefty fee once a year.

I think professionally the industry has been somewhat turning a corner as well, because I know of quite a few folks that have been fired for actively avoiding Linux / NGINX / Apache stuff particularly involving certs...because I've been the one to step in and take over their role on a contract basis either as part of a wider team for larger companies or simply taking over the entire tech / architecture role at a smaller company...because paying someone like me £400 a month for essentially the same service without the hassle of having someone hanging around the office 5 days a week with a scheduled weekly/fortnightly site visit is preferable. That said, those that work on their Linux skills rarely get fired and replaced in this way...because they are difficult to replace...you can find cheaper contractors of course, but the skillset is still relatively uncommon...and there is still risk with contractors, because not all of them are on the ball all the time...I've never been ejected from a contract, it's usually my choice to leave either because I've gone an extended period without being able to raise my rates or I can see the company is running out of cash and I'll soon be in a position where I'm supporting a dying infrastructure that I can't do anything about without some investment in kit etc and I don't want to be there when it dies...but there are a lot of contractors that regularly get ejected for being crap, lazy, difficult to contact particularly out of hours, vanishing on holiday without notifying anyone, being a literal one man band with no backup cover / partner contractor, having no insurance etc...there are plenty of ways to fuck it up.
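The "dumb problems" the post lists (key/cert mismatch, a name the cert does not cover) and the expiry window that a 47-day lifetime leaves for a renewal job can all be caught before a cert is wired into a vhost. The script below is an added example, not code from the commenter or from The Register: a pre-deployment check built on nothing but openssl(1). The hostnames (example.test, api.example.test), file names and the 30-day fixture cert are constructed for the demonstration; `-addext` in the fixture assumes OpenSSL 1.1.1 or newer. SAN matching is exact (no wildcard handling), which is deliberate so a `*.example.test` cert is not silently accepted for the apex.

```shell
#!/bin/sh
# Added example (not the post's code): sanity-check a key/certificate pair
# before deploying it. Three checks, one per failure the post calls common
# but easy to fix, plus an expiry window for short-lived certs.

# key_matches_cert KEY CERT: exit 0 if the private key's public half is the
# SubjectPublicKeyInfo in the certificate. Both sides are emitted as PEM by
# openssl and compared as text; a missing/unreadable key yields "" and fails.
key_matches_cert() {
    kmc_key=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    kmc_crt=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$kmc_key" ] && [ "$kmc_key" = "$kmc_crt" ]
}

# cert_has_name CERT HOST: exit 0 if HOST appears verbatim as a DNS entry in
# subjectAltName (browsers ignore the CN, so the CN is not consulted here).
cert_has_name() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -o 'DNS:[^, ]*' | sed 's/^DNS://' | grep -qx "$2"
}

# cert_valid_for_days CERT DAYS: exit 0 if the cert is still valid DAYS from
# now. -checkend takes seconds and exits 1 once expiry falls inside the window.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# check_deploy KEY CERT HOST MIN_DAYS: run all checks, print a one-line verdict
# per check, and return the number of failures (0 means safe to deploy).
check_deploy() {
    cd_fail=0
    if key_matches_cert "$1" "$2"; then echo "ok   key matches certificate"
    else echo "FAIL key/cert mismatch: $1 does not belong to $2"; cd_fail=$((cd_fail + 1)); fi
    if cert_has_name "$2" "$3"; then echo "ok   certificate covers $3"
    else echo "FAIL name mismatch: $3 not in subjectAltName of $2"; cd_fail=$((cd_fail + 1)); fi
    if cert_valid_for_days "$2" "$4"; then echo "ok   certificate valid for at least $4 more days"
    else echo "FAIL certificate expires within $4 days or is unreadable: $2"; cd_fail=$((cd_fail + 1)); fi
    return $cd_fail
}

# make_fixture DIR: constructed test material, not a real deployment. A P-256
# key with a 30-day self-signed cert for example.test / www.example.test, and
# an unrelated second key to provoke the mismatch case.
make_fixture() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out "$1/good.key" 2>/dev/null
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out "$1/other.key" 2>/dev/null
    openssl req -x509 -new -key "$1/good.key" -out "$1/good.crt" -days 30 \
        -subj '/CN=example.test' \
        -addext 'subjectAltName=DNS:example.test,DNS:www.example.test' 2>/dev/null
}

# Demo on the constructed fixture: a correct pair with a 14-day window, then
# the wrong key, an uncovered host and a 47-day window against a 30-day cert.
demo_dir=$(mktemp -d)
make_fixture "$demo_dir"
echo "== correct pair, 14-day window =="
check_deploy "$demo_dir/good.key" "$demo_dir/good.crt" example.test 14 || echo "-> $? problem(s)"
echo "== wrong key, wrong host, 47-day window =="
check_deploy "$demo_dir/other.key" "$demo_dir/good.crt" api.example.test 47 || echo "-> $? problem(s)"
rm -rf "$demo_dir"
```

Drop the demo lines and call `check_deploy /etc/ssl/private/site.key /etc/ssl/certs/site.crt www.example.test 14` from the renewal job; a non-zero return is the signal to abort the reload rather than find out from the error page.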
