> On 08 Mar 2017, at 14:19, Hanno Böck <[email protected]> wrote:
> 
> What you should do is to request a new cert with a reasonable
> timeframe before your old one expires (one could probably argue forever
> what a reasonable timeframe is, but I'd say something between 10 and 30
> days).

Renewal is a common problem.  Is this something that the guide should spend a 
few words on?


My experience in my own circles has mostly been that it’s not too hard to get 
consensus that the appropriate time is something like:

How long it will take you to notice that cert is approaching limit. (24 hours?)
 + However long it will take you to replace manually using plan A. (a day?)
 + However long it will take you to replace manually using plan B (manually 
order from alternative CA for example) (a week?)
 + However long it will take to cycle the new cert into production (accounting 
for things like DNS TTLs, having apps put through approval at the App Store, or 
whatever might be required) (2-14 days, depending?)
 + Margins (two weeks?)

That should land you somewhere between 25 and 37 days, depending, for a 
*comfortable* margin to replace.

Point is just that it’s very easy for those with less experience at running 
systems to forget about things like detection time, planning for having to go 
to a plan B for a new cert, planning in margins, and so on.  Easy to slip up.

Terje

_______________________________________________
Ach mailing list
[email protected]
http://lists.cert.at/cgi-bin/mailman/listinfo/ach
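
The budget in the message above, worked backwards from a certificate's notAfter date so that each stage gets a latest start date. This is an added example, not part of the original e-mail; the function names and the sample expiry date are assumptions, and the day counts are the ones suggested in the message.

```python
import ssl
from datetime import datetime, timedelta, timezone

# Stage budgets in days, in the order they happen (figures from the message;
# rollout is the variable part, 2-14 days depending on the deployment).
def budget(rollout_days=14):
    return [("detect", 1), ("plan_a", 1), ("plan_b", 7),
            ("rollout", rollout_days), ("margin", 14)]

def parse_not_after(not_after):
    """Parse the date part of `openssl x509 -enddate` output (UTC)."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)

def latest_starts(not_after, stages):
    """Walk back from expiry: latest start of each stage so later ones still fit."""
    cursor = parse_not_after(not_after)
    starts = {}
    for name, days in reversed(stages):
        cursor -= timedelta(days=days)
        starts[name] = cursor
    return starts

def status(not_after, now, stages):
    """'ok' before the window, 'expired' at or after notAfter,
    otherwise the name of the stage segment the clock is currently in."""
    if now >= parse_not_after(not_after):
        return "expired"
    starts = latest_starts(not_after, stages)
    current = "ok"
    for name, _ in stages:
        if now >= starts[name]:
            current = name
    return current

if __name__ == "__main__":
    NOT_AFTER = "Apr 30 00:00:00 2017 GMT"  # constructed sample, not a real cert
    now = datetime(2017, 3, 28, tzinfo=timezone.utc)
    for name, when in latest_starts(NOT_AFTER, budget()).items():
        print(f"{name:8s} must start by {when:%Y-%m-%d}")
    print("status:", status(NOT_AFTER, now, budget()))
```

A status other than `ok` means the earlier stages should already be finished; being in `plan_b` with no renewal started means any failure of plan A now eats into the margin.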
