On 2017-03-08T16:05, Terje Elde <[email protected]> wrote:
>
> > On 08 Mar 2017, at 14:19, Hanno Böck <[email protected]> wrote:
> >
> > What you should do is to request a new cert with a reasonable
> > timeframe before your old one expires (one could probably argue forever
> > what a reasonable timeframe is, but I'd say something between 10 and 30
> > days).
>
> Renewal is a common problem. Is this something that the guide should spend a
> few words on?
>
> My experience in my own circles has mostly been that it's not too hard to
> get consensus that the appropriate time is something like:
>
>   How long it will take you to notice that the cert is approaching its limit (24
>   hours?)
> + However long it will take you to replace it manually using plan A (a day?)
> + However long it will take you to replace it manually using plan B (manually
>   order from an alternative CA, for example) (a week?)
> + However long it will take to cycle the new cert into production,
>   accounting for things like DNS TTLs, having apps put through approval at an App
>   Store, or whatever might be required (2-14 days, depending?)
> + Margins (two weeks?)
>
> That should land you somewhere between 25 and 37 days, depending, for a
> *comfortable* margin to replace.
>
> Point is just that it's very easy for those with less experience at running
> systems to forget about things like detection time, planning for having to go
> to a plan B for new certs, planning in margins, and so on. Easy to slip up.
There is another factor if one is bold enough to use it: the max-age of HPKP
pins, and the administrative change time and TTL of TLSA DNS entries.

Especially HPKP max-age must be _added_ to the aforementioned times if there is
a chance that one would change the keypair when obtaining a new certificate.
Recommendations for max-age are in the order of a month or even more. However,
in my opinion, one would have to be mad to use any HPKP max-age longer than
maybe a week with letsencrypt.

Ciao,

Alexander Wuerstlein.

_______________________________________________
Ach mailing list
[email protected]
http://lists.cert.at/cgi-bin/mailman/listinfo/ach
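The lead-time budget discussed in the thread, turned into a runnable check. This is an added example, not code from any poster or from any ACME client: it takes the `notAfter=` line that `openssl x509 -noout -enddate` prints, sums the step durations Terje lists (the defaults below are his example figures, with the 14-day end of the rollout range), and, following Alexander's point, adds the HPKP max-age on top only when the renewal will also rotate the keypair. The certificate dates and the "now" timestamps used in the demo are constructed sample values.

```python
"""Decide whether a certificate renewal must start now, given a lead-time budget.

Added example (not from the thread or from any CA tooling). It uses only the
standard library; the expiry dates and current times below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class RenewalBudget:
    """Per-step time budget in days, as listed in the thread (example figures)."""
    detect: float = 1      # notice that the cert is approaching expiry
    plan_a: float = 1      # manual replacement via the usual CA
    plan_b: float = 7      # manual order from an alternative CA
    rollout: float = 14    # DNS TTLs, app-store approval, ... (thread: 2-14 days)
    margin: float = 14     # safety margin (thread: two weeks)

    def lead_time(self, hpkp_max_age_seconds: int = 0, key_changes: bool = False) -> timedelta:
        """Total lead time before expiry at which renewal work has to begin.

        If the new certificate will carry a new keypair and HPKP is in use,
        clients may keep enforcing the old pin set for up to max-age, so the
        pin max-age is added on top of the operational steps.
        """
        lead = timedelta(days=self.detect + self.plan_a + self.plan_b + self.rollout + self.margin)
        if key_changes and hpkp_max_age_seconds > 0:
            lead += timedelta(seconds=hpkp_max_age_seconds)
        return lead


def parse_openssl_enddate(line: str) -> datetime:
    """Parse the line printed by `openssl x509 -noout -enddate`.

    openssl prints e.g. "notAfter=Mar  8 16:05:00 2017 GMT" (note the padded
    day); the whitespace is collapsed before parsing. The result is UTC-aware.
    """
    _, _, value = line.strip().partition("=")
    parsed = datetime.strptime(" ".join(value.split()), "%b %d %H:%M:%S %Y %Z")
    return parsed.replace(tzinfo=timezone.utc)


def renewal_decision(not_after: datetime, now: datetime, budget: RenewalBudget = RenewalBudget(),
                     *, hpkp_max_age_seconds: int = 0, key_changes: bool = False) -> dict:
    """Return whether renewal must start now and the latest safe start date."""
    lead = budget.lead_time(hpkp_max_age_seconds, key_changes)
    start_by = not_after - lead
    return {
        "renew_now": now >= start_by,
        "start_by": start_by.isoformat(),
        "days_until_expiry": (not_after - now).days,
        "lead_days": lead.total_seconds() / 86400,
    }


def check(enddate_line: str, now_iso: str, budget: RenewalBudget = RenewalBudget(),
          *, hpkp_max_age_seconds: int = 0, key_changes: bool = False) -> dict:
    """String-in convenience wrapper: openssl enddate line plus an ISO-8601 'now'."""
    not_after = parse_openssl_enddate(enddate_line)
    now = datetime.fromisoformat(now_iso)
    if now.tzinfo is None:
        now = now.replace(tzinfo=timezone.utc)
    return renewal_decision(not_after, now, budget,
                            hpkp_max_age_seconds=hpkp_max_age_seconds, key_changes=key_changes)


if __name__ == "__main__":
    # Constructed sample: cert expires 2017-04-30, it is now 2017-03-08 (the thread's date).
    enddate = "notAfter=Apr 30 00:00:00 2017 GMT"
    now = "2017-03-08T16:05:00+00:00"
    print("plain renewal:      ", check(enddate, now))
    # Same cert, but the renewal rotates the key and HPKP max-age is one month.
    print("key rotation + HPKP:", check(enddate, now, hpkp_max_age_seconds=30 * 86400, key_changes=True))
    # Alexander's suggested cap of about a week of max-age.
    print("one-week HPKP:      ", check(enddate, now, hpkp_max_age_seconds=7 * 86400, key_changes=True))
```

With the defaults the lead time is 37 days, the upper end of the range Terje quotes; the 30-day HPKP case shows why the pin lifetime dominates the budget once key rotation is on the table, and why a week-long max-age is a far easier number to plan around.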
