> > and have to keep changing the cert every year.
>
> Your certificate cycling process should be automated, and it should
> happen more frequently than once a year.

Complete nonsense. Firstly, and not a major point, but you may have greater security than automating key changes, and secondly, the only reason you may want to is if you believe your key is not strong enough, in which case use a stronger key. It has *little* to do with time really but more to do with the amount of traffic the key has been used for and whether PFS has solely been used. On a low-traffic site it already annoys me that I have to change it once per year with StartSSL.

--
KISSIS - Keep It Simple So It's Securable

