Renewing certificates - without revoking?

2006-03-02 Thread Brian Candler
Using openssl as a CA, I'm wondering what the best way is to renew a certificate without first revoking the previous one. Revoking the previous one would leave a window of vulnerability where a machine may be trying to use the old certificate, as it hasn't yet downloaded the new one, but other

Re: Renewing certificates - without revoking?

2006-03-02 Thread Kyle Hamilton
The best way is to have the unique_subject = no, and then allow for the download and installation of the new cert. Once that's done, revoke the old one. As for why it's not the default, it's because there are other applications besides just web server certification that require additional
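
The sequence described in the reply above (issue the replacement with `unique_subject = no`, install it, then revoke the old certificate), as an added example that is not part of the original thread. The throwaway CA, the file names and the `host.example` subject are constructed for the demo, and it assumes an OpenSSL 1.1.0 or later command-line tool.

```shell
#!/bin/sh
# Added example: throwaway CA in a temp dir. All names and paths are constructed.
renewal_demo() (
  set -e
  cd "$(mktemp -d)"
  mkdir newcerts; : > index.txt; echo 01 > serial
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
new_certs_dir = newcerts
serial = serial
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = pol
# Allows two valid entries with one subject. An existing index.txt.attr
# file overrides this line, so check it on an established CA.
unique_subject = no
[ pol ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
  q() { openssl "$@" >/dev/null 2>&1; }
  # Verify against the CA with CRL checking; print ok or rejected.
  chk() { if q verify -crl_check -CAfile ca.pem -CRLfile crl.pem "$1"; then echo ok; else echo rejected; fi; }
  q req -x509 -config ca.cnf -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem -subj "/CN=Demo CA" -days 30
  for n in old new; do   # same subject, two keys, two serials
    q req -config ca.cnf -newkey rsa:2048 -nodes -keyout $n.key -out $n.csr -subj "/CN=host.example"
    q ca -batch -config ca.cnf -in $n.csr -out $n.pem -notext
  done
  q ca -config ca.cnf -gencrl -out crl.pem
  overlap="old=$(chk old.pem),new=$(chk new.pem)"
  # Only after the new certificate is installed everywhere:
  q ca -config ca.cnf -revoke old.pem
  q ca -config ca.cnf -gencrl -out crl.pem
  echo "overlap:$overlap after-revoke:old=$(chk old.pem),new=$(chk new.pem)"
)
renewal_demo
```

With `unique_subject = yes` in `ca.cnf`, the second `openssl ca` call fails because a valid entry with that subject already exists, which is the default behaviour the thread asks about.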