On 2015-12-12, Kevin Chadwick <m8il1i...@gmail.com> wrote:
>> > and have to keep changing the cert every year.  
>> 
>> Your certificate cycling process should be automated, and it should
>> happen more frequently than once a year.
>
> Complete nonsense
>
> firstly and not a major point but you may have greater security than
> automating key changes and secondly the only reason you may want to is
> if you believe your key is not strong enough, in which case use a
> stronger key. It has *little* to do with time really but more to do with
> the amount of traffic the key has been used for and whether PFS has
> solely been used.

It's not so much about replacing keys which aren't strong enough (and
actually you can just replace the old key+cert in that case), it's
about dealing with compromised keys.

Certificate revocation is a disaster area. CRLs are often not checked
at all (letsencrypt aren't even generating CRL entries for end-user
certs - startssl will do but they charge for them, even for free
certs). OCSP is probably checked more often in browsers than CRLs
but fails open in some cases (and has terrible UI in others) and
again isn't used universally - keeping certificate lifetimes short
is a useful way to limit the damage that can be done by a compromised
key. (and if letsencrypt *were* to start doing CRLs for revoked
end-user certs, keeping lifetimes short would also limit the file
size of the CRL).
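The point about short lifetimes limiting damage from a compromised key can be made concrete with a small model. This is an added example, not code from the thread: it builds a constructed issuance schedule and computes the worst-case window during which a leaked key stays usable if relying parties never check revocation (the CRL-not-checked / OCSP-fails-open case). Going slightly beyond the message, it also models whether the key is rotated at each renewal, since a renewed cert issued for the same leaked key is just as usable to whoever holds it; `Cert`, `issue_schedule` and `exposure_days` are names invented here.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass(frozen=True)
class Cert:
    not_before: datetime
    not_after: datetime
    key_id: str  # which private key this certificate certifies

def issue_schedule(start: datetime, lifetime_days: int, renew_every_days: int,
                   rotate_key: bool, count: int) -> list[Cert]:
    """Constructed issuance history: `count` certs, each `lifetime_days` long,
    renewed every `renew_every_days` days, with a fresh key per cert if rotate_key."""
    certs = []
    for i in range(count):
        nb = start + timedelta(days=i * renew_every_days)
        key = f"key-{i}" if rotate_key else "key-0"
        certs.append(Cert(nb, nb + timedelta(days=lifetime_days), key))
    return certs

def serving_key(certs: list[Cert], at: datetime) -> Optional[str]:
    """Key of the most recently issued cert that is valid at `at`."""
    live = [c for c in certs if c.not_before <= at < c.not_after]
    return max(live, key=lambda c: c.not_before).key_id if live else None

def exposure_end(certs: list[Cert], compromised_key: str, at: datetime) -> Optional[datetime]:
    """Latest instant a leaked key remains usable when revocation is never checked:
    every cert issued for that key, including ones issued after the leak because
    the key was reused at renewal, stays acceptable until its own notAfter."""
    ends = [c.not_after for c in certs if c.key_id == compromised_key and c.not_after > at]
    return max(ends) if ends else None

def exposure_days(lifetime_days: int, renew_every_days: int, rotate_key: bool,
                  compromise_day: int, count: int = 6) -> int:
    """Days from a compromise of the currently served key until no cert for it is valid.
    With key reuse the window only ends when the simulated schedule ends (count certs);
    in practice it keeps growing with every renewal."""
    start = datetime(2015, 12, 12, tzinfo=timezone.utc)  # constructed start date
    certs = issue_schedule(start, lifetime_days, renew_every_days, rotate_key, count)
    at = start + timedelta(days=compromise_day)
    end = exposure_end(certs, serving_key(certs, at), at)
    return (end - at).days

if __name__ == "__main__":
    for life, renew, rotate in [(90, 60, True), (90, 60, False), (365, 365, True), (365, 365, False)]:
        print(f"{life:>3}-day certs, renew every {renew:>3}d, rotate key={rotate!s:5}: "
              f"key usable for {exposure_days(life, renew, rotate, 100)} more days")
```

The 90-day schedule with a fresh key at every renewal bounds the damage to the remaining life of the one cert the leaked key was issued for; reusing the key at renewal keeps extending that window regardless of how short each individual cert is.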
