[viraptor]

Or you get N certificates from different sources, pin them all, use 1, stick the rest in (a) safe vault(s). Even if something really bad happens, you can use one of the other ones until you cycle. Cost of N certificates will be << money you'd lose otherwise, and likely a rounding error in any company's monthly spending. (if it's already live / trading)

[pfg]

HPKP is based on the public key, so you don't necessarily need to obtain signed certificates in advance - generating a key pair and keeping the private key safe would suffice.

There is some value in ensuring that a CA is willing to sign a certificate using those keys in case something went wrong during the key generation (i.e. a key size or curve that's not supported by the Web PKI), so it might be considered a best practice to do that regardless.

[viraptor]

It's possible. But if you're in a disaster recovery situation, do you want to add the step of granting the certificate as well? Do people on call have access to the company credit card to get one?

It's easier to just get a full cert ahead of time.

[Scott_Helme_]

The only safe way to try and do that would be to make sure that the max-age of your policy was never more than the remaining validity of your longest valid certificate.