by regecks 2313 days ago
> these will typically never have a cert so important that it can't be easily revoked

I think this is specifically addressed with the introduction of TLS Delegated Credentials[1]. This allows the CDN edge to use a very short-lived credential in the place of the certificate's private key.

It's already supported in evergreen browsers and in certificate profiles from commercial CAs like Digicert.

1. https://tools.ietf.org/html/draft-ietf-tls-subcerts-06

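To make the mechanism in the comment above concrete, here is an added example (not part of the thread, and not code from the draft's authors, any CA or any CDN): a Go model of the split the draft creates between the origin, which holds the certificate's private key and issues a short-lived credential, and the edge, which only ever holds the short-lived key. The byte layout that gets signed is modelled on the draft's construction (64 spaces, a context string, a zero byte, the certificate, then the credential fields) but is an assumption for this example, not the draft's exact TLS encoding; the 7-day cap is taken from the draft and applied here as remaining lifetime at verification time; the leaf certificate is a constructed self-signed stand-in for a CA-issued one; and every function and type name is hypothetical.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"fmt"
	"math/big"
	"time"
)

// MaxValidity is the 7-day cap from the draft; it bounds how long a key lifted from an edge box stays useful.
const MaxValidity = 7 * 24 * time.Hour

// DelegatedCredential is a simplified model of the draft's structure (layout below is this example's assumption).
type DelegatedCredential struct {
	ValidTime uint32 // seconds after the leaf certificate's NotBefore at which it expires
	PubKeyDER []byte // SubjectPublicKeyInfo of the short-lived edge key
	Signature []byte // ASN.1 ECDSA signature made with the leaf certificate's private key
}

// signingInput binds the credential to the leaf certificate, so it cannot be replayed under another cert.
func (dc *DelegatedCredential) signingInput(certDER []byte) []byte {
	var b bytes.Buffer
	b.Write(bytes.Repeat([]byte{0x20}, 64))
	b.WriteString("TLS, server delegated credentials") // context string modelled on the draft
	b.WriteByte(0x00)
	b.Write(certDER)
	b.Write(binary.BigEndian.AppendUint32(nil, dc.ValidTime))
	b.Write(dc.PubKeyDER)
	return b.Bytes()
}

// NewLeafCert builds a constructed self-signed stand-in for the CA-issued certificate (NotBefore an hour ago).
func NewLeafCert(now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(90 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Issue runs at the origin, the only place the leaf private key exists: it mints a fresh edge key pair
// and signs a credential for it lasting validFor from now. Only the edge key and credential go to the rack.
func Issue(cert *x509.Certificate, leafKey *ecdsa.PrivateKey, now time.Time, validFor time.Duration) (*DelegatedCredential, *ecdsa.PrivateKey, error) {
	if validFor <= 0 || validFor > MaxValidity {
		return nil, nil, fmt.Errorf("validity %v outside (0, %v]", validFor, MaxValidity)
	}
	edgeKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	pubDER, _ := x509.MarshalPKIXPublicKey(&edgeKey.PublicKey) // cannot fail for a P-256 key
	dc := &DelegatedCredential{ValidTime: uint32(now.Add(validFor).Sub(cert.NotBefore) / time.Second), PubKeyDER: pubDER}
	digest := sha256.Sum256(dc.signingInput(cert.Raw))
	if dc.Signature, err = ecdsa.SignASN1(rand.Reader, leafKey, digest[:]); err != nil {
		return nil, nil, err
	}
	return dc, edgeKey, nil
}

// Verify is the client-side check: unexpired, at most MaxValidity of life left, and signed by the
// certificate's key. On success it returns the edge public key used to check CertificateVerify.
func Verify(cert *x509.Certificate, dc *DelegatedCredential, now time.Time) (crypto.PublicKey, error) {
	expiry := cert.NotBefore.Add(time.Duration(dc.ValidTime) * time.Second)
	if now.After(expiry) || expiry.Sub(now) > MaxValidity {
		return nil, fmt.Errorf("delegated credential expired or valid for more than %v (expiry %v)", MaxValidity, expiry)
	}
	leafPub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(dc.signingInput(cert.Raw))
	if !ok || !ecdsa.VerifyASN1(leafPub, digest[:], dc.Signature) {
		return nil, fmt.Errorf("delegated credential signature invalid")
	}
	return x509.ParsePKIXPublicKey(dc.PubKeyDER)
}

func main() {
	now := time.Now()
	cert, leafKey, _ := NewLeafCert(now)
	dc, _, _ := Issue(cert, leafKey, now, 24*time.Hour)
	_, err := Verify(cert, dc, now.Add(48*time.Hour))
	fmt.Println("stale credential rejected:", err != nil)
}
```

The point to notice is what each side holds: the origin keeps the leaf private key and runs `Issue` on a schedule; the edge receives only the credential and the short-lived key, signs handshakes with that key, and is simply refused by clients once `ValidTime` passes. Revoking a compromised edge therefore means letting the credential lapse and not issuing another, with no CA revocation involved, which is the property the comment is pointing at.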

Yup! Some of the names on that draft were people who have previously worked on building these sorts of edge racks, so their experience with this infra helped shape the proposal. It'll be great once it's broadly supported, but that's going to take a while (or depending on your client mix, an eternity).