[tptacek]

No, arbitrarily frequent credential rotation is not universally good hygiene, and suggesting otherwise is not malpractice. Why not rotate frequently? Because doing so requires a high-availability CA, and reduces the reliability of the whole system, for marginal or no security benefit.

[mmalone]

Counterpoint: if it hurts, do it more. That’s good operational hygiene. If you’re worried about certificate rotation failing, the surest way to make that process resilient is to do a lot of it. If you’re running the smallstep toolchain, you have an HA CA. That’s a sunk cost. That’s why it defaults to frequent rotation.

Furthermore, it’s not arbitrary. Credentials leak and services come and go. Having active keys around that aren’t in use is worse than not having them around. If someone accidentally commits a key to a GitHub repo or something, it’s nice to know that key will only be useful for a little while.

If you still want to rotate less frequently, change the default.

This really has very little to do with the topic at hand, so I’m not sure why we’re debating it. Do you want me to change the default certificate lifetime in step-ca? What do you think it should be?