[darkr]

Revocation for random domains is kind of a moo point as chrome doesn’t do OCSP default, just CRLsets that are pushed out with browser releases, that probably won’t include your domain.

Better instead just to have shorter TTL certs.

[HL33tibCe7]

Yes, and note that Cloudflare supports 30-day certs, and in fact IIRC Cloudflare doesn’t issue 1-year certs at all any more

[5e92cb50239222b]

I checked two domains registered through Cloudflare about a week ago and both have 1-year certificates issued by Sectigo, valid until May 2025. Never enabled DDoS protection or any other features besides editing DNS records.