by alyandon 526 days ago
Based on what I've seen internally at several $LARGE_CORPs, a 90 day expiration was more than painful enough to cause teams to invest in automation for rotation. I don't know that cutting 90 days to 45 days would help move the needle further.

> I don't know that cutting 90 days to 45 days would help move the needle further.

What does this protect you from? If a private key is stolen from a device? If it went unnoticed for 45 days, the device is probably still compromised, and the threat actor will just steal the new key. If you can automate issuing certificates, you can automate stealing them too.

Sounds like a great way to garner more business for Big PKI.

It mainly helps with stuff like enforcing modern TLS + ciphers and various other changes that occur naturally in the ecosystem over time.

You are not wrong about the malware part though. Said undetected malware would continue to be undetected and continue to expose the private bits no matter how (in)frequently you rotate.

> It mainly helps with stuff like enforcing modern TLS + ciphers and various other changes that occur naturally in the ecosystem over time.

???

Why would you need to issue new certificates for "enforcing modern TLS + ciphers and various other changes"? There's nothing preventing you from using a newly minted Let's Encrypt certificate with SSLv3, for instance.

Sure, I misspoke. It's more about the contents of the cert itself (signing keys, deprecation of CN field, etc) than the hosting web server configuration.

Obviously, one can actively choose to go out of one's way and do something bone-headed - nothing can stop that.
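The distinction drawn in the last few replies (the server's TLS configuration versus the contents of the certificate itself) is the kind of thing a lint over issued certs makes concrete. The following is an added example, not code from anyone in the thread: it parses a PEM certificate with Go's standard library and flags the properties that shorter lifetimes tend to force through the ecosystem: a validity window longer than the policy ceiling, an already-expired cert, a CN-only subject with no subjectAltName (hostname matching ignores the CN, per RFC 2818 and browsers since Chrome 58), and a deprecated signature algorithm. The 90-day ceiling, the function names and the self-signed certificates it mints as input are all assumptions for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// MaxLifetime is the policy ceiling the lint enforces. 90 days is an
// assumption for this demo; change it to 45 if that is your policy.
const MaxLifetime = 90 * 24 * time.Hour

// LintCert reports policy findings for one leaf certificate. It checks the
// things that live in the cert itself (validity window, subject naming,
// signature algorithm), not the hosting server's TLS configuration.
func LintCert(c *x509.Certificate, now time.Time) []string {
	var findings []string
	if life := c.NotAfter.Sub(c.NotBefore); life > MaxLifetime {
		findings = append(findings, fmt.Sprintf("validity %.0f days exceeds %.0f-day policy",
			life.Hours()/24, MaxLifetime.Hours()/24))
	}
	if now.After(c.NotAfter) {
		findings = append(findings, "expired on "+c.NotAfter.Format(time.RFC3339))
	}
	// Hostname matching uses the SAN list; a CN-only cert will not validate in modern clients.
	if len(c.DNSNames) == 0 && len(c.IPAddresses) == 0 {
		findings = append(findings, "no subjectAltName (CN-only cert: "+c.Subject.CommonName+")")
	}
	switch c.SignatureAlgorithm {
	case x509.MD2WithRSA, x509.MD5WithRSA, x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		findings = append(findings, "deprecated signature algorithm "+c.SignatureAlgorithm.String())
	}
	return findings
}

// LintPEM decodes the first CERTIFICATE block from PEM input and lints it.
func LintPEM(pemBytes []byte, now time.Time) ([]string, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block in input")
	}
	c, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	return LintCert(c, now), nil
}

// SelfSignedPEM mints a throwaway self-signed cert so the demo runs offline.
// This is constructed test input, not a real certificate from any CA.
func SelfSignedPEM(cn string, sans []string, lifetime time.Duration, now time.Time) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans,
		NotBefore:    now,
		NotAfter:     now.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	now := time.Now()
	// A 60-day cert with a SAN passes; a 398-day CN-only cert picks up two findings.
	fresh := SelfSignedPEM("www.example.test", []string{"www.example.test"}, 60*24*time.Hour, now)
	legacy := SelfSignedPEM("legacy.example.test", nil, 398*24*time.Hour, now)
	for name, p := range map[string][]byte{"fresh": fresh, "legacy": legacy} {
		findings, err := LintPEM(p, now)
		if err != nil {
			fmt.Println(name, "error:", err)
			continue
		}
		fmt.Printf("%s: %d finding(s) %v\n", name, len(findings), findings)
	}
}
```

Point it at real certs by replacing the SelfSignedPEM input with the PEM your ACME client or internal CA writes out; running it over every leaf in an inventory is the cheap way to see which teams are still depending on properties (long validity, CN matching) that the ecosystem is retiring. It does not, as the thread notes, tell you anything about a private key that has already been stolen.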