[woodruffw]

You can do this pretty easily with Let’s Encrypt, to my knowledge. You can request resistance every 30 days, for example, which would give you a ladder of three 90 day certificates.

Edit: but to be clear, I don’t understand why you’d want this. If you’re worried about your CA going offline, you should shorten your renewal period instead.

[flowerlad]

Do services such as K8S ingress and Azure web apps allow you to specify multiple certificates?

Update: looks like the answer is yes. So then the issue is people not taking advantage of this technique.

[woodruffw]

I don’t think there’s a ton of benefit to the technique. If you’re worried about getting too close to your certificate expiry via automation, the solution is to renew earlier rather than complicate things with a ladder of valid certs.

[bawolff]

There are reasons to do this, just not because of expiry.

The main reason to have multiple certs is so if your host (and cert prov key) is compromised, you can quickly switch to a backup, without first having to sort out getting a new cert issued.

[miladyincontrol]

If getting a new cert issued is some sort of thing you need to sort out, as in a process that takes time, you've already missed the target.

[bawolff]

If you want a backup system its best if its self contained. When your site is down its easier to just run a single command to copy over a single file in your control instead of depending on an external service.

[kees99]

Exactly. It's not like backup certificate have validity starting at a future date.

[flowerlad]

Yes the backup certificate can have validity starting at a future date. You just need to wait till that future date to create it.