Comment by rfoo

> Second, I think the statistic is that 81% of businesses have had an outage due to certificate expiry. So you need to understand that making certs expire more is inherently damaging.

Uh, no. Most of the outage due to certificate expiry is not caused by subtly broken automation. It's caused by non-existent automation or outright broken (never gonna work) automation.

So, if you make certificates expire in 6 days, you are not going to have these outages. They will be caught during develop.

People just pretend it's okay and forget about 1 year certs. With 6 days cert it would be impossible to pretend it's okay to shift a few files manually. Or maybe some organizations will setup a human-run rotation which actually does shifting a few files every 3 days, that's totally okay. You don't need automation. You just need a way to consistently make sure your certificate won't expire in prod (and in emergency, able to quickly replace a cert).

Certificates with 1 year expiry is nothing but a dangerous footgun. It's worse than 30 years expiry, at least with 30 years expiry you don't get outages.