I'm just using HashiCorp Vault, with a multi-tier CA setup. The real CA is just a Docker container that stays off 99.9% of the time, and the furthest branch intermediate lives on the actual Vault instance, which is used to issue certs, among other things. As long as you add your CA chain to your system and browser, they get treated as valid. I even have long-term certs in some places because I don't want to change them. Public CAs max out at 1 year most of the time now. I issue certs for my internal domains, and public subdomains where I'm the only one to use them. I use LE for the real public things.
If you're running your own CA then you really should just set your expiries to the maximum (49 years is practical) and never worry about it.
You don't have enough nodes for CRL size to become a problem, and if a node does get compromised you're hardly going to leave it up and running for a year (i.e. you'd obviously kill the node, and the cert is useless without control of the DNS name).
EDIT: the other direction to go of course is way shorter. Like, do you need a certificate with a lifetime longer than business hours before renewal?
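The hierarchy the thread is describing (a long-lived offline root, an online intermediate that does the day-to-day issuing, clients that trust the chain once it is installed, and either very long or very short leaf lifetimes), as an added example in Go's standard library rather than Vault's own PKI engine or anything the commenters posted. The CA names, the `home.arpa` hostnames and the 49-year lifetimes are assumptions for the illustration; the point is that the root key is used exactly once and then dropped, and that a client's chain validation is what enforces the expiry and the DNS name.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Assumed lifetimes in years; 49 is the "practical maximum" from the thread.
const (
	RootLifetime  = 49
	InterLifetime = 49
)

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// serial returns a random 128-bit serial so revocation by serial is unambiguous.
func serial() *big.Int {
	n, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		panic(err)
	}
	return n
}

// sign encodes template as a certificate signed by parentKey; parent == nil means self-signed.
func sign(template, parent *x509.Certificate, pub any, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = template
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func caTemplate(cn string, now time.Time, years int) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          serial(),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now,
		NotAfter:              now.AddDate(years, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// IssuingCA is the online intermediate: the only private key the issuing host holds.
type IssuingCA struct {
	Root *x509.Certificate // trust anchor to install on clients; no key travels with it
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// NewHierarchy builds root -> intermediate and lets the root key go out of scope,
// mirroring a root that is powered off as soon as its intermediate is signed.
func NewHierarchy(now time.Time) *IssuingCA {
	rootKey := newKey()
	root := sign(caTemplate("Homelab Root CA", now, RootLifetime), nil, &rootKey.PublicKey, rootKey)
	interKey := newKey()
	inter := sign(caTemplate("Homelab Issuing CA", now, InterLifetime), root, &interKey.PublicKey, rootKey)
	return &IssuingCA{Root: root, Cert: inter, key: interKey}
}

// Issue signs a server certificate for host, valid for ttl starting at now.
func (ca *IssuingCA) Issue(host string, now time.Time, ttl time.Duration) *x509.Certificate {
	leafKey := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: serial(),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now,
		NotAfter:     now.Add(ttl),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return sign(tmpl, ca.Cert, &leafKey.PublicKey, ca.key)
}

// Verify is what a client does once the chain is in its trust store: it walks
// leaf -> intermediate -> root and checks the validity window and DNS name at time at.
func Verify(ca *IssuingCA, leaf *x509.Certificate, host string, at time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(ca.Root)
	inters.AddCert(ca.Cert)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host, CurrentTime: at})
	return err
}

func main() {
	now := time.Now()
	ca := NewHierarchy(now)
	long := ca.Issue("vault.home.arpa", now, 49*365*24*time.Hour) // "set it to the maximum"
	short := ca.Issue("app.home.arpa", now, 8*time.Hour)          // "business hours" lifetime
	fmt.Println("long-lived cert checked 40 years out:", Verify(ca, long, "vault.home.arpa", now.AddDate(40, 0, 0)))
	fmt.Println("short cert checked after hours:", Verify(ca, short, "app.home.arpa", now.Add(9*time.Hour)))
	fmt.Println("long-lived cert for the wrong name:", Verify(ca, long, "other.home.arpa", now))
}
```

The last check is the thread's "useless without control of the DNS name" point: even a 49-year certificate is rejected by a client that connects to a hostname the certificate does not carry, so killing a compromised node and moving the name is what actually neutralises the leaked key, not the CRL. The intermediate's private key is the only one that needs to be online, which is the property the Docker-container-that-stays-off root is buying.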