Comment by stackskipton

15 hours ago

We do, or will until the certificate lifespan changes. We have customers cert-pinning our API cert at work (shitty Enterprise security practices), so constant 60-day rotation with LE or ZeroSSL caused endless support heartache because these enterprise customers demanded we tell them when and what the new fingerprint was.

So: 1-year certs, renewed 60 days out; send out the new fingerprint, and at 30 days we would occasionally swap it in and out as a brownout, with replacement at 15 days.

We have already indicated that when it drops to 100 days, we will switch to automation and no longer communicate when changes will occur. Account Managers are already getting pushback from customers. It's possible we will continue using DigiCert because they seem to promise that intermediate certs won't rotate, unlike Let's Encrypt, which rotates them more frequently, which is better security practice. So Enterprise customers will cert-pin to the intermediate instead.
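The three pin targets the comment is juggling (leaf certificate fingerprint, the key behind the leaf, and the intermediate) behave differently across a renewal, and the "renew 60 days out" check is a one-liner. The script below is an added example, not the commenter's tooling: it builds a constructed root -> intermediate -> leaf chain with the openssl CLI, renews the leaf twice (once with a fresh key, once reusing the key), and shows which pin survives which renewal. It assumes `openssl` is on PATH; the subject names and hostname are made up.

```shell
#!/bin/sh
# Added example (not from the comment above). Constructed demo chain:
# Demo Root -> Demo Intermediate -> api.example.test, then two leaf renewals.
set -e
WORK="$(mktemp -d)"
cd "$WORK"

# Helpers: a P-256 key, a CSR, and a cert signed by a parent cert/key.
new_key() { openssl ecparam -genkey -name prime256v1 -noout -out "$1" 2>/dev/null; }
new_csr() { openssl req -new -key "$1" -subj "/CN=$2" -out "$3" 2>/dev/null; }
sign() {  # sign <csr> <parent cert> <parent key> <days> <extfile> <out>
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
    -days "$4" -extfile "$5" -out "$6" 2>/dev/null
}

# What a certificate pin compares: the SHA-256 fingerprint of the whole cert.
cert_fp() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }
# What a key (SPKI) pin compares: SHA-256 of the DER SubjectPublicKeyInfo, base64.
spki_pin() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER 2>/dev/null \
    | openssl dgst -sha256 -binary | openssl base64
}
# "Renew N days out": succeeds when the cert expires within N days
# (openssl -checkend exits 1 in that case, so the result is negated).
needs_renewal() { ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )); }

# Extension profiles: CA for the intermediate, server-auth for the leaf.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:api.example.test\n' > leaf.ext

# Root (self-signed, 10 years) and intermediate (5 years).
new_key root.key
openssl req -x509 -new -key root.key -subj "/CN=Demo Root" -days 3650 -out root.pem 2>/dev/null
new_key int.key
new_csr int.key "Demo Intermediate" int.csr
sign int.csr root.pem root.key 1825 ca.ext int.pem

# Leaf 1: the 1-year cert customers pinned.
new_key leaf1.key
new_csr leaf1.key api.example.test leaf1.csr
sign leaf1.csr int.pem int.key 365 leaf.ext leaf1.pem

# Leaf 2: renewal with a fresh key (what LE/ZeroSSL automation normally does).
new_key leaf2.key
new_csr leaf2.key api.example.test leaf2.csr
sign leaf2.csr int.pem int.key 365 leaf.ext leaf2.pem

# Leaf 3: renewal reusing leaf 1's key (only the certificate changes).
new_csr leaf1.key api.example.test leaf3.csr
sign leaf3.csr int.pem int.key 365 leaf.ext leaf3.pem

# Every leaf still chains to the same intermediate and root.
openssl verify -CAfile root.pem -untrusted int.pem leaf1.pem leaf2.pem leaf3.pem >/dev/null

echo "intermediate fp : $(cert_fp int.pem)   (unchanged by any leaf renewal)"
echo "leaf1 cert fp   : $(cert_fp leaf1.pem)"
echo "leaf2 cert fp   : $(cert_fp leaf2.pem)   (new key: cert pin AND key pin break)"
echo "leaf3 cert fp   : $(cert_fp leaf3.pem)   (same key: cert pin breaks, key pin holds)"
echo "leaf1 spki pin  : $(spki_pin leaf1.pem)"
echo "leaf3 spki pin  : $(spki_pin leaf3.pem)"
if needs_renewal leaf1.pem 60; then echo "leaf1: renew now"; else echo "leaf1: not within 60-day window"; fi
```

Pinning to the intermediate (the commenter's plan) rides through every leaf renewal here, but it only buys time: when the CA rotates that intermediate, every client with the pin fails at once, so a key pin with a backup pin published in advance is the usual compromise where pinning cannot be avoided.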