Hi there. First time posting.
I’m a bit confused by the docs for leaf_cert_ttl. They say that:

> This is also the effective limit on how long a server outage can last (with no leader) before network connections will start being rejected, and as a result the default is 72h to last through a weekend without intervention
My understanding of this code is that a certificate will be due for renewal at some point between 60% and 90% of the way into its lifetime.
So suppose I have a certificate that is due for renewal at 90% of its lifetime. If the CA fails just before the cert comes up for renewal, I only have 0.1*leaf_cert_ttl of time to fix the problem before that cert expires and I have an incident. So if I use the default value that’s 7.2 hours - much less than a weekend.
If I want to be able to last a whole weekend, I think I need to set my leaf_cert_ttl to 30 days. But now I’ve had to make my leaf certs live longer, which reduces the security of my system.
Am I reading this right? If so, would there be any interest in making the 60% and 90% bounds configurable, so that I can use a shorter certificate (at the expense of increasing the CSR rate)?
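A worked model of the arithmetic in the post, added here as an example; it is not code from the original post or from the project behind leaf_cert_ttl. It assumes exactly what the post describes: each leaf cert's renewal attempt lands somewhere between 60% and 90% of its lifetime, a renewal that falls inside a CA outage fails until the CA returns, and the cert expires at 100% of its lifetime. It goes slightly beyond the post by making the renewal window bounds parameters and by checking a whole (constructed) fleet against a given outage window, which shows which certs would actually be lost rather than just the worst case. It ignores second-order effects such as a cert that was renewed just before the outage needing another renewal during it.

```python
"""Outage tolerance vs. leaf certificate TTL (added example, not project code).

Assumptions (taken from the forum post, not verified against the project):
  - renewal is attempted at a point in [RENEW_MIN, RENEW_MAX] of the cert's lifetime
  - if the CA is unreachable at that point, the renewal fails until the CA is back
  - the cert expires at 100% of its lifetime
All fleets and outage windows below are constructed for illustration.
"""
from datetime import timedelta

RENEW_MIN = 0.6   # assumed lower bound of the renewal window (from the post)
RENEW_MAX = 0.9   # assumed upper bound of the renewal window (from the post)


def worst_case_outage(leaf_cert_ttl: timedelta, renew_max: float = RENEW_MAX) -> timedelta:
    """Longest CA outage that a cert renewing at the latest possible point survives.

    A cert whose renewal attempt lands at renew_max of its lifetime has only
    (1 - renew_max) of the TTL left. If the CA is down longer than that, the
    cert expires before it can be reissued. With the defaults this is 0.1 * TTL.
    """
    return leaf_cert_ttl * (1 - renew_max)


def ttl_for_outage(target_outage: timedelta, renew_max: float = RENEW_MAX) -> timedelta:
    """Smallest leaf_cert_ttl that guarantees surviving target_outage.

    This is the inverse of worst_case_outage: TTL = outage / (1 - renew_max).
    Lowering renew_max (renewing earlier) lets the same outage be survived
    with a shorter TTL, at the cost of more frequent CSRs.
    """
    return target_outage / (1 - renew_max)


def certs_expiring_during_outage(certs, outage_start: timedelta, outage_end: timedelta,
                                 renew_min: float = RENEW_MIN, renew_max: float = RENEW_MAX):
    """Return the names of certs that expire while the CA is unreachable.

    `certs` is a list of (name, issued_at, ttl, renew_fraction) where times are
    offsets from an arbitrary t=0 and renew_fraction is where in the renewal
    window this cert's renewal attempt lands.

    A cert is lost when its renewal attempt falls inside the outage AND its
    expiry also falls before the outage ends. A cert that renews before the
    outage is fine (it holds a fresh cert); one whose expiry is after the
    outage ends is fine too (its retry succeeds once the CA returns).
    """
    lost = []
    for name, issued_at, ttl, frac in certs:
        if not renew_min <= frac <= renew_max:
            raise ValueError(f"{name}: renew fraction {frac} outside [{renew_min}, {renew_max}]")
        renew_at = issued_at + ttl * frac
        expires_at = issued_at + ttl
        if outage_start <= renew_at < outage_end and expires_at <= outage_end:
            lost.append(name)
    return lost


# Constructed fleet: five certs with the default 72h TTL, issued at different
# times, each with a different renewal point inside the 60%..90% window.
H = timedelta(hours=1)
FLEET = [
    ("web-1", 0 * H,   72 * H, 0.90),   # renews at 64.8h, before the outage
    ("web-2", 40 * H,  72 * H, 0.90),   # renews at 104.8h, expires 112h: lost
    ("api-1", 40 * H,  72 * H, 0.60),   # renews at 83.2h, before the outage
    ("api-2", 110 * H, 72 * H, 0.75),   # renews at 164h, expires 182h: survives
    ("db-1",  60 * H,  72 * H, 0.65),   # renews at 106.8h, expires 132h: lost
]
# Constructed "weekend" outage: CA unreachable from t=100h to t=172h.
OUTAGE_START, OUTAGE_END = 100 * H, 172 * H


def report(ttl: timedelta = 72 * H, target: timedelta = 72 * H) -> dict:
    """Summarise the numbers from the post for a given TTL and outage target."""
    return {
        "worst_case_outage_hours": worst_case_outage(ttl).total_seconds() / 3600,
        "ttl_days_for_target": ttl_for_outage(target).total_seconds() / 86400,
        "lost_in_constructed_outage": certs_expiring_during_outage(FLEET, OUTAGE_START, OUTAGE_END),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Running it with the defaults reproduces the post's figures (7.2 hours of headroom at 72h, and a 30-day TTL to cover a 72-hour outage), and the fleet check shows that only the certs whose renewal point falls inside the outage and whose expiry precedes its end are actually lost. Passing a smaller `renew_max` to `ttl_for_outage` is the quick way to see how much TTL a configurable renewal window would buy back.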