How does the default leaf cert TTL provide a weekend of protection?

Hi there. First time posting. :wave:

I’m a bit confused by the docs for leaf_cert_ttl. They say that

This is also the effective limit on how long a server outage can last (with no leader) before network connections will start being rejected, and as a result the default is 72h to last through a weekend without intervention

My understanding of this code is that a certificate will be due for renewal at some point between 60% and 90% of the way into its lifetime.

So suppose I have a certificate that is due for renewal at 90% of its lifetime. If the CA fails just before the cert comes up for renewal, I only have 0.1*leaf_cert_ttl time to fix the problem before that cert expires and I have an incident. So if I use the default value that’s 7.2 hours - much less than a weekend.

If I want to be able to last a whole weekend, I think I need to set my leaf_cert_ttl to 30 days. But now I’ve had to make my leaf certs live longer, which reduces the security of my system.

Am I reading this right? If so, would there be any interest in making the 60% and 90% bounds configurable, so that I can use a shorter certificate (at the expense of increasing the CSR rate)?
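A worked version of the arithmetic in the question, as an added example that is not from the original thread and not Consul's own code. It assumes the 60%/90% renewal bounds exactly as the post states them (Consul's real scheduler picks a random point inside that window; the jitter itself is not reproduced here), treats a 48-hour weekend as the outage budget, and uses constructed certificate timestamps. Integer percentages are used instead of floats so the durations come out exact.

```go
package main

import (
	"fmt"
	"time"
)

// Renewal window as described in the question: a leaf cert is picked for
// renewal somewhere between 60% and 90% of its lifetime. These are the values
// stated in the post (assumption), kept as integer percentages so that the
// time.Duration arithmetic below is exact.
const (
	renewLowerPercent = 60
	renewUpperPercent = 90
)

// RenewalWindow returns the earliest and latest points at which a cert valid
// from notBefore to notAfter would be scheduled for renewal.
func RenewalWindow(notBefore, notAfter time.Time) (earliest, latest time.Time) {
	lifetime := notAfter.Sub(notBefore)
	earliest = notBefore.Add(lifetime * renewLowerPercent / 100)
	latest = notBefore.Add(lifetime * renewUpperPercent / 100)
	return earliest, latest
}

// WorstCaseMargin is how long a cert stays valid after the latest possible
// renewal attempt. If the CA becomes unreachable at that moment, this is the
// time an operator has to restore it before the cert expires.
func WorstCaseMargin(ttl time.Duration) time.Duration {
	return ttl * (100 - renewUpperPercent) / 100
}

// MinTTLForOutage inverts WorstCaseMargin: the smallest leaf_cert_ttl for
// which a cert renewed at the latest possible moment still outlives an
// outage of the given length with no CA available.
func MinTTLForOutage(outage time.Duration) time.Duration {
	return outage * 100 / (100 - renewUpperPercent)
}

// SurvivesOutage reports whether the given TTL covers the outage in the
// worst case (renewal due at the 90% mark, CA lost right then).
func SurvivesOutage(ttl, outage time.Duration) bool {
	return WorstCaseMargin(ttl) >= outage
}

func main() {
	defaultTTL := 72 * time.Hour
	weekend := 48 * time.Hour // constructed outage budget: Saturday and Sunday

	// Constructed timestamps for a cert issued with the default TTL.
	notBefore := time.Date(2024, 1, 5, 18, 0, 0, 0, time.UTC) // Friday evening
	earliest, latest := RenewalWindow(notBefore, notBefore.Add(defaultTTL))
	fmt.Printf("renewal window: %v .. %v\n", earliest, latest)

	fmt.Printf("default TTL %v: worst-case margin %v, survives %v outage: %v\n",
		defaultTTL, WorstCaseMargin(defaultTTL), weekend, SurvivesOutage(defaultTTL, weekend))

	need := MinTTLForOutage(weekend)
	fmt.Printf("to survive a %v outage the TTL must be at least %v (%.1f days)\n",
		weekend, need, need.Hours()/24)
}
```

The two numbers a practitioner cares about fall straight out of the functions: with the default 72h TTL the worst-case margin is 7h12m, and covering a 48h outage in the worst case needs a TTL of 480h (20 days); a longer weekend pushes that toward the 30 days the question mentions. The trade-off the question describes is visible in the formula, since every hour of outage budget costs ten hours of certificate lifetime while the upper bound stays at 90%.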


PR hashicorp/consul#10842 updated the documentation for leaf_cert_ttl to remove this statement about providing a weekend of protection.

This is probably a question for our engineering team. I recommend opening an issue on GitHub and asking there whether they’d be willing to make this configurable.