fs111 3 days ago

Load on the underlying infrastructure is a concern. The signing keys are all in HSMs and don't scale infinitely.

1
bob1029 3 days ago

How does cycling out certificates more frequently reduce the load on HSMs?

2 replies
timmytokyo 3 days ago

It's all relative. A 47-day cycle increases the load, but a 48-hour cycle would increase it substantially more.

woodruffw 3 days ago

Much of the HSM load within a CA is OCSP signing, not subscriber cert issuance.