Willy, thanks for your elaborate reply! See my remarks below.
> possible impacts nor complexity (but I don't want to have the complete MS
> Office suite merged in, just Word, Excel and PowerPoint :-)).

:-D

> - renewed certs can and will sometimes provide extra alt names, so
>   they are not always 100% equivalent.
> […]
> That said, given that we can already look up a cert based on a name,
> maybe in fact we could load all of them and just try to find a more
> recent one if the first one reported by the SNI is outdated. I don't
> know if that solves everything there.

It actually might. In the end it would be something like a map, with the key being the domain, and the value a list of pointers to the actual certificates, sorted by remaining validity, having the shortest first.

> In any case, this will not provide any benefit regarding let's encrypt
> or such solutions, because the next cert would have to be known in
> advance and loaded already, so reloads will have to be performed to
> take it into account. So I think that the approach making it possible
> to feed them over the CLI would still be more interesting (and possibly
> complementary).

I think it would benefit Let’s Encrypt and similar scenarios. It would still require reloads to pick up newly added certificates. But as renewed certificates overlap their predecessors’ validity period, dropping them into a directory and just doing a reload maybe once a day would work. Clients would still get the older one until it finally expired, but that should not matter, as we are not talking about revocations, where switching to a new cert is wanted quickly.

> Daniel, I'm pretty sure that most users
> would prefer the approach consisting in picking the most recent
> valid cert instead of the last one as you'd like. I don't really
> know if it's common to issue a cert with a "not-before" date in the
> future. And that might be the whole point in the end.

Well, I was just thinking about the not-after date.
In general, from a client perspective it shouldn’t matter to get an older one, until it really expires. And the case where you have a new certificate already, and you want it handed out to clients ASAP, is already taken care of today: just replace the file and reload :-)

Unless I misunderstood what you meant when referring to the “not-before” date.

Daniel

PS: This is an interesting discussion, and I am happy to continue it, if anyone feels the same. As I said, I will try to solve this via provisioning scripts in the meantime, so there is no time pressure.

--
Daniel Schneller
Principal Cloud Engineer
CenterDevice GmbH | Hochstraße 11 | 42697 Solingen
tel: +49 1754155711 | Deutschland
daniel.schnel...@centerdevice.de | www.centerdevice.de
Geschäftsführung: Dr. Patrick Peschlow, Dr. Lukas Pustina, Michael Rosbach,
Handelsregister-Nr.: HRB 18655, HR-Gericht: Bonn, USt-IdNr.: DE-815299431
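The following is an added example to illustrate the data structure and the two selection policies discussed in the message above; it is not HAProxy code and not something either participant posted. It models the map Daniel sketches (domain as key, certificates sorted by remaining validity with the shortest first) and then compares "serve the oldest still-valid cert until it expires" (Daniel's reading, keyed on not-after) with "serve the most recently issued valid cert" (Willy's suggestion, which is where not-before matters). Certificates are constructed stand-ins with a hypothetical file name, a validity window and a name list rather than parsed X.509; the lookup is an exact, case-insensitive name match with no wildcard handling, and the renewed cert deliberately adds a subjectAltName to show the "extra alt names" case.

```python
"""
Added example (not HAProxy code): domain -> [certs sorted by not_after],
plus the two SNI selection policies discussed in the thread.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    path: str                 # hypothetical file name, for readability only
    not_before: datetime
    not_after: datetime
    names: Tuple[str, ...]    # CN plus subjectAltNames

    def valid_at(self, now: datetime) -> bool:
        return self.not_before <= now < self.not_after


def at(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample set: the original cert, an overlapping renewal that adds
# a SAN, and a further renewal whose not-before is still in the future
# relative to the first lookups in the demo below.
CERTS = [
    Cert("example.com.2024-01.pem", at(2024, 1, 1), at(2024, 4, 1),
         ("example.com",)),
    Cert("example.com.2024-03.pem", at(2024, 3, 1), at(2024, 6, 1),
         ("example.com", "www.example.com")),
    Cert("example.com.2024-05.pem", at(2024, 5, 15), at(2024, 8, 15),
         ("example.com", "www.example.com")),
]


def build_map(certs: List[Cert]) -> Dict[str, List[Cert]]:
    """domain -> certs covering it, sorted by not_after (shortest remaining
    validity first). Alt names are indexed too, so a renewal that adds a
    SAN becomes reachable under the new name."""
    by_name: Dict[str, List[Cert]] = {}
    for cert in certs:
        for name in cert.names:
            by_name.setdefault(name.lower(), []).append(cert)
    for lst in by_name.values():
        lst.sort(key=lambda c: c.not_after)
    return by_name


def select_oldest_valid(by_name: Dict[str, List[Cert]], sni: str,
                        now: datetime) -> Optional[Cert]:
    """Daniel's policy: walk the list (shortest remaining validity first)
    and return the first cert valid right now. Expired entries are skipped,
    and so is one whose not-before has not been reached yet."""
    for cert in by_name.get(sni.lower(), ()):
        if cert.valid_at(now):
            return cert
    return None


def select_newest_valid(by_name: Dict[str, List[Cert]], sni: str,
                        now: datetime) -> Optional[Cert]:
    """Willy's policy: among the certs valid right now, return the most
    recently issued one (latest not_before). A renewal takes over as soon
    as its not-before has passed, even though the old cert is still valid."""
    valid = [c for c in by_name.get(sni.lower(), ()) if c.valid_at(now)]
    if not valid:
        return None
    return max(valid, key=lambda c: c.not_before)


BY_NAME = build_map(CERTS)


def served_paths(sni: str, now: datetime) -> Tuple[Optional[str], Optional[str]]:
    """(oldest-valid path, newest-valid path) for one lookup, side by side."""
    old = select_oldest_valid(BY_NAME, sni, now)
    new = select_newest_valid(BY_NAME, sni, now)
    return (old.path if old else None, new.path if new else None)


if __name__ == "__main__":
    for when in (at(2024, 3, 15), at(2024, 4, 15), at(2024, 5, 20), at(2024, 9, 1)):
        print(when.date(), "example.com", served_paths("example.com", when))
    print("www.example.com on 2024-03-15:",
          served_paths("www.example.com", at(2024, 3, 15)))
```

Two things the comparison makes visible. First, a cert with a not-before in the future is served by neither policy, so the "not-before" question only decides when a renewal takes over, not whether an unusable cert can be handed out. Second, the "reload once a day and let the old cert run out" scheme only works if the overlap between old and new validity is longer than the reload interval; with a short-lived certificate and a rare reload, the oldest-valid policy can still run out of certificates before the renewal is loaded, which is exactly the case in which a reload, not the selection policy, is what matters.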