I was reading this study Google published based on data collected from Chrome:
My main takeaway from it is that:
- We should consider renewing certificates around 3 months before they expire (for wikis / Tier 1 services.)
Reason being that in the case of disaster and we're unable to look after the servers for a while or if problems arise with the certificate authority, it'd be nice to have some leeway before audiences are affected and making content inaccessible.
- We should make sure that at least 24 hours pass before actively using a newly issued certificate (unless it's a disaster recovery).
Reason being that clock skew is not uncommon and 24h is amble buffer to accomodate 93.3% of clients. Looking at the shape of the graph in detail, the tipping point where the percentage of users still rises significantly before becoming flat, waiting 4-5 days would get us 94% of the remaining, which amounts to 99.6% (=93.3+(6.7*0.94)).
After 24h, browsers can reasonably detect the issue and alert the user of it. Although if we can, I suppose we could aim to wait 5 days by default.
Thoughts? What is our current process?