Sometimes it's required to break the rules - and to change these

I don't think there is a way back to only paid certificates. That time is over.

And there (via 2020.02.29 CAA Rechecking Bug - #4 by jsha)

@jsha announces such a new protocol:

Therefore, our conclusion is that we need to develop a protocol to notify Subscribers' systems of imminent certificate revocation, so those Subscribers can automate the process of replacing affected certificates before the deadline. We plan to design this protocol publicly, in collaboration with the PKI community, so that any CA and any Subscriber can implement it. We will also collaborate directly with popular ACME clients to integrate and test such automated replacement.

If such a solution is deployed, it's no longer a problem to revoke a lot of certificates in 5 days.

2 Likes