Unused certificates



Continuing the discussion from Pros and cons of 90-day certificate lifetimes:

To clarify this a little bit: When I talk about unused certificates, the main category I am thinking of is certificates that were issued multiple times for the same names and then discarded. We see some of this already in the list of issued certs. To some extent this is natural behavior: if a client does automatic issuance but fails in some way, people will re-run it. There’s some work we can do on the official client to make this less common: e.g., make the client smarter about reusing existing certificates if available. But to some extent these abandoned certificates will always exist.

It’s also possible I’m being over-cautious, and the number of abandoned certificates will never be high enough to have any impact on capacity. But, as in many things: better to start out cautious, and expand judiciously.