Comment by ensocode
I’m maintaining a server with Let’s Encrypt certs for a B2B integration platform. Some partner systems still can’t just pin the CA and instead require a manual certificate update on their side. So every 90 days we do the same email ping-pong to get them to install the new cert — and now that window is getting cut in half.
Hopefully their software stack will be able to automate this by 2028.
CAs are gonna start rotating more frequently soon, and you may even see randomisation. Pinning to public certs is a real no-no.