On Wed, Apr 16, 2014 at 12:35:23PM CEST, Joel Rees <joel.rees@gmail.com> said:Some do, however only ther certificate expires, not the keys...
>
> For those who are getting excited, don't. Take the time to understand the
> whole process, and the reason certificates and cryptographic tokens should
> be rotated, and how you go about doing it. (They should be rotated anyway,
> and if you don't, well, it's time to start leaning how, and this is as good
> a reason as any.)
>
> Incidentally, nobody does it right yet, not even the banks. In my way of
> thinking, that's a bigger problem than being able to reach blindly into a
> server's memory.
Thus many of those who rotate the certificate just issue a new one
with existing key, just changing the dates and signing.
And that's bad.