I misremembered that the durations are measured in hours, not days.
But actually 28 hours isn't enough, because hosts refresh their cache
of the certificate store at different times of night: we must have the
new certificates ready for the early risers, and the old ones must
still be valid until the time that the late risers are done.
extensions tls-client-extensions
issue-time "*-*-* 03:00:00"
start-skew 1
- expire-interval 2
+ expire-interval 32
}
set P(tls-server) {
extensions tls-server-extensions
issue-time "*-*-* 03:00:00"
start-skew 1
- expire-interval 2
+ expire-interval 32
}
proc update-hook {} {
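Review bot: In both the tls-client and tls-server blocks, the new `expire-interval 32` is a bare number with no unit or derivation beside it, and the commit message shows the unit was already misremembered once. Add a comment on those lines stating that the value is in hours and how 32 follows from the daily `issue-time "*-*-* 03:00:00"` plus the span over which hosts refresh their certificate cache. Since the two blocks carry the same value, consider defining it once in a shared variable so they cannot drift apart.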