I misremembered that the durations are measured in hours, not days.
But actually 28 hours isn't enough, because hosts refresh their cache
of the certificate store at different times of night: we must have the
new certificates ready for the early risers, and the old ones must
still be valid until the time that the late risers are done.
extensions tls-client-extensions
issue-time "*-*-* 03:00:00"
start-skew 1
extensions tls-client-extensions
issue-time "*-*-* 03:00:00"
start-skew 1
}
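Review bot: `start-skew 1` in the tls-client profile carries no unit, and the commit message says the hours-versus-days unit was already misremembered once. Add a comment beside the duration settings stating that they are measured in hours, so a later edit does not repeat the mistake.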
set P(tls-server) {
extensions tls-server-extensions
issue-time "*-*-* 03:00:00"
start-skew 1
}
set P(tls-server) {
extensions tls-server-extensions
issue-time "*-*-* 03:00:00"
start-skew 1
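Review bot: the tls-server profile pins issuance to `issue-time "*-*-* 03:00:00"`, but nothing beside it records the earliest and latest times at which hosts refresh their certificate store, which is what the commit message says the lifetime has to cover. Add a comment giving that refresh window, so the lifetime can be checked against the issue time plus the window rather than against a remembered figure.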