Hi Sam,

Thanks for your comment. Bear in mind that one of the good things about Nebula Certs is that you can combine several of them into the same config file, and “just” issue a kill -HUP on the nebula process in question to reload the config.

So, after half the life of the CA cert (e.g. 6 months) you’d create a new CA cert, and build new client certs using the new CA cert… Of course, this relies on minting certs at your CA, rather than minting them on-device and then signing them at the CA.

If you come up with some sort of Let's Encrypt style plan, I’m sure that the team over at Defined Networking would appreciate some ideas :)
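The overlap-style CA rotation described in the reply above, as an added example that is not part of the original thread and is not code from Defined Networking. It assumes the daemon reads its trusted CAs from the file named by `pki.ca` in the Nebula config (which may hold several PEM blocks), re-reads that file on SIGHUP, and that the pidfile path and the CA/host names are ours to choose. The `nebula-cert` invocations appear only in comments, since they need the real tool and a running daemon.

```shell
#!/bin/sh
# Added example: bundle management for a two-CA overlap rotation in Nebula.
# Assumptions (illustrative, not from the post): pki.ca points at the bundle,
# the daemon reloads it on SIGHUP, /run/nebula.pid holds the daemon's pid.
set -eu

PEM_BEGIN='-----BEGIN NEBULA CERTIFICATE-----'

# count_cas BUNDLE: number of certificate blocks in a bundle (0 if absent).
count_cas() {
    if [ -f "$1" ]; then
        grep -c -- "$PEM_BEGIN" "$1" || true
    else
        echo 0
    fi
}

# write_ca_bundle OUT CA_FILE...: rebuild the trust bundle from exactly the
# CA files given. The write is atomic (temp file + mv) so a HUP that races
# with the rewrite never makes the daemon read a torn bundle.
write_ca_bundle() {
    out=$1; shift
    tmp="$out.tmp.$$"
    : > "$tmp"
    for ca in "$@"; do
        if ! grep -q -- "$PEM_BEGIN" "$ca"; then
            echo "refusing $ca: not a Nebula certificate" >&2
            rm -f "$tmp"
            return 1
        fi
        cat "$ca" >> "$tmp"
    done
    chmod 0644 "$tmp"
    mv "$tmp" "$out"
}

# reload_nebula PIDFILE: ask the running daemon to re-read its config.
reload_nebula() {
    pid=$(cat "$1" 2>/dev/null) || return 1
    kill -HUP "$pid"
}

# Rotation walk-through (not executed here; names and paths are made up):
#
#  1. At the halfway point of the current CA's life, mint its successor:
#       nebula-cert ca -name "corp-ca-2" -out-crt new-ca.crt -out-key new-ca.key
#  2. Trust BOTH CAs on every node before any host cert changes, then reload:
#       write_ca_bundle /etc/nebula/ca.crt old-ca.crt new-ca.crt
#       reload_nebula /run/nebula.pid
#  3. Re-sign each host against the new CA, install the new host.crt/host.key,
#     and reload that host:
#       nebula-cert sign -name "host1" -ip "10.10.0.1/24" \
#           -ca-crt new-ca.crt -ca-key new-ca.key \
#           -out-crt host1.crt -out-key host1.key
#       reload_nebula /run/nebula.pid
#  4. Only once no host still presents an old-CA cert, drop the old CA
#     everywhere and reload again:
#       write_ca_bundle /etc/nebula/ca.crt new-ca.crt
#       reload_nebula /run/nebula.pid
```

The order matters: step 4 before step 3 is complete cuts off every host that still holds an old-CA cert, which is why the bundle is rebuilt from an explicit list of CA files rather than edited in place.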