Vermote: Beyond this Entrust case, there is a trend in the public trust chain to shorten the validity of certificates. Previously certificates would be good for five years, but they are moving toward 90 days in the foreseeable future. That’s bringing automation into the discussion.
In the last few years we saw the introduction of the automated certificate management environment (ACME) protocol for automating issuance and updating of certificates. ACME allows you, through tooling, to automatically manage and renew certificates. In this case you just need a link with a CA and it will issue, renew, and/or re-issue the certificate. If you want or need to switch the CA, you just change the config, and automation gets you another certificate from another CA.
But where things are much more complicated is when you have a need for certificates with higher levels of identity assurance. The higher-level certificates rely on manual processes like presenting identity documents, signing agreements, providing company documents, etc. In those cases, if something happens with the CA you need multiple people involved, and often a notary. So, it’s smart to always validate with two certificate authorities to create redundancy.