But a (public key) certificate is not a public key. A cert is a public key A (to private key a), signed by another key b, of which public key B is known. To rotate a cert means resigning the public key A (which is still derived from the same private key a).
Ah, so basically just renewing before it's due, that makes sense. For some reason it didn't occur to me that rotate could mean that too.
This does still leave the problem of the old certs being valid though. This only makes sense as a security practice if the certs are short-lived, which theirs apparently weren't. If the certs live much longer than the rotation window, this really is just security theatre.
I do think thaumasiotes has a point and GP's company probably misinterpreted the rotation requirements and short lifespans were implied in the requirement.
> If the certs live much longer than the rotation window, this really is just security theatre.
That's very true.
> and GP's company probably misinterpreted the rotation requirements and short lifespans were implied in the requirement.
Or GP didn't know that the company was indeed using short expiration times, and somehow confused it with certificate revocation (called "cancelled" in the post).
Edit: relevant, especially flow2k's answer, which explains why this is _not_ just security theater https://security.stackexchange.com/questions/85963/what-is-t...