> I would think at this point they would be their own major certificate authority and maybe domain registrar.
From experience this probably wouldn't fix things.
What often happens is that somebody creates a system that uses a certificate, doesn’t automate renewal, and then the person responsible for renewing it changes teams or leaves the company. Email reminders only go so far—they not only need to go into the right inbox, but the person watching that inbox has to care.
My last domain expiration outage happened like that.
If it's in production, just buy a 10 year cert. This virtually guarantees an outage after 10 years but virtually guarantees it won't be your fault when it happens...
New certificates in the Web PKI ("SSL certificates") have a maximum lifespan of 825 days. This is enforced (if a CA were to issue a certificate with a longer lifespan Chrome for example would just treat this certificate as invalid). The commercial CAs mostly offer one year or two years, with renewals using the 825 day limit to offer renewals in the overlap, so e.g. you buy two years in June 2018, in April 2020 you can pay for two year renewal and the new certificate expires in June 2022 not April 2022.
If you're using certificates in your own PKI (as it's likely Microsoft actually was in this particular incident) then there's no need to buy them and it's up to you what your appetite for risk is on when they expire.
My approach is the opposite. For production certs, I buy them with the minimum length (usually 1 year). This exposes problems in our automation sooner, and keeps the process more fresh in our minds.
I really like that Let’s Encrypt certificates last only 90 days.
That said, the CYA aspect of “10 years, somebody else’s problem” is really appealing. If only I believed that it wouldn’t be my ass on the line 10 years from now!
I would think at this point they would be their own major certificate authority and maybe domain registrar.