A month's notice to allow for 'graceful switching' of CAs is overly optimistic.
We have some certificates for which we have to start the renewal process 2-3 months out, because we have a lot of alternate names for domains we don't (directly) control (white-labelled service).
Thankfully we don't use WoSign for any of our certificates, but if it were, say, Symantec or someone else that got into trouble? Thirty days isn't enough time.
A thirty-day notice that nothing would be issued after the date, and a 6-month migration period, would be more like a graceful exit period. Still a stressful period, but less utterly panic-inducing.
Yeah, this has always seemed to me like a good idea, and a profit opportunity for the CAs. All the CAs get to spread FUD about each other being blacklisted, and claim that it's best practice to get two certs from different CAs (with different actual root certs, not just different resellers). Even the Let's Encrypt users will keep a fancy wildcard in their back pocket.
If you issue them from the same CSR / key, you can even configure your web server to send both certs in the certificate chain, and most clients will figure out which one they trust without requiring manual intervention by the site operator.
Doubling the cost and difficulty of CA management for a once-in-a... well... we haven't yet had a major CA killed in the decades that CAs have been around.
If CAs were being killed every few months, then that would be a reasonable thing to do - but not for such a rare occurrence.