That sounds like a lot of extra steps. How do I validate the authenticity of a signing request? Should my signing machine be able to challenge the requester? (This means that the CA key is on a machine with network access!!)
Replacing the distribution of a revocation list with short-lived certificates just creates other problems that are not easier to solve. (Also, 1h is bonkers, even letsencrypt doesn't do it)
It's a very rare race condition, odds are very low that you were impacted. If you were, you would have noticed (heavy builds with files being moved around where suddenly files are zero).
FWIW, when entering my CPGE [0] in France, our math teacher asked we forget everything about math except: natural numbers (0, 1, etc.), addition and multiplication. Everything needed to be scraped and "taught correctly", and it took only 2 years to get back up to speed (the entire program for the school year is available (in French): https://prepas.org/ups.php?entree=programmes).
Math is incredibly simple to build from scratch (as in: doesn't require a ton of knowledge) [1]. How long it takes for it to "click" though is another matter: I've had a very hard time with calculus and basic logic in first year, and thoroughly failed my second year.
I don't have a book to recommend though (everything was taught in class, no textbook); though I remember vaguely some books that others here do recommend.
I do it differently on my own DNS ad blocker: it returns the IP of my "happy" webserver that always returns `204 No Content`, whatever query you send to it. Of course, there's still the issue of https failing, but I've never had any performance issues - much more the opposite actually.
Replacing the distribution of a revocation list with short-lived certificates just creates other problems that are not easier to solve. (Also, 1h is bonkers, even letsencrypt doesn't do it)