I like that idea. Then after it is fixed or while it is being fixed, a promoted page explaining what happened, and when full recovery is expected. I know you're all busy, but I think Luke's idea is good.

This allows that CDN to replace that page if they are malicious with a login form and steal keys. Do you wish to take that risk?

Also, we use HSTS and they would have to have some valid TLS keys, as well, which would let them MITM traffic even when we aren’t down.

There is a lot of cost/benefit to these sorts of things. We’re just going to focus on not going down in the future.

This allows that CDN to replace that page if they are malicious with a login form and steal keys.

That's a bit paranoid, IMO. You're using Amazon Web Services already, right? Do you trust them? CDN and DNS providers do introduce risk, sure, but that's part of being a professional company on the Internet. If you can't trust your service providers, you have the wrong service providers.

I'm somewhat familiar with the risks. Running FoxyCart for the last 10 years, we've processed over a billion dollars in credit card transactions. There will always be risks when dealing with TLS; you have to trust the service providers you use and be quick to change things if needed. Again, this is part of how the Internet works today. I'm not telling you anything new. You have to trust someone.

If the alternative is your business being offline for 10+ hours... well, just don't miss the forest for the trees.

"Not going down in the future" is quite a tough task. Good luck. I really hope you succeed in that, but given the current structure of the Internet, I find that difficult to do without global redundancy through a major CDN provider.