Instead of POSTing to the renewalInfo endpoint indicating that a certificate has been replaced, simply include the unique identifier of the previous certificate in the newOrder request. This has multiple advantages:
- the client doesn't have to make additional requests, just the ones it would normally make
- the CA knows which new order is a renewal, and whether that new order is taking place during the ARI suggested window
- the CA can use this info to bypass rate limits, revoke replaced certs during an incident, and track renewal rate metrics
This has one disadvantage:
notice of replacement happens at the same time as renewal, rather than sometime thereafter, meaning there may be a gap between when the replacement certificate has been issued and when it has been provisioned and is truly usable. But this gap is only relevant in one context (when the CA is conducting mass revocations), in which case the replaced cert is going to be revoked sooner or later anyway, and continuity of service is provided on a best-effort basis.
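As an added example (not part of the original proposal), a Python sketch of both sides of this exchange: the client derives the previous certificate's unique identifier and places it in the newOrder body, and the CA uses it to tell that the order is a renewal, whether it falls inside the suggested window, and to record the replacement for later revocation or rate-limit decisions. The field name `replaces` and the identifier format (AKI keyIdentifier and DER serial octets, base64url, dot-separated) follow the later ARI draft rather than this text; the CA registry, the once-only rule, the window-based rate-limit policy and all sample values are constructed.

```python
import base64
from dataclasses import dataclass
from datetime import datetime


def b64url(raw: bytes) -> str:
    """base64url without padding, as ACME encodes every binary field."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def der_integer_bytes(value: int) -> bytes:
    """Content octets of a DER INTEGER: minimal big-endian two's complement, so a
    serial whose top bit is set keeps a leading 0x00 (0x87654321 -> 00 87 65 43 21)."""
    return value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True)


def ari_cert_id(aki_key_id: bytes, serial: int) -> str:
    """Unique certificate id: base64url(AKI keyIdentifier) '.' base64url(serial octets)."""
    return f"{b64url(aki_key_id)}.{b64url(der_integer_bytes(serial))}"


def new_order_payload(dns_names: list, replaces: str = "") -> dict:
    """newOrder body; the optional 'replaces' field names the certificate being renewed."""
    payload = {"identifiers": [{"type": "dns", "value": n} for n in dns_names]}
    if replaces:
        payload["replaces"] = replaces
    return payload


@dataclass
class IssuedCert:
    """CA-side record of a certificate it issued (constructed for this example)."""
    window_start: datetime  # ARI suggested renewal window
    window_end: datetime
    replaced: bool = False


def evaluate_replacement(registry: dict, order: dict, now: datetime) -> dict:
    """CA-side view of a newOrder: is it a renewal, is it inside the suggested window,
    and (this example's policy) may it bypass rate limits. Raises on ids it cannot accept."""
    cert_id = order.get("replaces")
    if cert_id is None:
        return {"renewal": False, "in_window": False, "rate_limit_exempt": False}
    prior = registry.get(cert_id)
    if prior is None:
        raise ValueError("replaces names a certificate this CA did not issue")
    if prior.replaced:
        # Accept each id once: otherwise one old certificate is a reusable rate-limit bypass.
        raise ValueError("certificate already marked as replaced")
    prior.replaced = True  # the record used to revoke replaced certs during an incident
    in_window = prior.window_start <= now <= prior.window_end
    return {"renewal": True, "in_window": in_window, "rate_limit_exempt": in_window}
```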