- Type: Task
- Resolution: Won't Do
- Priority: Major - P3
- Affects Version/s: None
- Component/s: None
- Server Security
- Security 2024-08-19, Security 2024-09-02

When rotating certificates, the call to SSLManagerInterface::stapleOCSPResponse() on a temporary SSLManagerInterface instance implicitly starts a periodic fetch and staple job, in addition to performing the initial fetch and staple itself. Unless the initial fetch and staple succeeds in obtaining a valid response, there is no need to start a periodic fetch and staple thread as it will only get shut down as soon as the SSLConnectionContext associated with it is deleted upon return of an error in AsioTransportLayer::_createSSLContext(). The current way this works is also prone to issues like the one seen in BF-34360. A cleaner way would be to start the periodic OCSP fetcher via a separate API call (e.g. SSLManagerInterface::startJobs()) that will be invoked only when the global SSLManagerInterface can be safely replaced by the temporary SSLManagerInterface during rotate.
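
The separation proposed above, sketched as an added example that is not MongoDB's code. `ToySSLManager`, `rotate()`, `globalManager` and the `threadsStarted` counter are hypothetical; only the method names `stapleOCSPResponse()` and `startJobs()` come from the ticket, and their bodies here are assumptions.

```cpp
#include <atomic>
#include <chrono>
#include <condition_variable>
#include <functional>
#include <memory>
#include <mutex>
#include <thread>

// Toy stand-in for the TLS manager; names mirror the ticket, bodies are assumed.
class ToySSLManager {
public:
    explicit ToySSLManager(std::function<bool()> fetch) : _fetch(std::move(fetch)) {}
    ~ToySSLManager() { stopJobs(); }
    // Initial fetch and staple only; never spawns a thread.
    bool stapleOCSPResponse() { return _stapled = _fetch(); }
    // Separate call: periodic refresh starts only once this manager is live.
    void startJobs() {
        if (!_stapled || _job.joinable()) return;
        ++threadsStarted;
        _job = std::thread([this] {
            std::unique_lock<std::mutex> lk(_m);
            while (!_cv.wait_for(lk, std::chrono::milliseconds(50), [this] { return _stop; }))
                _fetch();  // periodic re-fetch until asked to stop
        });
    }
    void stopJobs() {
        { std::lock_guard<std::mutex> lk(_m); _stop = true; }
        _cv.notify_all();
        if (_job.joinable()) _job.join();  // joined by the owning thread
    }
    static std::atomic<int> threadsStarted;  // instrumentation for the example
private:
    std::function<bool()> _fetch;
    bool _stapled = false, _stop = false;
    std::mutex _m;
    std::condition_variable _cv;
    std::thread _job;
};
std::atomic<int> ToySSLManager::threadsStarted{0};
std::unique_ptr<ToySSLManager> globalManager;  // stand-in for the global manager
// Rotation: staple on a temporary; swap and start jobs only on success.
bool rotate(std::function<bool()> fetch) {
    auto tmp = std::make_unique<ToySSLManager>(std::move(fetch));
    if (!tmp->stapleOCSPResponse()) return false;  // no thread exists to tear down
    globalManager = std::move(tmp);  // previous manager's job is stopped and joined
    globalManager->startJobs();
    return true;
}
int main() { return rotate([] { return true; }) ? 0 : 1; }
```

A failed rotation leaves the previously installed manager and its refresher untouched, and the temporary is destroyed without ever having owned a thread.
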

- is related to: SERVER-93130 Fix server crash caused by the OCSP periodic fetcher thread calling join() on itself (Closed)
- related to: SERVER-95192 Complete TODO listed in SERVER-93207 (Closed)