Score:17

Does issuing an SSL certificate at a new company immediately invalidate the certificates on our servers?


We have a wildcard certificate issued by GoDaddy coming up for renewal, and I would like to use a different company (which is yet to be chosen). The wildcard certificate is in use at a dozen sites across a few servers. There will be a gap of a few hours between the certificate being issued at the new authority and when we can install the certificate on all those sites & servers. During that gap, will our users notice anything, e.g.,

  1. "Site is insecure" type of warning
  2. Outright failure of the site to work (they are Windows/IIS sites).

I am wondering if, for instance, the new authority issues something to GoDaddy that makes GoDaddy revoke our certificate that they have on file. Or will a web browser find the installed certificate mismatching the newly issued certificate and cause a problem?

Score:29

A certificate will be valid as long as the system date that verifies the domain is between its validity not-before and not-after dates, all other certificates in the chain are valid, and the issuer has not taken action to revoke the certificate by means of CRL or OCSP options at their disposal (most commonly due to counterfeit or security issues such as a private key that becomes compromised). Obviously, the domain has to match. Issuing a new one will not affect that.

You can actually request the new certificate before the expiration date of the current and start changing certificates ahead of that point in time so that there is the smallest disruption possible in services. If you wait for expiration in order to proceed with the renewal, the services will show the insecure note if not blocked completely by security settings on browsers like HSTS or other security mechanisms.

Automation tools related to certificate renewal like acme.sh or the Let's Encrypt module in WHM do their job usually 1 month ahead of expiration so that caching and other functionality doesn't impact the renewal process either.

jcaron: The first paragraph is incomplete. A certificate may also become invalid due to CRL or OCSP checks. Won't happen in this situation, though, so the conclusion remains correct that OP can go ahead and order the new certificate and the old one will remain valid.

royappa: Accepting this answer because of the detailed explanation compared to the one from TomTom, but obviously appreciate that one as well, and the input from @jcaron here.

David Mora: Of course, revocation is also a reason for invalidity. I just went with reasons that invalidate a certificate when no action is taken and time just passes by. I will add those two and have a much more complete source of information. Thanks, @jcaron

Requesting a new certificate early is not only possible, it’s the industry norm. There’s a reason that you generally hear about it when a certificate lapses on a big site, and it’s because sensible admins renew their certificates early whenever possible (aside from ensuring minimal downtime just for the renewal itself, you also minimize the possibility of downtime resulting from issues with renewing the certificate).
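The checks the answer lists (validity window, chain to a trusted root, name match) can be exercised end to end against the exact scenario in the question. The Go program below is an added example, not code from the original post or from any CA: it builds two constructed, in-memory roots standing in for the old and the new CA, has each issue a wildcard certificate for the placeholder name `*.example.com`, and then verifies both during the installation gap. All names in it (`issue`, `makeRoot`, `issueWildcard`, `verifies`, `Outcome`, `RunScenario`, the CA names and serial numbers) are this example's own assumptions; revocation (CRL/OCSP) is deliberately not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a fresh key for tmpl and has parentKey sign it; with a nil
// parentKey the certificate is self-signed (the root case). These steps only
// fail if the system RNG is unavailable, so the example simply panics.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parentKey == nil {
		parentKey = key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// makeRoot builds a self-signed root for a constructed, in-memory CA
// (placeholder names, not GoDaddy or any other real CA).
func makeRoot(name string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return issue(tmpl, tmpl, nil)
}

// issueWildcard has a root sign a server certificate for the placeholder name
// *.example.com, bound to a fresh key as a CSR-based issuance would be.
func issueWildcard(root *x509.Certificate, rootKey *ecdsa.PrivateKey, serial int64, notBefore, notAfter time.Time) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		DNSNames:     []string{"*.example.com"},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	cert, _ := issue(tmpl, root, rootKey)
	return cert
}

// verifies applies the checks the answer lists: the clock lies within
// NotBefore..NotAfter, the chain reaches a trusted root, and the name matches.
func verifies(leaf, root *x509.Certificate, host string, at time.Time) bool {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: at})
	return err == nil
}

type Outcome struct {
	OldValidDuringGap      bool // old cert still verifies once the new one exists
	NewValidDuringGap      bool // new cert verifies as soon as it is issued
	OldValidAfterExpiry    bool // false: only time (or revocation) ends validity
	NewValidForOtherDomain bool // false: the name has to match
	NewValidUnderOldRoot   bool // false: each cert chains only to its own issuer
}

// RunScenario models the question: an existing wildcard cert from one CA, a
// replacement from a different CA, and a gap of a few hours before installation.
func RunScenario() Outcome {
	oldRoot, oldKey := makeRoot("Old CA (constructed)", 1)
	newRoot, newKey := makeRoot("New CA (constructed)", 2)
	now := time.Now()
	oldLeaf := issueWildcard(oldRoot, oldKey, 100, now.Add(-300*24*time.Hour), now.Add(30*24*time.Hour))
	newLeaf := issueWildcard(newRoot, newKey, 200, now.Add(-time.Minute), now.Add(365*24*time.Hour))
	gap := now.Add(2 * time.Hour) // new cert issued, old one still installed everywhere
	return Outcome{
		OldValidDuringGap:      verifies(oldLeaf, oldRoot, "www.example.com", gap),
		NewValidDuringGap:      verifies(newLeaf, newRoot, "www.example.com", gap),
		OldValidAfterExpiry:    verifies(oldLeaf, oldRoot, "www.example.com", now.Add(31*24*time.Hour)),
		NewValidForOtherDomain: verifies(newLeaf, newRoot, "www.example.org", gap),
		NewValidUnderOldRoot:   verifies(newLeaf, oldRoot, "www.example.com", gap),
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

Run it with `go run` and the printed `Outcome` shows the old certificate and the new one both verifying while the old one is still installed; the only things that make the old certificate stop verifying in this model are the clock passing its not-after date, a name that does not match, or a chain that does not reach the issuer a client trusts. Nothing the new CA does appears in any of those checks, which is the point of the answer.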
Score:21

No, getting a new certificate from another CA is absolutely unrelated to the old certificate.
