Renew vs. new purchase of SSL wildcard certificate
As far as I know the majority (all maybe?) of the SSL providers do not add the old certificate to a Certificate Revocation List nor will they respond negatively to an OCSP request when a certificate renewal is requested. In other words, the current certificate will remain valid and you have until the time it expires to roll out the new certificate, regardless of whether you renew or buy a new certificate.
If you purchase, for instance, a 2-year renewal, typically the new certificate will be valid until old expiry date + 2 years.
If you buy a new certificate valid for two years, it will remain valid until today + 2 years, and you'll have less value from the new certificate.
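The answer above says the old certificate stays valid until you replace it, so the practical risk during the rollout described in the question is losing track of which of the dozen servers still present the old one. As an added example (not from the original post and not GoDaddy's tooling), this standard-library Python probe records the SHA-256 fingerprint each host serves and compares it with the new certificate's fingerprint; the hostnames and the `new-wildcard.crt` path are placeholders you would replace.

```python
"""Inventory which hosts still present the old wildcard certificate during a rollout."""
import hashlib
import socket
import ssl

# Placeholder inventory (assumption): replace with the servers you actually run.
HOSTS = [("web1.example.com", 443), ("web2.example.com", 443), ("mail.example.com", 993)]


def fingerprint_sha256(der_bytes: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form `openssl x509 -fingerprint -sha256` prints."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_leaf_cert(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Return the DER-encoded leaf certificate the server presents for `host` via SNI."""
    ctx = ssl.create_default_context()
    # This probe only records which certificate is served, so it must not fail
    # when the chain does not verify; it is never used to trust the connection.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def classify_hosts(served: dict, new_fingerprint: str) -> dict:
    """Split hosts into those already serving the new cert and those still pending.
    `served` maps "host:port" to the observed fingerprint (None if unreachable)."""
    done = sorted(k for k, fp in served.items() if fp == new_fingerprint)
    pending = sorted(k for k, fp in served.items() if fp != new_fingerprint)
    return {"done": done, "pending": pending}


def survey(hosts, new_cert_der: bytes) -> dict:
    """Probe every host and report which ones still need the new certificate installed."""
    expected = fingerprint_sha256(new_cert_der)
    served = {}
    for host, port in hosts:
        try:
            served[f"{host}:{port}"] = fingerprint_sha256(fetch_leaf_cert(host, port))
        except OSError:  # ssl.SSLError is a subclass; unreachable is reported as pending
            served[f"{host}:{port}"] = None
    return classify_hosts(served, expected)


if __name__ == "__main__":
    with open("new-wildcard.crt", "rb") as f:  # path is an assumption
        report = survey(HOSTS, ssl.PEM_cert_to_DER_cert(f.read().decode()))
    for state, names in report.items():
        print(state, ", ".join(names) or "(none)")
```

Run it once after each server is switched over; a host whose fingerprint never changes is the one that will break when the old certificate finally expires or is revoked.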
DuncanMack
Updated on September 18, 2022
Comments
-
DuncanMack over 1 year
I have an existing SSL wildcard certificate at GoDaddy that expires in a few months. Traditionally we would renew this certificate and, in doing so, begin the countdown towards the existing certificate becoming invalid (72 hours according to the rep on the phone).
I was told that I could, instead, simply buy a totally new certificate and thereby take my time installing it. The caveat, apparently, is that the purchase has to be coordinated by a support rep so that it doesn't come into the system as a renewal.
Will this approach work? Does someone have experience with this? We use the certificate on a dozen servers across several platforms, so the goal here is simplifying this process as much as possible.
-
joeqwerty over 9 years
Why would you renew the certificate and not apply it immediately (or relatively immediately)? Why would you wait 72 hours or more? If you're going to renew it then that implies that you're going to apply it as soon as possible and are ready to apply it to all relevant systems. Additionally, whether you renew it or get a new cert, the process is largely the same, so I don't see how your proposed solution simplifies the process in the least bit.
-
DuncanMack over 9 years
The thought was to avoid the 72-hour clock. Yes, if everything goes fine, then 72 hours is not a problem. But I'm hoping to avoid frantic Googling from a hiccup when converting PFX to PEM files, importing to various web servers and other systems, etc. Murphy's Law seems to kick in as soon as there's a hard stop.
-
Dolan Antenucci over 8 years
FWIW, the other advantage to a new certificate with GoDaddy is that it may save the purchaser money. As of today, GoDaddy charges $39.99/year for new certs and $69.99/year for renewals. This, of course, may vary depending on current sales.
-
DuncanMack over 9 years
Having just spoken with another rep, they affirmed what you're saying @HBruijn. I have pinged the original rep who told me otherwise to see why there was a discrepancy in their answers. Stay tuned.
-
DuncanMack over 9 years
To clarify, the renewal is instant. I'm concerned about when the old certificate becomes invalid.
-
DuncanMack about 9 years
OK, I was pointed to this documentation which states that there is a 72-hour window after re-keying a cert (which would be part of the renewal process) after which the old certificate is revoked. Relevant blurb from the article: "By creating a new private key, you invalidate your certificate's old private key; this means you must install your new, re-keyed certificate within 72 hours of re-keying."