I've a question regarding https certificate changes. Does anyone know any side-effects to changing the certificate, one signed with RSASHA1 to one signed with RSASHA256 for ex, while users already have established secure channels with the old certificate?
I imagine new users, that are just establishing their secure channels, would just pickup the new certificate, and perform key exchange using its public key, but what about users that already have their SSL handshake and key exchange performed with the old one, and for some reason their secure channel needs to be re-established, and the new one is picked up. During the re-establishment is it practically a whole new SSL handshake, with no dependency on the old one?
Also, I've a smaller question regarding certificate pinning. If the new certificate is signed with a different algorithm (RSASHA256 in my example), is the certificate pinning process the same on all clients (browsers)? What I'm, particularly curious is, will the pinning of the root certificate, which I'm assuming is new and hasn't been pinned out-of-band, ask for any user involvement? Or will it always be done automatically, with no awareness from the user of the browser? And how much of risk is this, if the certificate pinning process is tainted with a man-in-the-middle attack?
