2

My RapidSSL Certificate is about to expire and I need to renew it. From what I understand, I can use the existing signature (less secure) or generate a new request. In either case, once I install the new key, is there any chance that browsers will display a warning or error message to users saying that the SSL cert has changed?

Also, I have some automated programs that SFTP information to my server every morning. Will they get a message that the server's signature has changed and need to manually accept it?

Thanks

  • Actually it looks like they have a new vendor. I can get a Comodo PositiveSSL cert OR a GeoTrust RapidSSL for the same price? Any ideas about which would work better? Also, if I end up changing to a different Cert issuer, any problems with browser warnings? –  Jul 02 '10 at 13:41
  • SFTP has nothing to do with SSL, maybe you're thinking FTPS? – Chris S Jul 02 '10 at 15:27

2 Answers

1

1) The browsers won't balk at the new certificate as long as it's signed by a trusted authority, so if you buy it from one of the regular channels, or sign it using an in-house CA that your browsers trust, then you're fine.

2) sftp deals with the certificates that are part of the SSL/SSH subsystem, not the apache certificates, so it will be unaffected.

Matt Simmons
0

The only warnings users might get are if your new cert has a begin date before you start using it or if they have set a security exception for that particular cert (possible if they don't trust the RapidSSL root cert). Otherwise I'd just get a new cert using the old private key, install it, and call it a day.

I haven't dealt with RapidSSL before, but every other cert vendor I have dealt with sets the begin date to the moment the cert is issued. The end date is either X years after the begin date, or X years after the old expiry date if you're renewing.

Chris S
  • Just to confirm, since I am not changing the SSL issuer (same company), if it worked before without problems, it will work now without problems? (assuming I install immediately when I get it.) –  Jul 02 '10 at 13:35
  • @Joshua: It does not matter what changes and what doesn't. The only thing that does matter is the validity/expiration dates. – user1686 Jul 02 '10 at 14:31
  • Correct, if it worked before, popping in a renewed cert will seamlessly extend the expiry. – Chris S Jul 02 '10 at 15:28
  • Comment that wasn't true when this was answered but in case anyone finds this nowish: Chrome is supposed to pop up a warning if you have a certificate that expires after the end of this year and either the cert and/or the CA intermediate cert were signed with SHA1 (vs SHA256 etc.). So, if you had a cert that was SHA1 signed that expired say 1 October, 2015, that cert wouldn't get a sunset warning from Chrome, but if your reissued cert that expires 1 October 2016 is signed with SHA1, that will. – Foon Oct 05 '15 at 02:45
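
A pre-install check for the renewal discussed in the answers above, as an added example that is not part of the original thread: it confirms that the renewed certificate matches the private key already on the server, that its validity window has started and not ended, and that it is not signed with SHA-1. It assumes the `openssl` CLI and GNU `date`; the function name `check_renewed_cert` and the `crc_` variables are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: pre-install checks for a renewed certificate.
# Assumes the openssl CLI and GNU date; check_renewed_cert is a made-up name.
# Returns 0 when every check passes, 1 otherwise.
# Usage: check_renewed_cert renewed-cert.pem existing-key.pem

check_renewed_cert() {
    crc_cert=$1; crc_key=$2; crc_rc=0

    # 1. Renewal with the old private key: the public key embedded in the
    #    certificate must equal the one derived from the key on the server.
    crc_cert_pub=$(openssl x509 -in "$crc_cert" -noout -pubkey 2>/dev/null)
    crc_key_pub=$(openssl pkey -in "$crc_key" -pubout 2>/dev/null)
    if [ -z "$crc_cert_pub" ] || [ "$crc_cert_pub" != "$crc_key_pub" ]; then
        echo "FAIL: certificate does not match the private key"
        crc_rc=1
    fi

    # 2. Validity window: a begin date in the future or an end date in the
    #    past both produce browser warnings.
    crc_nb=$(openssl x509 -in "$crc_cert" -noout -startdate 2>/dev/null | cut -d= -f2)
    crc_nb_epoch=$(date -d "$crc_nb" +%s 2>/dev/null)
    if [ -z "$crc_nb_epoch" ] || [ "$(date +%s)" -lt "$crc_nb_epoch" ]; then
        echo "FAIL: certificate is not valid yet (notBefore=$crc_nb)"
        crc_rc=1
    fi
    if ! openssl x509 -in "$crc_cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL: certificate has already expired"
        crc_rc=1
    fi

    # 3. Signature algorithm: flag SHA-1, per the 2015 comment about Chrome.
    crc_sig=$(openssl x509 -in "$crc_cert" -noout -text 2>/dev/null \
        | grep -m1 'Signature Algorithm' | sed 's/.*: *//')
    case "$crc_sig" in
        *[Ss][Hh][Aa]1*) echo "FAIL: signed with $crc_sig"; crc_rc=1 ;;
    esac

    [ "$crc_rc" -eq 0 ] && echo "OK: $crc_cert passed all checks"
    return "$crc_rc"
}
```

The check covers only the leaf certificate; the intermediate certificates served alongside it can be run through the same signature-algorithm test.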