17

I used the "reissue certificate" functionality at an SSL certificate vendor (RapidSSL, FWIW) to get a new certificate - in doing so, I created and used a new private key and pass phrase.

Will the re-issuance of this certificate cause the previously-issued certificate to become invalid? If so, how long does that take?

RichVel
Cooper
  • 1
    If a certificate is re-issued, before I can update my servers will the users be affected by the invalidated certificate? – Coderama Apr 10 '14 at 00:19

2 Answers

9

Not automatically, for RapidSSL. For other vendors and/or certificate grades, it may be automatic.

RapidSSL don't automatically invalidate a certificate when it is re-issued, according to their Certificate Practice Statement. This would be a function of how much you pay for the certificate.

In section II.B.5 of the currently-google-able CPS:

GeoTrust will not revoke a Certificate previously issued following a refund or reissue request. A request for a refund or reissue of a Certificate will not be treated as a request by the Subscriber for revocation of a Certificate previously issued by GeoTrust unless the Subscriber follows the procedures for requesting revocation as stated at Section III.I. of this CPS.

In section III.I it says:

Certificate revocation is the process by which GeoTrust prematurely ends the Operational Period of a Certificate by posting the serial number of the Certificate to a Certificate Revocation List. A Subscriber shall inform GeoTrust and promptly request revocation of a Certificate:

  • whenever any of the information on the Certificate changes or becomes obsolete; or
  • whenever the Private Key, or the media holding the Private Key, associated with the Certificate is Compromised; or
  • upon a change in the ownership of a Subscriber's web server. Subscriber shall state the reason(s) for requesting revocation upon submitting the request.

Elsewhere it minimally promises that revoked certificates will be added to the CRL 'at least once a week'.

Reading the Certificate Practice Statement of any purchaser of SSL certificate services is a good thing for a buyer to do.

David Bullock
3

Yes, they will revoke the old certificate.

The way that SSL revocation works is that, inside the certificate, the vendor places a URL where the client (e.g. browser) should check if the certificate is still valid (called a CRL).

So there is no hard and fast answer to this, it depends on the client. In some cases, like this article, it suggests it won't be checked at all.

Jay
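The two answers above describe a CRL that only lists serials whose revocation was requested, and a CRL URL carried inside the certificate. The following is an added example, not code from either answer or from any CA. It models both with a throwaway CA and shows that a reissued certificate leaves the old serial unrevoked until a revocation request puts it on the CRL. It needs the third-party `cryptography` package; the CA name, hostname, serial numbers, CRL URL and dates are all constructed for the demo.

```python
# Added example; requires the third-party "cryptography" package.
# CA name, hostname, serials, CRL URL and dates are constructed for the demo.
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID

NOW = dt.datetime(2014, 4, 10)
CRL_URL = "http://crl.example.test/demo-ca.crl"
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Demo CA")])

def issue(ca_key, hostname, serial):
    """Issue a leaf certificate with a fresh key pair, as a reissue does."""
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    cdp = x509.CRLDistributionPoints([x509.DistributionPoint(
        full_name=[x509.UniformResourceIdentifier(CRL_URL)],
        relative_name=None, reasons=None, crl_issuer=None)])
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)]))
            .issuer_name(CA_NAME).public_key(leaf_key.public_key())
            .serial_number(serial).not_valid_before(NOW)
            .not_valid_after(NOW + dt.timedelta(days=365))
            .add_extension(cdp, critical=False)
            .sign(ca_key, hashes.SHA256()))

def publish_crl(ca_key, revoked_serials):
    """Sign a CRL listing only the serials whose revocation was requested."""
    builder = (x509.CertificateRevocationListBuilder().issuer_name(CA_NAME)
               .last_update(NOW).next_update(NOW + dt.timedelta(days=7)))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial)
            .revocation_date(NOW).build())
    return builder.sign(ca_key, hashes.SHA256())

def crl_urls(cert):
    """Return the CRL URLs embedded in the certificate."""
    ext = cert.extensions.get_extension_for_oid(ExtensionOID.CRL_DISTRIBUTION_POINTS)
    return [n.value for dp in ext.value for n in (dp.full_name or [])]

def is_revoked(cert, crl, ca_public_key):
    """A CRL-checking client: verify the CRL signature, then look up the serial."""
    if not crl.is_signature_valid(ca_public_key):
        raise ValueError("CRL signature does not verify against the CA key")
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None

def demo():
    ca_key = ec.generate_private_key(ec.SECP256R1())
    old, new = issue(ca_key, "www.example.test", 0x1001), issue(ca_key, "www.example.test", 0x1002)
    pub = ca_key.public_key()
    after_reissue = publish_crl(ca_key, [])                   # reissue alone
    after_request = publish_crl(ca_key, [old.serial_number])  # explicit revocation request
    return (is_revoked(old, after_reissue, pub), is_revoked(old, after_request, pub),
            is_revoked(new, after_request, pub), crl_urls(old))
```

A client that never fetches the CRL named in the certificate gets no answer from `is_revoked` at all, so it keeps accepting the old certificate in both cases.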