
I have an existing SSL wildcard certificate at GoDaddy that expires in a few months. Traditionally we would renew this certificate and, in doing so, begin the countdown towards the existing certificate becoming invalid (72 hours according to the rep on the phone).

I was told that I could, instead, simply buy a totally new certificate and thereby take my time installing it. The caveat, apparently, is that the purchase has to be coordinated by a support rep so that it doesn't come into the system as a renewal.

Will this approach work? Does someone have experience with this? We use the certificate on a dozen servers across several platforms, so the goal here is simplifying this process as much as possible.

MadHatter
DuncanMack
  • Why would you renew the certificate and not apply it immediately (or relatively immediately)? Why would you wait 72 hours or more? If you're going to renew it then that implies that you're going to apply it as soon as possible and are ready to apply it to all relevant systems. Additionally, whether you renew it or get a new cert, the process is largely the same, so I don't see how your proposed solution simplifies the process in the least bit. – joeqwerty Jan 28 '15 at 18:27
  • The thought was to avoid the 72 hour clock. Yes, if everything goes fine, then 72 hours is not a problem. But I'm hoping to avoid frantic Googling from a hiccup when converting PFX to PEM files, importing to various web servers and other systems, etc. Murphy's Law seems to kick in as soon as there's a hard stop. – DuncanMack Jan 28 '15 at 18:29
  • FWIW, the other advantage to a new certificate with GoDaddy is that it may save the purchaser money. As of today, GoDaddy charges $39.99/year for new certs and $69.99/year for renewals. This, of course, may vary depending on current sales. – Dolan Antenucci Dec 19 '15 at 13:52

2 Answers


As far as I know the majority (all maybe?) of the SSL providers do not add the old certificate to a Certificate Revocation List nor will they respond negatively to an OCSP request when a certificate renewal is requested. In other words, the current certificate will remain valid and you have until the time it expires to roll out the new certificate, regardless of whether you renew or buy a new certificate.

If you purchase for instance a 2-year renewal typically the new certificate will be valid until old expiry date + 2 years.

If you buy a new certificate valid for two years, it will remain valid until today + 2 years and you'll have less value from the new certificate.

HBruijn
  • That would seem like a logical way to do it, but my understanding is that GoDaddy does add the old certificate to the CRL after 72 hours. At least, that's what the rep told me. I'm having trouble identifying a source for this on their site, though. Perhaps someone else can confirm. – DuncanMack Jan 28 '15 at 18:37
  • Having just spoken with another rep, they affirmed what you're saying @HBruijn. I have pinged the original rep who told me otherwise to see why there was a discrepancy in their answers. Stay tuned. – DuncanMack Jan 28 '15 at 19:48
  • Ok, I was pointed to [this documentation](http://support.godaddy.com/help/article/4976?locale=en&ci=46061) which states that there is a 72 hour window after re-keying a cert (which would be part of the renewal process) after which the old certificate is revoked. Relevant blurb from the article: "By creating a new private key, you invalidate your certificate's old private key; this means you must install your new, re-keyed certificate within 72 hours of re-keying." – DuncanMack Feb 09 '15 at 14:24
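The checks the thread keeps coming back to (does the old certificate still verify as unrevoked, is the re-keyed certificate paired with the right private key, how long is left, and getting from the PFX the provider hands you to the PEM files most servers want) can all be scripted with the openssl CLI. The script below is an added example and is not from the original post or from GoDaddy's documentation; it assumes `openssl` 1.1.1 or newer and GNU `date` are installed, and every path and the PFX password `changeit` are placeholders. The bundle it builds for the demo run is a throwaway self-signed wildcard, so the revocation lookups come back empty; against a CA-issued certificate `revocation_endpoints` prints the responder and CRL URIs and `ocsp_status` returns the responder's answer.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): pre-flight checks for rolling a
# renewed or re-keyed certificate out to many servers with only the openssl
# CLI. Assumptions: openssl 1.1.1+ and GNU date are installed; the PFX
# password and all paths below are placeholders.
set -eu

# Split a PFX/PKCS#12 export into PEM files: private key, leaf certificate
# and the intermediate chain. Usage: pfx_to_pem bundle.pfx password outdir
pfx_to_pem() {
    local pfx=$1 pass=$2 out=$3
    mkdir -p "$out"
    # -nodes writes the key unencrypted, so lock the file down immediately
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes \
        -out "$out/key.pem" 2>/dev/null
    chmod 600 "$out/key.pem"
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nokeys -clcerts \
        -out "$out/cert.pem" 2>/dev/null
    # Intermediates; the file is empty when the export held only the leaf
    openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nokeys -cacerts \
        -out "$out/chain.pem" 2>/dev/null || true
}

# True when the private key belongs to the certificate. After a re-key this
# catches "installed the new cert next to the old key" before a restart does.
key_matches_cert() {
    local key=$1 cert=$2 a b
    a=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    b=$(openssl x509 -in "$cert" -noout -pubkey \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    [ "$a" = "$b" ]
}

# Whole days until notAfter (needs GNU date). Negative means already expired.
days_until_expiry() {
    local not_after
    not_after=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    echo $(( ( $(date -u -d "$not_after" +%s) - $(date -u +%s) ) / 86400 ))
}

# Portable alternative: succeeds if the cert is still valid N days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Where the CA publishes revocation for this cert: OCSP responder URI(s) from
# the AIA extension and CRL distribution point URI(s). Run this on the OLD
# cert so you know what to poll during the switch-over window.
revocation_endpoints() {
    openssl x509 -in "$1" -noout -ocsp_uri
    openssl x509 -in "$1" -noout -ext crlDistributionPoints 2>/dev/null \
        | sed -n 's/.*URI:\([^ ,]*\).*/\1/p'
}

# Ask the issuer's OCSP responder about the cert. $2 is a PEM file with the
# issuing chain: its first cert is used as -issuer, and everything in it is
# trusted (-CAfile) when the response signature is verified. Prints
# good/revoked/unknown, "no-ocsp-uri" if the cert carries no responder, or
# nothing when the query itself failed.
ocsp_status() {
    local cert=$1 chain=$2 uri
    uri=$(openssl x509 -in "$cert" -noout -ocsp_uri | head -n 1)
    if [ -z "$uri" ]; then echo "no-ocsp-uri"; return 0; fi
    openssl ocsp -issuer "$chain" -CAfile "$chain" -cert "$cert" -url "$uri" 2>/dev/null \
        | sed -nE 's/^.*: (good|revoked|unknown)$/\1/p' | head -n 1
}

# Constructed test data: a throwaway self-signed wildcard exported as PFX
# with password "changeit", so the checks can be exercised without a real CA.
make_demo_bundle() {
    local dir=$1
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj '/CN=*.example.test' \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/cert.pem" \
        -passout pass:changeit -out "$dir/demo.pfx"
}

# Demo run; for a real rollout point these at the CA-issued bundle instead.
demo=$(mktemp -d)
make_demo_bundle "$demo"
pfx_to_pem "$demo/demo.pfx" changeit "$demo/pem"
key_matches_cert "$demo/pem/key.pem" "$demo/pem/cert.pem" && echo "key/cert match: yes"
echo "days until expiry: $(days_until_expiry "$demo/pem/cert.pem")"
echo "revocation endpoints: $(revocation_endpoints "$demo/pem/cert.pem")"
echo "ocsp: $(ocsp_status "$demo/pem/cert.pem" "$demo/pem/cert.pem")"
rm -rf "$demo"
```

Loop `pfx_to_pem` and `key_matches_cert` over the new bundle once, copy the PEM files to each of the dozen servers, and then poll `ocsp_status` on the old certificate (with the provider's intermediate as the chain file) every few hours while the switch-over runs; whether the old certificate actually gets revoked, and when, is the provider's behaviour to confirm, not something the script assumes.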

I think GoDaddy's 72-hour time period is very long for renewing an SSL certificate.

If you go with a Comodo Wildcard SSL Certificate, after a quick verification process they will issue your certificate within hours. Comodo also gives the advantage of unlimited server licensing, so you can use your wildcard SSL certificate on any number of servers. Renewal of a wildcard SSL certificate also completes in hours.

If you go through Symantec, RapidSSL, GeoTrust or Thawte, the verification process will be completed within a short 24-hour period, and the renewal also takes the same time.

Jake Adley