17

We have a wildcard certificate issued by GoDaddy coming up for renewal, and I would like to use a different company (which is yet to be chosen). The wildcard certificate is in use at a dozen sites across a few servers. There will be a gap of a few hours between the certificate being issued at the new authority, and when we can install the certificate on all those sites & servers. During that gap, will our users notice anything, e.g.,

  1. "Site is insecure" type of warning
  2. Outright failure of the site to work (they are Windows/IIS sites).

I am wondering if, for instance, the new authority issues something to GoDaddy that makes GoDaddy revoke our certificate that they have on file. Or, will a web browser find the installed certificate mismatching with the newly issued certificate, and cause a problem?

royappa
  • 297
  • 2
  • 9

2 Answers

29

A certificate will be valid as long as the system date that verifies the domain is between its validity not-before and not-after dates, all other certificates in the chain are valid, and the issuer has not taken action to revoke the certificate by means of the CRL or OCSP options at their disposal (most commonly due to counterfeit or security issues such as a private key that becomes compromised). Obviously, the domain has to match. Issuing a new one will not affect that.

You can actually request the new certificate before the expiration date of the current and start changing certificates ahead of that point in time so that there is the smallest disruption possible in services. If you wait for expiration in order to proceed with the renewal, the services will show the insecure note if not blocked completely by security settings on browsers like HSTS or other security mechanisms.

Automation tools related to certificate renewal like acme.sh or the Let's Encrypt module in WHM do their job usually 1 month ahead of expiration so that caching and other functionality doesn't impact the renewal process either.

David Mora
  • 426
  • 1
  • 5
  • 8
    The first paragraph is incomplete. A certificate may also become invalid due to CRL or OCSP checks. Won't happen in this situation, though, so the conclusion remains correct that OP can go ahead and order the new certificate and the old one will remain valid. – jcaron Mar 08 '23 at 09:10
  • Accepting this answer because of the detailed explanation compared to the one from TomTom, but obviously appreciate that one as well, and the input from @jcaron here. – royappa Mar 08 '23 at 13:55
  • Of course, revocation is also a reason for invalidity. I just went with reasons that invalidate a certificate when no action is taken and time just passes by. I will add those two and have a much more complete source of information. Thanks, @jcaron – David Mora Mar 08 '23 at 16:06
  • 1
    Requesting a new certificate early is not only possible, it’s the industry norm. There’s a reason that you generally hear about it when a certificate lapses on a big site, and it’s because sensible admins renew their certificates early whenever possible (aside from ensuring minimal downtime just for the renewal itself, you also minimize the possibility of downtime resulting from issues with renewing the certificate). – Austin Hemmelgarn Mar 08 '23 at 19:19
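The checks the accepted answer lists (chain, validity window, name match) and the renew-ahead advice, as an added example that is not code from the question or the answers. It builds two constructed, self-signed issuers standing in for the old and the new CA, has each sign a wildcard leaf for the same placeholder name `*.example.test`, and shows that each leaf validates only against its own issuer and without reference to the other certificate; it assumes `openssl` is installed.

```shell
#!/bin/sh
# Added illustration, not code from the question or answers. Two independent
# issuers ("old" and "new", constructed and self-signed here) each sign a
# wildcard leaf for the same name; we then run the checks a client runs:
# chain to a trusted issuer, validity dates and hostname match.
# Assumes openssl is on PATH; *.example.test is a constructed placeholder.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_chain LABEL DAYS: an issuer CA plus a wildcard leaf valid for DAYS days.
make_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=$1 root CA" \
    -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=*.example.test" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$1-ca.pem" \
    -CAkey "$WORK/$1-ca.key" -CAcreateserial -days "$2" \
    -out "$WORK/$1.pem" >/dev/null 2>&1
}

# verify_leaf LABEL HOST: succeeds only if LABEL's leaf chains to LABEL's CA,
# is inside its not-before/not-after window and covers HOST. The other
# issuer's certificate plays no part in this decision.
verify_leaf() {
  openssl verify -CAfile "$WORK/$1-ca.pem" -verify_hostname "$2" \
    "$WORK/$1.pem" >/dev/null 2>&1
}

# expires_within LABEL SECONDS: succeeds if the leaf expires within SECONDS.
# The renewal tools mentioned above act about 30 days (2592000 s) ahead.
expires_within() {
  ! openssl x509 -in "$WORK/$1.pem" -noout -checkend "$2" >/dev/null 2>&1
}

# Old certificate with 20 days left; new one freshly issued by the other CA.
make_chain old 20
make_chain new 365

verify_leaf old www.example.test && echo "old cert: still valid after the new one was issued"
verify_leaf new www.example.test && echo "new cert: valid on its own chain"
expires_within old 2592000 && echo "old cert: expires within 30 days, renew now"
expires_within new 2592000 || echo "new cert: not due for renewal"
# A wildcard covers a single label, so deeper names fail the name check.
verify_leaf old a.b.example.test || echo "old cert: does not cover a.b.example.test"
```

Installing the new certificate on each server while the old one is still valid is therefore a per-server swap with no gap; the old certificate keeps working on the servers not yet switched.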
21

No, getting a new certificate from another CA is absolutely unrelated to the old certificate.

TomTom
  • 51,649
  • 7
  • 54
  • 136