14

We are currently using a standard SSL certificate for a domain, say example.com, hosted on 300 servers. When someone requests https://example.com, one of the servers serves the request.

Now, we want to upgrade our SSL certificate from Standard to one that protects multiple sub domains. Our registrar, GoDaddy, informed us that we will need to cancel the current certificate and instead a new one will be issued.

Now, once the new one is issued to us, it will take approximately 10 days for us to replace the older one on the 300 servers. In those 10 days, if our users request https://example.com and a server that still has the old certificate serves the request, then what will be shown on the user's browser?

Will the user see an invalid certificate error?

NOTE: Just to put all the backlash to rest, the reason it takes 10 days to update over 300 servers is that my servers are deployed in private buses, trains and aircraft and they serve requests via an offline hotspot. They may serve several requests without connecting to the internet for days. Hence, based on our last update rate, it will take approximately 10 days for me to update all of them.

Giacomo1968
Kartik

  • (12) You haven't sufficiently automated your environment. You should be able to replace all of those certificates with a single command in a few minutes. – Michael Hampton Oct 03 '15 at 06:32
  • (3) Have you asked GoDaddy whether they will actually "revoke" the certificate (add it to their Certificate Revocation List) in this scenario? I've worked with another provider before (can't recall which) which wouldn't revoke certs merely because one was "cancelled" business-wise, but would only do revocations in case foul play was suspected, to reduce the size of the CRL. – Per von Zweigbergk Oct 03 '15 at 06:36
  • (1) @PervonZweigbergk Correct. But I just realized that perhaps this SSL certificate was some freebie connected to a registration package. Regardless, technically you can have dozens of SSL certificates for a host; expiration is not contingent on anything regarding getting a new or multiple certificates. – Giacomo1968 Oct 03 '15 at 08:13
  • (2) I don't understand how you can justify stretching this task out to _ten days_, even if you have to change the cert manually on each server. Is that a practical reality for some reason (what reason?), or is it just what you tell your manager? One person should be able to do this in a _morning_ unless you're typing with nothing but your two index fingers... and, even then, ten days is suspicious. – Lightness Races in Orbit Oct 03 '15 at 15:59
  • (4) Just to put all the backlash to rest, the reason it takes 10 days to update over 300 servers is that my servers are deployed in private buses, trains and aircraft and they serve requests via an offline hotspot. They may serve several requests without connecting to the internet for days. Hence, based on our last update rate, it will take approximately 10 days for me to update all of them. – Kartik Oct 04 '15 at 05:36
  • @Kartik Let me at least now flip my comment on 300 servers/10 days now that I know that you are dealing with mobile, sporadically connected devices. Quite impressive! – Giacomo1968 Oct 04 '15 at 23:14

1 Answer

13

Putting aside the fact that you have 300 servers (!!!) and you seem to say the process is not automated so it will take 10 days (!!!) to complete, the scenario that GoDaddy has described seems off. NOTE: Comment irrelevant now that a clearer context is placed on the 300 servers in 10 days issue; the logistics of moving/sporadically-connected servers make sense.

Yes, if you wish to create a new certificate, the old SSL certificate should be revoked (aka: cancelled). But in my experience SSL certificates don't have to be revoked immediately because a new SSL certificate has been issued. You might want to double-check with GoDaddy about this.

Also, SSL certificates, registrars and hosting services are 3 different things. Sometimes a registrar will insist they are the only ones who can issue an SSL certificate for a domain that was registered with them. But you can pretty much get an SSL certificate from anyone who offers one and then use that with your current servers without issue.

If GoDaddy is really being a pain about this, I would recommend just getting an SSL certificate from another source.

That way you can phase in the new SSL certificate across the 300 servers while keeping the old SSL certificate in place. And then, when you are done with the transition, officially revoke the old certificate so you're done with it.

Giacomo1968

  • (8) Regarding the certificate replacement process not being automated: imagine what would happen if somebody actually stole one of your certificates and you had to go revoke it. Can you really afford having your site down for 10 days? – Per von Zweigbergk Oct 03 '15 at 08:27
  • (1) For most of this answer, you mean "revoked", not "expired". Certificates typically are *revoked* by their issuer on cancellation; they don't expire (their expiration date is left untouched, since it's not repropagated to CRLs/OCSP/etc). – Chris Down Oct 03 '15 at 12:12
  • @ChrisDown Thanks for the catch. My late-night brain converted "cancelled" to "expired." Edited to use "revoked" instead. – Giacomo1968 Oct 03 '15 at 19:22
  • (2) @JakeGould You were right. I got a new certificate issued and at the same time I have the old one still active. It turns out that I have the power to decide when to revoke the old one. I can keep both active as long as I want. – Kartik Oct 06 '15 at 06:20
  • @Kartik Happy this worked out for you. Certificates are not magic; they are just things that identify who your server is to the world and validate it via a 3rd party "authority." And as such, you are in power at all times. Anyone implying otherwise is simply trying to create doubt for sales purposes. Happy to have helped! – Giacomo1968 Oct 06 '15 at 06:23
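The phased rollout the answer recommends (and Kartik confirms works, since both certificates stay valid until the old one is revoked) still needs a way to track which of the 300 hosts present the old certificate, which present the new one, and which are currently offline. The script below is an added example, not code from the question or the answer; it assumes each host is reachable on port 443, that example.com (the question's placeholder domain) is the SNI name, and that the SHA-256 fingerprints of the old and new certificates are known, for instance from `openssl x509 -noout -fingerprint -sha256 -in cert.pem`.

```python
# Added example: audit which hosts still present the old certificate.
import hashlib
import socket
import ssl
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, Iterable, Optional

def fingerprint_pem(pem: str) -> str:
    """SHA-256 fingerprint of a PEM certificate, lowercase hex, no colons."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()

def classify(pem: str, new_fp: str, old_fp: str) -> str:
    """'new', 'old', or 'unexpected'. Fingerprints may be given in the
    'AB:CD:..' form printed by `openssl x509 -fingerprint -sha256`."""
    fp = fingerprint_pem(pem)
    if fp == new_fp.replace(":", "").lower():
        return "new"
    if fp == old_fp.replace(":", "").lower():
        return "old"
    return "unexpected"

def fetch_leaf_pem(host: str, sni: str = "example.com", port: int = 443,
                   timeout: float = 5.0) -> Optional[str]:
    """Leaf certificate the host presents for `sni`, or None if unreachable.
    Verification is off on purpose: we record whatever the host serves,
    old certificate included; this is an inventory check, not a client."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=sni) as tls:
                return ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))
    except (OSError, ssl.SSLError):  # offline hotspot, refused, TLS failure
        return None

def audit_fleet(hosts: Iterable[str], new_fp: str, old_fp: str,
                fetch: Callable[[str], Optional[str]] = fetch_leaf_pem) -> Dict[str, str]:
    """Map each host to new / old / unexpected / unreachable, in parallel."""
    def one(host: str):
        pem = fetch(host)
        return host, ("unreachable" if pem is None else classify(pem, new_fp, old_fp))
    with ThreadPoolExecutor(max_workers=32) as pool:
        return dict(pool.map(one, hosts))

def summarize(results: Dict[str, str]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for state in results.values():
        counts[state] = counts.get(state, 0) + 1
    return counts
```

Run `audit_fleet` against the host inventory once a day and watch the `old` count fall to zero before revoking the old certificate; an `unexpected` entry means a host is serving a certificate that is neither the old nor the new one and deserves a look.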