One of our SSL certificates is about to expire next month. We use Limelight CDN, and we had provided them the certificate when we started working with them.

We also use the same certificate on our sites. All our sites are hosted on IIS.

We have renewed the certificate, but I am not sure in which order we should change the certificate.

Possible things

  • Change the certificate in the IIS site binding first and then ask Limelight (CDN) to change it
  • Ask Limelight (CDN) to change the certificate and then change the binding in IIS later
  • Change the certificates at both ends at the same time. But this is not an easy task, as Limelight (CDN) does not have a console and we have to depend on support tickets.

Please suggest what should be done. Will we get an error if the certificates used at IIS and the CDN are different?

  • 3
    Barring special cases around certificate pinning, it doesn't matter which order you do it in, and it doesn't matter how fast you get it done. You could run two different SSL certs permanently, if you want. Hell, you could have 50 servers, each with their *own* different SSL cert, if you really wanted. – ceejayoz Sep 08 '17 at 12:31
  • Just confirming on this sentence "You could run two different SSL certs permanently, if you want." Basically you are saying that it does not matter if we have two different certs installed for same domain on CDN and Origin. Is this correct? Sorry if you find this annoying. – Chintak Chhapia Sep 08 '17 at 13:23
  • 1
    Correct. A valid certificate is a valid certificate, even if there are other valid certificates floating around for the same domain. In fact, it'd be a good idea to use a different certificate *always* for the CDN, so they don't have to have access to your webserver's private key - protects you if the CDN is ever breached. – ceejayoz Sep 08 '17 at 13:33

1 Answer

Each TLS certificate has a validity period, which is defined when the certificate is issued. This means that the validity periods of two certificates can overlap.

So, if your current certificate is valid from October 1 2016 till September 30 2017, and your new certificate is valid from September 15 2017 to September 31 2018, it means that you have two weeks' time to change to the new certificate in your services, and both certificates work at the same time.

Tero Kilkanen
  • But the question is: in these 2 weeks, can we change the cert at the CDN today and the cert at origin after a week? Will it impact anything? – Chintak Chhapia Sep 08 '17 at 13:25
  • No, it won't impact anything since both old and new certificates are valid (assuming common names match both the CDN and origin). – Tero Kilkanen Sep 09 '17 at 00:35
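The answer's point is that the old and new certificates have overlapping validity windows, and Tero's follow-up adds the one condition that actually matters: whichever certificate each endpoint presents must be valid at that moment and must cover the hostname. The script below is an added example (not from the question, the answer, or Limelight) that makes both checks explicit. It models each certificate as a validity window plus the names it covers, computes the rotation window in which both old and new are valid, and reports which endpoint (CDN or origin) would be presenting an invalid certificate at a given instant. The `fetch_cert_dates` helper shows how to pull the same data live from a real endpoint with the standard library, connecting to a chosen address while sending the site's hostname as SNI, so the CDN edge and the IIS origin can be checked independently; `www.example.com`, the dates, and the endpoint labels are constructed sample values, and the real check is not run here.

```python
from __future__ import annotations

import socket
import ssl
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class CertWindow:
    """Validity period and covered names of one certificate (the fields a rotation check needs)."""

    label: str
    names: frozenset[str]      # DNS names from CN / subjectAltName
    not_before: datetime
    not_after: datetime

    def covers(self, hostname: str) -> bool:
        # Exact SAN match, or a wildcard for the parent domain (the common CDN case).
        if hostname in self.names:
            return True
        parts = hostname.split(".", 1)
        return len(parts) == 2 and f"*.{parts[1]}" in self.names

    def valid_at(self, when: datetime, hostname: str) -> bool:
        return self.not_before <= when <= self.not_after and self.covers(hostname)


def rotation_window(old: CertWindow, new: CertWindow) -> tuple[datetime, datetime] | None:
    """Interval during which both certificates are valid, or None if they do not overlap."""
    start = max(old.not_before, new.not_before)
    end = min(old.not_after, new.not_after)
    return (start, end) if start <= end else None


def failing_endpoints(when: datetime, hostname: str, presented: dict[str, CertWindow]) -> list[str]:
    """Endpoints whose currently deployed certificate would be rejected for `hostname` at `when`.

    The order of rotation is irrelevant: any mix of old/new across endpoints is fine
    as long as this list is empty for every instant until the old cert expires.
    """
    return [ep for ep, cert in presented.items() if not cert.valid_at(when, hostname)]


def fetch_cert_dates(hostname: str, connect_to: str | None = None, port: int = 443) -> CertWindow:
    """Live check (not run in this example): TLS-connect to `connect_to` (e.g. the origin's
    IP or the CDN hostname) while presenting `hostname` as SNI, and read the leaf cert's dates.
    Doing this once against the CDN and once against the origin confirms each side separately."""
    ctx = ssl.create_default_context()
    with socket.create_connection((connect_to or hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    names = frozenset(v for k, v in cert.get("subjectAltName", ()) if k == "DNS")
    return CertWindow(
        label=f"{hostname} via {connect_to or hostname}",
        names=names,
        not_before=datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), UTC),
        not_after=datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), UTC),
    )


# Constructed sample certificates, loosely following the dates in the answer.
SITE = "www.example.com"
OLD_CERT = CertWindow("old", frozenset({SITE}),
                      datetime(2016, 10, 1, tzinfo=UTC), datetime(2017, 9, 30, 23, 59, 59, tzinfo=UTC))
NEW_CERT = CertWindow("new", frozenset({SITE}),
                      datetime(2017, 9, 15, tzinfo=UTC), datetime(2018, 9, 30, 23, 59, 59, tzinfo=UTC))

if __name__ == "__main__":
    window = rotation_window(OLD_CERT, NEW_CERT)
    print("rotation window:", window)
    # CDN already switched, origin still on the old cert: fine inside the window...
    mixed = {"cdn": NEW_CERT, "origin": OLD_CERT}
    print("failing on 2017-09-20:", failing_endpoints(datetime(2017, 9, 20, tzinfo=UTC), SITE, mixed))
    # ...but the origin becomes the problem once the old cert expires.
    print("failing on 2017-10-05:", failing_endpoints(datetime(2017, 10, 5, tzinfo=UTC), SITE, mixed))
```

Because the check is per endpoint, it also works when the CDN and the origin hold entirely different certificates and keys, which is the arrangement ceejayoz recommends so the CDN never needs the origin's private key.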