
What are the best practices for updating client-side SSL certificates without user interaction?

To be more specific:
I have a server with SSL private key/public x.509 certificate. All clients will communicate with this server through SSL. In order to establish SSL connection all clients need to import the server's public certificate to their trusted locations (truststore).

Getting the server's certificate at (client) install time is not a problem because the installer can contact the server (by SSL) and get the server's public key (or the company's Root Certificate). After that the installer can show the certificate to the user for visual validation and this is secure enough.

What will happen after the server certificate (or the company CA) expires?
Or what will happen if the server certificate is accidentally changed?

What are the best practices to (automatically) update all clients with the new server SSL certificate (CA)? Having in mind that after installation the clients are background processes and there is no visual user interaction possible.

Of course the easiest way is to manually update all clients by the infrastructure administrator.

I'm wondering if there are some known good practices to automatically update the client's certificates without user intervention?

user291529

1 Answer


Ideally, your server certificates should be issued and signed by a trusted root CA certificate with a long lifetime (10 to 20 years). Just the root CA certificate would be installed on the client end.

The server certificate itself, even if you update it every year, would not need to be propagated to clients since the root signed it and is trusted.

If you're using self-signed certificates, this is why they are generally frowned upon from a certificate management perspective. When they expire or change, you need everyone to update - otherwise you'll get browser security warnings.

Scott T.
  • Thank you Scott! What about this part of the question: "What are the best practices to (automatically) update all clients with the new server SSL certificate (CA)"? I mean after the Root CA expires or it is compromised what are the best practices to update automatically (without user intervention)? – user291529 Apr 21 '11 at 09:49
  • If the client software you're using supports "link certificates" then your clients can automatically trust the new root CA cert if they trust the existing one. A link certificate (at least a "forward link certificate") is a copy of the new root CA cert signed by the previous root CA signing key. The link cert is typically published in a directory server entry where the clients will know to check for it. You will need to check your software's documentation to see if it's supported, and if your CA software even supports the generation of link certificates. – Scott T. Apr 25 '11 at 00:23
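The root-rotation idea from Scott T.'s comment, as an added shell example that is not code from the original thread: it builds an old root, a new root, a forward link certificate (the new root's key and name signed by the old root's key) and a server certificate under the new root, then checks what a client that trusts only the old root can verify. It assumes openssl 1.1.1 or later on PATH; every CA name, hostname and file name is invented for the demo.

```shell
#!/bin/sh
# Demo of forward link certificates; assumes openssl 1.1.1+ on PATH.
# All names and files below are invented demo values, not from the thread.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
  > "$WORK/ca.ext"

# key_and_csr NAME CN: fresh RSA key and a CSR for it, quietly.
key_and_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -subj "/CN=$2" -out "$WORK/$1.csr" 2>/dev/null
}

# Old root: the only cert already in the clients' truststore. New root: its successor.
key_and_csr old_root "Demo Old Root CA"
openssl x509 -req -in "$WORK/old_root.csr" -signkey "$WORK/old_root.key" \
  -days 365 -extfile "$WORK/ca.ext" -out "$WORK/old_root.pem" 2>/dev/null
key_and_csr new_root "Demo New Root CA"
openssl x509 -req -in "$WORK/new_root.csr" -signkey "$WORK/new_root.key" \
  -days 3650 -extfile "$WORK/ca.ext" -out "$WORK/new_root.pem" 2>/dev/null

# Forward link certificate: same CSR as the new root (its name and public key),
# but signed by the OLD root key, so an old-root-only client can chain through it.
openssl x509 -req -in "$WORK/new_root.csr" -CA "$WORK/old_root.pem" \
  -CAkey "$WORK/old_root.key" -CAcreateserial -days 365 \
  -extfile "$WORK/ca.ext" -out "$WORK/link.pem" 2>/dev/null

# Server certificate issued under the new root only.
key_and_csr server "server.demo.test"
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/new_root.pem" \
  -CAkey "$WORK/new_root.key" -CAcreateserial -days 90 \
  -out "$WORK/server.pem" 2>/dev/null

# client_verify ROOT [EXTRA]: a client whose truststore holds only ROOT verifies
# the server cert, optionally with an untrusted cert (the link cert) it fetched.
client_verify() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" "$WORK/server.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$WORK/server.pem" >/dev/null 2>&1
  fi
}

if client_verify "$WORK/old_root.pem"; then echo "old root alone: OK"; else echo "old root alone: FAIL (expected)"; fi
if client_verify "$WORK/old_root.pem" "$WORK/link.pem"; then echo "old root + link cert: OK"; fi
if client_verify "$WORK/new_root.pem"; then echo "new root in truststore: OK"; fi
```

The middle case is the point: a client that was never updated still validates the new server certificate once it can fetch the link certificate, while the first case shows why a silent root change breaks clients without it.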