Home / server / Questions / 397742
In Process
Cooper
Asked: 2012-06-12 13:59:39 +0800 CST

Does reissuing an SSL certificate invalidate the previously-issued certificate?

  • 772

I used the "reissue certificate" functionality at a SSL certificate vendor (RapidSSL, FWIW) to get a new certificate - in doing so, I created and used a new private key and pass phrase.

Will the re-issuance of this certificate cause the previously-issued certificate to become invalid? If so, how long does that take?

ssl certificate revoked

2 Answers

  1. Not automatically, for RapidSSL. For other vendors and/or certificate grades, it may be be automatic.

    RapidSS don't automatically invalidate a certificate when it is re-issued, according to their Certificate Practice Statement. This would be a function of how much you pay for the certificate.

    In section II.B.5 of the currently-google-able CPS:

    GeoTrust will not revoke a Certificate previously issued following a refund or reissue request. A request for a refund or reissue of a Certificate will not be treated as a request by the Subscriber for revocation of a Certificate previously issued by GeoTrust unless the Subscriber follows the procedures for requesting revocation as stated at Section III.I. of this CPS.

    In section III.I it says:

    Certificate revocation is the process by which GeoTrust prematurely ends the Operational Period of a Certificate by posting the serial number of the Certificate to a Certificate Revocation List. A Subscriber shall inform GeoTrust and promptly request revocation of a Certificate:

    • whenever any of the information on the Certificate changes or becomes obsolete; or
    • whenever the Private Key, or the media holding the Private Key, associated with the Certificate is Compromised; or
    • upon a change in the ownership of a Subscriber's web server. Subscriber shall state the reason(s) for requesting revocation upon submitting the request.

    Elsewhere it minimally promises that revoked certificates will be added to the CRL 'at least once a week'.

    Reading the Certificate Practice Statement of any purchaser of SSL certificate services is a good thing for a buyer to do.

    • 9

  2. Yes, they will revoke the old certificate.

    The way that SSL revocations works is that, inside the certificate, the vendor places a URL where the client (e.g. browser) should check if the certificate is still valid (called a CRL).

    So there is no hard and fast answer to this, it depends on the client. In some cases, like this article, it suggests it won't be checked at all.

    • 3