A website owner’s control over a digital certificate begins when they purchase the machine identity from a Certificate Authority (CA), but their responsibility does not end there. Once you have full authority over your certificates, it is up to you to maintain them. Understanding exactly how certificate renewal, certificate reissue, and certificate revocation work will help you maintain your network’s security, reliability, and reputation.
How to request an SSL certificate renewal in 4 easy steps
- Generate a CSR. Generate a new certificate signing request (CSR), typically from your hosting provider's control panel. You’ll need to provide contact information that is used to validate domain ownership. Once every field is filled in, your host provides the CSR code, which you will need to activate the certificate in the next step.
- Activate the SSL certificate. Supply the requested information, including the CSR you acquired in the previous step. The CA then processes your request and completes its identity verification steps; as long as the domain, organization name, and other submitted details have not changed, this takes about as long as handling a brand-new certificate's CSR.
- Complete domain control validation. Before your new certificate can be used, you’ll need to validate it. Domain control validation (DCV) confirms that you are who you say you are and that you control the domain you’re requesting a certificate for.
- Install the SSL certificate. The purchaser’s certificate contact receives the new SSL certificate from the CA (in .crt format). Install and configure the new certificate before removing the old one. If you requested the new certificate through your host, it should be added to your site automatically; if not, refer to your server’s documentation for uploading and placing the certificate on your server.
When is the best time to apply for a certificate renewal?
Certificate renewal is the process by which a user purchases a new certificate for the same public key used in an expiring certificate. Certificates used to be valid for up to three years, but as of September 2020 all SSL certificates have a maximum lifespan of 13 months. Although many experts have expressed concern over this change, shorter certificate validity periods are actually a good thing for security.
The best time to apply for an SSL certificate renewal is within the last quarter of the current certificate’s lifecycle, so there is plenty of time for the renewal to be processed. This ensures there is no gap in validity, avoiding a potentially costly outage and maintaining users' trust in your website’s reliability.
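The renewal window described above, as an added shell example (not code from the original post): it decides whether a certificate is in the last quarter of its lifetime and whether its lifetime respects the 13-month (398-day) cap. The pure functions work on Unix epoch seconds; the `cert_renewal_due` wrapper additionally assumes the openssl CLI and GNU `date -d`.

```shell
#!/bin/sh
# Added example (not from the original post). Works on epoch seconds so it
# can be checked without a real certificate; the wrapper at the end reads a
# PEM certificate and assumes the openssl CLI plus GNU date (date -d).
set -eu

MAX_LIFETIME_DAYS=398   # the 13-month cap in force since September 2020

# renewal_due <notBefore-epoch> <notAfter-epoch> <now-epoch>
# Returns 0 when `now` falls in the last quarter of the validity period
# (or the certificate has already expired), 1 otherwise.
renewal_due() {
    nb=$1; na=$2; now=$3
    life=$((na - nb))
    [ "$life" -gt 0 ] || return 0            # malformed range: treat as due
    threshold=$((nb + life * 3 / 4))         # start of the last quarter
    [ "$now" -ge "$threshold" ]
}

# lifetime_ok <notBefore-epoch> <notAfter-epoch>
# Returns 0 when the validity period fits the 398-day maximum.
lifetime_ok() {
    [ $(( ($2 - $1) / 86400 )) -le "$MAX_LIFETIME_DAYS" ]
}

# days_left <notAfter-epoch> <now-epoch>: prints whole days until expiry
# (negative once the certificate has expired).
days_left() {
    echo $(( ($1 - $2) / 86400 ))
}

# cert_renewal_due <cert.pem>: read notBefore/notAfter from a PEM
# certificate and apply renewal_due against the current time.
cert_renewal_due() {
    nb=$(openssl x509 -in "$1" -noout -startdate | cut -d= -f2)
    na=$(openssl x509 -in "$1" -noout -enddate   | cut -d= -f2)
    renewal_due "$(date -u -d "$nb" +%s)" "$(date -u -d "$na" +%s)" \
                "$(date -u +%s)"
}
```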
What is an SSL certificate reissue?
A certificate reissue (sometimes referred to as re-keying) is when a user generates a new private key and CSR for an existing certificate. As explained by DNSimple, users might need to proceed with the reissuing process if they lose or delete their private key, if they want to change any of their certificate information, or if they want to change the certificate's encryption level. Upon completion, the reissuing process produces a new digital certificate.
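The CSR step of the renewal procedure above and the re-keying that a reissue involves, as an added shell example (not code from the original post or from any CA): a renewal CSR reuses the existing private key, a reissue generates a new one, and the install step checks that the certificate that comes back matches the key on the server. It assumes the openssl CLI; file names and the subject are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the openssl CLI; the
# key/CSR file names and the subject are constructed placeholders.
set -eu

# Renewal: reuse the existing private key, so the CSR carries the same
# public key as the expiring certificate.
renew_csr() {   # renew_csr <existing.key> <out.csr> <subject>
    openssl req -new -key "$1" -out "$2" -subj "$3" 2>/dev/null
}

# Reissue (re-key): generate a fresh private key and a CSR for it.
rekey_csr() {   # rekey_csr <new.key> <out.csr> <subject>
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1" -out "$2" \
        -subj "$3" 2>/dev/null
}

# SHA-256 of the DER-encoded public key, so keys, CSRs and certificates can
# be compared regardless of which container they sit in.
spki_hash() {   # spki_hash <x509|req|pkey> <file>
    case "$1" in
        x509) openssl x509 -in "$2" -noout -pubkey ;;
        req)  openssl req  -in "$2" -noout -pubkey ;;
        pkey) openssl pkey -in "$2" -pubout ;;
    esac | openssl pkey -pubin -outform DER | openssl dgst -sha256 -r \
         | cut -d' ' -f1
}

# Install-step check: refuse to deploy a certificate whose public key does
# not match the private key on the server. Returns 0 on match, 1 otherwise.
cert_matches_key() {   # cert_matches_key <cert.crt> <private.key>
    [ "$(spki_hash x509 "$1")" = "$(spki_hash pkey "$2")" ]
}
```

Running the renewal CSR and the re-key CSR against the same subject shows the difference directly: the first hashes to the old key's public key, the second does not.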
SSL certificate renewal vs SSL certificate revocation
When you renew a certificate, you do not need to revoke the old certificate. The old certificate will simply expire and then it will no longer be valid. Certificate revocation is not necessary during certificate renewals because the new SSL certificate maintains all the same characteristics as the one that it replaces, including the private key.
You should only revoke a certificate if you suspect its private key has been compromised. Certificate revocation immediately invalidates an SSL certificate prior to its scheduled expiration and renders it unusable. Generally, you would revoke a certificate only when its private key becomes unsafe, such as when a user shares the key on a public website or attackers steal it from a company's servers. You may also wish to revoke a certificate when the domain it is used for is no longer operational.
Revoking the certificate in such cases cancels it, so the owner's domain can no longer serve HTTPS with it. At this point the owner will have to reissue an SSL certificate to replace the revoked one.
Organizations should maintain accurate and up-to-date certificate revocation lists (CRLs): a CRL lists all digital certificates that the issuing CA has revoked and that should no longer be trusted.
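The revocation and CRL points above, as an added shell example (not code from the original post): a throw-away lab CA issues a leaf certificate, revokes it, and republishes its CRL, and CRL-aware verification rejects the certificate only once the CRL has actually been regenerated, which is why the list must be kept up to date. It assumes the openssl CLI; all names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the openssl CLI; the
# CA name, subject and file names are constructed placeholders.
set -eu

# Create the lab CA plus the small database `openssl ca` keeps for
# revocations, inside directory $1 (the script stays in that directory).
setup_lab_ca() {
    cd "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
        -subj "/CN=Lab CA (constructed)" -days 30 2>/dev/null
    : > index.txt                     # revocation database, initially empty
    echo 1000 > crlnumber             # monotonically increasing CRL number
    printf '[ca]\ndefault_ca = lab\n[lab]\n' > ca.cnf
    printf 'database = index.txt\ncrlnumber = crlnumber\n' >> ca.cnf
    printf 'certificate = ca.crt\nprivate_key = ca.key\n' >> ca.cnf
    printf 'default_md = sha256\ndefault_crl_days = 7\n' >> ca.cnf
}

# Issue leaf.crt for subject $1, signed by the lab CA.
issue_leaf() {
    openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
        -subj "$1" 2>/dev/null
    openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -out leaf.crt -days 30 2>/dev/null
}

# Publish (regenerate) ca.crl from the database. Relying parties only learn
# of a revocation once this has run and the new CRL has been distributed.
publish_crl() {
    openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
}

# Record certificate $1 as revoked in the database (does not touch ca.crl).
revoke_cert() {
    openssl ca -config ca.cnf -revoke "$1" 2>/dev/null
}

# CRL-aware verification of $1: returns 0 if trusted and not listed on ca.crl.
verify_with_crl() {
    openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl "$1" >/dev/null 2>&1
}
```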
Certificate management requires automation and visibility
Certificate management can be highly complex depending on the number of machine identities in your network. Maintaining an inventory of all digital certificates’ locations, what they do, and when they expire is a lot of work. The effort needed to keep track of all certificate renewals, reissues, and revocations is even greater. In most cases, manual certificate management is simply not feasible: these processes are tedious, repetitive, time-consuming, and highly prone to human error.
In certificate management, even one tiny mistake can be disastrous. All it takes is one expired certificate to expose your organization to costly cyber-attacks, impact revenue, and even damage your reliability and reputation.
To properly manage digital certificates, automation is the only solution that streamlines the renewal, reissue, and revocation processes for machine identities. The Venafi Trust Protection Platform, optimized for machine identity management, was built for exactly this task. Secure your network against bad actors and eliminate certificate-related outages with the No-Outages Guarantee. Users can initiate certificate renewals, request a certificate reissue, and revoke certificates from a single portal.
(This blog has been updated. This was originally posted on July 2, 2021.)