A website owner's control over a digital certificate begins when they purchase the machine identity from a Certificate Authority (CA), but the responsibility doesn't end there. Once you have full authority over your certificates, it is up to you to maintain them. Understanding exactly how certificate renewal, certificate reissue, and certificate revocation work will empower you to maintain your network's security, reliability, and reputation.
When is the best time to apply for a certificate renewal?
Certificate renewal is the process by which a user purchases a new certificate for the same public key used in an expiring certificate. While certificates used to be valid for up to three years, as of September 2020 all SSL certificates have a maximum lifespan of 13 months. Although many experts have expressed concern over this change, shorter certificate validity periods are actually a good thing for security.
The best time to apply for an SSL certificate renewal is within the last quarter of the current certificate's lifecycle, so there is plenty of time for the renewal to be processed. This ensures there is no gap between validity periods, avoiding a potentially costly outage and maintaining user trust in your website's reliability.
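The "last quarter of the lifecycle" rule can be checked mechanically from a certificate's validity dates. The following is an added example, not part of the original post: it parses the two lines printed by `openssl x509 -noout -dates` and reports whether the certificate has entered its renewal window. The sample dates are constructed and the function names are hypothetical.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample: output of `openssl x509 -noout -dates -in cert.pem`
# for a certificate with a 396-day lifetime.
SAMPLE_DATES = """notBefore=Jan  1 00:00:00 2024 GMT
notAfter=Jan 31 00:00:00 2025 GMT
"""

def parse_openssl_dates(text):
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        key = key.strip()
        if sep and key in ("notBefore", "notAfter"):
            # ssl.cert_time_to_seconds understands OpenSSL's "Mon DD HH:MM:SS YYYY GMT"
            seconds = ssl.cert_time_to_seconds(value.strip())
            fields[key] = datetime.fromtimestamp(seconds, tz=timezone.utc)
    if len(fields) != 2:
        raise ValueError("expected both notBefore and notAfter lines")
    if fields["notAfter"] <= fields["notBefore"]:
        raise ValueError("notAfter must be later than notBefore")
    return fields["notBefore"], fields["notAfter"]

def renewal_window_start(not_before, not_after):
    """First moment of the last quarter of the validity period."""
    return not_after - (not_after - not_before) / 4

def renewal_status(text, now):
    """Classify a certificate as not-yet-valid, ok, renew-now or expired."""
    not_before, not_after = parse_openssl_dates(text)
    if now < not_before:
        return "not-yet-valid"
    if now >= not_after:
        return "expired"
    if now >= renewal_window_start(not_before, not_after):
        return "renew-now"
    return "ok"

if __name__ == "__main__":
    start, end = parse_openssl_dates(SAMPLE_DATES)
    print("renew from:", renewal_window_start(start, end).date())
    print("status today:", renewal_status(SAMPLE_DATES, datetime.now(timezone.utc)))
```

Run on a schedule against every certificate in an inventory, a check like this turns the renewal rule into an alert instead of a calendar reminder.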
How to request a certificate renewal in 4 easy steps:
- Generate a new certificate signing request (CSR) from your CA's hosting control panel.
- Wait for the CA to process your request and complete its identity verification steps. This takes the same amount of time as handling the CSR for a new certificate, as long as the owner's domain, organization name, and other submitted pieces of information have not changed.
- The purchaser's certificate contact will receive the new SSL certificate from the CA.
- Install and configure your new SSL certificate before removing the old one.
What is an SSL Certificate Reissue?
A certificate reissue (sometimes referred to as re-keying) is when a user generates a new private key and CSR for an existing certificate. As explained by DNSimple, users might need to proceed with the reissuing process if they lose or delete their private key, if they want to change any of their certificate information, or if they want to change the certificate's encryption level. Upon completion, the reissuing process produces a new digital certificate.
What is Certificate Revocation and Why Is It Important?
Certificate revocation allows web owners to immediately invalidate an SSL certificate prior to its scheduled expiration. The most common reason for this is when a certificate's private key becomes unsafe, such as when a user shares the key on a public website or if hackers steal the key from a company's servers.
Revoking the certificate in such instances cancels the certificate, thereby removing the HTTPS connection from the owner's domain. At this point the owner will have to perform an SSL certificate reissue, as described above.
Organizations should maintain accurate and up-to-date certificate revocation lists (CRLs). A CRL is a list of all digital certificates that have been revoked by the issuing CA and should no longer be trusted.
Certificate management requires automation and visibility
Certificate management can be highly complex depending on the number of machine identities in your network. Maintaining an inventory of where every digital certificate is located, what it does, and when it expires is a lot of work. The effort needed to keep track of all certificate renewals, reissues, and revocations is even greater. In most cases, manual certificate management is simply not feasible. These processes are tedious, repetitive, time-consuming, and highly prone to human error.
In the case of certificate management, even one tiny mistake can be disastrous. All it takes is one expired certificate to expose yourself to costly cyber-attacks, impact revenue, and even damage your reliability and reputation.
To properly manage digital certificates, automation is the only solution that streamlines the renewal, reissue, and revocation processes for machine identities. The Venafi Trust Protection Platform, optimized for machine identity management, was built just for this task. Secure your network against bad actors and eliminate certificate-related outages with the No-Outages Guarantee. Users can initiate certificate renewals, request a certificate reissue, and revoke certificates from a single portal.
(This blog has been updated. This was originally posted on July 2, 2021.)