Wandering Thoughts archives

2009-12-28

The annoying timing of future SSL certificate renewals

One of the most annoying things about the whole ipsCA situation for me is what it's going to do to our SSL certificate renewal timing (ipsCA gave educational institutions free SSL certificates, so we have a bunch from them). In his entry about ipsCA, Bob Plankers commented:

It would also be nice to have all those SSL certificates co-terminate, so we can renew them all at once.

This is not an attractive idea for me. There are two problems with this, one general one and one specific to the timing of this situation.

The general problem is that SSL certificate changeovers are, well, changes. We generally don't like making a lot of changes at once, so a lot of SSL certificates expiring at once and having to all be changed at once is not something I consider a good thing. On the whole I would much rather have things spaced out, say one SSL certificate update a week, rather than having to do them all in a few days.

(This is especially the case as SSL certificate changes can involve service interruptions where we have to stop and restart daemons to get them to pick up new certificate information. If we have to do everything at once, that's a fairly big and user-visible interruption.)

The specific problem is that we will almost certainly wind up with a dozen or so SSL certificates that all expire in very early January. You know, right when the university comes back from Christmas vacation. A fire drill of SSL certificate updates right after a vacation is not really what I want, to put it one way; we often have enough problems to deal with as it is.

(I suppose that this problem is somewhat illusory, as we would almost certainly renew and change certificates in early December the next time we had to renew, eating the loss of a month of certificate time.)

While I'm on this issue, I really dislike how SSL certificate vendors issue SSL certs for exactly a year, instead of something handy like a year and a week. Since you need to get a new SSL certificate before your old one expires and SSL vendors generally don't let you pick the start date of your year, the net effect is that you never get a year's use out of your certificate; instead you get somewhat less, and every year your renewal date creeps backwards by a week or two.

(This was acceptable with ipsCA's certificates, since they were free. It's annoying with certificates that we pay for.)
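To make the two timing problems above concrete, here is a small scheduler, written for this page and not part of the original entry or any tool the author mentions. It takes a constructed inventory of certificates that all expire in early January, spaces the changeovers out to one per week, keeps them out of an assumed holiday blackout window (Dec 20 through Jan 7), and reports how many paid-for days each certificate loses as a result; it also models the year-over-year "creep" of the renewal date when vendors issue exactly 365 days starting from the renewal. The service names, expiry dates, two-week lead time, weekly spacing and blackout window are all assumptions chosen for illustration.

```python
from datetime import date, timedelta

# Constructed sample inventory of (service, notAfter) pairs. These are not
# real hosts or certificates; they model the "dozen certs expiring in very
# early January" situation from the post, scaled down.
CERTS = [
    ("mail",    date(2011, 1, 4)),
    ("www",     date(2011, 1, 4)),
    ("ldap",    date(2011, 1, 5)),
    ("vpn",     date(2011, 1, 6)),
    ("webmail", date(2011, 1, 7)),
    ("imap",    date(2011, 1, 10)),
]

LEAD_DAYS = 14                       # assumption: finish each changeover >= 2 weeks early
SPACING = timedelta(days=7)          # assumption: at most one changeover per week
CERT_LIFETIME = timedelta(days=365)  # vendors issue exactly one year (the post's complaint)


def in_blackout(d):
    """Assumed blackout: no planned changeovers from Dec 20 through Jan 7."""
    return (d.month == 12 and d.day >= 20) or (d.month == 1 and d.day <= 7)


def plan_renewals(certs, lead_days=LEAD_DAYS, spacing=SPACING):
    """Schedule one changeover per `spacing`, each at least `lead_days` before
    its certificate expires and outside the blackout window.

    Works backwards from the latest deadline so every certificate is replaced
    in time; earlier-expiring certs get pushed further back as needed.
    Returns [(service, renew_on, expires)] in renewal order.
    """
    latest_first = sorted(certs, key=lambda c: c[1], reverse=True)
    plan = []
    slot = None
    for name, expires in latest_first:
        deadline = expires - timedelta(days=lead_days)
        slot = deadline if slot is None else min(deadline, slot - spacing)
        while in_blackout(slot):          # step back out of the holiday window
            slot -= timedelta(days=1)
        plan.append((name, slot, expires))
    plan.reverse()
    return plan


def days_lost(plan):
    """Paid-for validity thrown away by renewing early: {service: days}."""
    return {name: (expires - renew_on).days for name, renew_on, expires in plan}


def renewal_creep(first_expiry, years, lead_days=LEAD_DAYS, lifetime=CERT_LIFETIME):
    """Model the post's 'creep': each year you renew `lead_days` before expiry
    and the new certificate runs `lifetime` from the renewal date (assumption:
    the vendor starts the clock at issue, not at the old expiry).
    Returns the successive expiry dates, starting with `first_expiry`."""
    expiries = [first_expiry]
    for _ in range(years):
        renew_on = expiries[-1] - timedelta(days=lead_days)
        expiries.append(renew_on + lifetime)
    return expiries


if __name__ == "__main__":
    plan = plan_renewals(CERTS)
    lost = days_lost(plan)
    for name, renew_on, expires in plan:
        print(f"{name:8s} renew {renew_on}  expires {expires}  ({lost[name]} days unused)")
    print("creep:", [str(d) for d in renewal_creep(date(2011, 1, 4), 3)])
```

Run it and the first changeover lands in mid-November for a certificate that expires on January 4, which is the cost of spacing things out; the creep model shows the expiry drifting from early January to late November within three renewals even with a two-week lead. In practice the inventory would come from the certificates' own notAfter fields rather than a hand-written list.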

sysadmin/SSLCertificateTiming written at 02:17:22

