The annoying timing of future SSL certificate renewals

December 28, 2009

One of the most annoying things about the whole ipsCA situation for me is what it's going to do to our SSL certificate renewal timing (ipsCA gave educational institutions free SSL certificates, so we have a bunch from them). In his entry about ipsCA, Bob Plankers commented:

It would also be nice to have all those SSL certificates co-terminate, so we can renew them all at once.

This is not an attractive idea for me. There are two problems with it: one general, and one specific to the timing of this situation.

The general problem is that SSL certificate changeovers are, well, changes. We generally don't like making a lot of changes at once, so a lot of SSL certificates expiring at once and having to all be changed at once is not something I consider a good thing. On the whole I would much rather have things spaced out, say one SSL certificate update a week, rather than having to do them all in a few days.

(This is especially the case as SSL certificate changes can involve service interruptions where we have to stop and restart daemons to get them to pick up new certificate information. If we have to do everything at once, that's a fairly big and user-visible interruption.)

The specific problem is that we will almost certainly wind up with a dozen or so SSL certificates that all expire in very early January. You know, right when the university comes back from Christmas vacation. A fire drill of SSL certificate updates right after a vacation is not really what I want, to put it one way; we often have enough problems to deal with as it is.

(I suppose that this problem is somewhat illusory, as we would almost certainly renew and change certificates in early December the next time we had to renew, eating the loss of a month of certificate time.)

While I'm on this issue, I really dislike how SSL certificate vendors issue SSL certs for exactly a year, instead of something handy like a year and a week. Since you need to get a new SSL certificate before your old one expires and SSL vendors generally don't let you pick the start date of your year, the net effect is that you never get a year's use out of your certificate; instead you get somewhat less, and every year your renewal date creeps backwards by a week or two.

(This was acceptable with ipsCA's certificates, since they were free. It's annoying with certificates that we pay for.)
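As an added illustration (not part of the original entry, and not a tool the author describes running), here is a small standard-library Python script that models the two problems above: the creep that comes from one-year certificates renewed a couple of weeks early, and the cluster of early-January expiries that turns renewals into a post-vacation fire drill. It also works out a staggered schedule that keeps renewals at least a week apart and out of a vacation window, which is the "one certificate a week" approach described earlier. The hostnames, expiry dates and vacation window are constructed example values, and `renewal_creep`, `coterminating`, `stagger_renewals` and `schedule_is_valid` are names chosen for this example.

```python
from datetime import date, timedelta

# Constructed inventory of certificates and their notAfter dates: a cluster that
# expires in the first week of January (the situation the entry describes) plus
# one outlier. Made-up values, not the author's real hosts or certificates.
INVENTORY = {
    "www.example.edu": date(2011, 1, 4),
    "mail.example.edu": date(2011, 1, 5),
    "ldap.example.edu": date(2011, 1, 6),
    "wiki.example.edu": date(2011, 1, 7),
    "vpn.example.edu": date(2011, 3, 15),
}

# Constructed blackout window (inclusive): nobody should be swapping
# certificates over the Christmas vacation or in the first days back.
VACATION = (date(2010, 12, 20), date(2011, 1, 10))

# Constructed issue date for the creep model below.
FIRST_ISSUE = date(2010, 1, 15)


def renewal_creep(first_issue, years, lead_days=14, validity_days=365):
    """Model the creep the entry complains about: each replacement certificate
    is issued lead_days before the old one expires and is valid for
    validity_days from that issue date, so every cycle the expiry moves
    lead_days earlier. Returns one (issue, expiry) pair per cycle."""
    history = []
    issue = first_issue
    for _ in range(years):
        expiry = issue + timedelta(days=validity_days)
        history.append((issue, expiry))
        issue = expiry - timedelta(days=lead_days)  # renew before the old one lapses
    return history


def coterminating(inventory, window_days=7):
    """Group hostnames whose certificates expire within window_days of the
    earliest expiry in their group. A large group is a batch of changes that
    will all have to happen in the same few days."""
    groups = []
    for host, expiry in sorted(inventory.items(), key=lambda kv: kv[1]):
        if groups and (expiry - inventory[groups[-1][0]]).days <= window_days:
            groups[-1].append(host)
        else:
            groups.append([host])
    return groups


def stagger_renewals(inventory, lead_days=14, gap_days=7, blackout=None):
    """Assign each certificate a renewal date that is no later than lead_days
    before it expires, at least gap_days away from every other renewal, and
    outside the optional blackout window. Works backwards from the latest
    expiry so each renewal is as late as the constraints allow, which wastes
    the least paid-for certificate time."""
    schedule = {}
    latest_allowed = None  # the next (earlier) renewal may not be after this
    for host, expiry in sorted(inventory.items(), key=lambda kv: kv[1], reverse=True):
        when = expiry - timedelta(days=lead_days)
        if latest_allowed is not None:
            when = min(when, latest_allowed)
        if blackout and blackout[0] <= when <= blackout[1]:
            when = blackout[0] - timedelta(days=1)  # move to just before the window
        schedule[host] = when
        latest_allowed = when - timedelta(days=gap_days)
    return schedule


def schedule_is_valid(inventory, schedule, lead_days=14, gap_days=7, blackout=None):
    """Independently re-check a schedule against the same three constraints."""
    for host, when in schedule.items():
        if when > inventory[host] - timedelta(days=lead_days):
            return False
        if blackout and blackout[0] <= when <= blackout[1]:
            return False
    dates = sorted(schedule.values())
    return all((b - a).days >= gap_days for a, b in zip(dates, dates[1:]))


if __name__ == "__main__":
    for issue, expiry in renewal_creep(FIRST_ISSUE, years=3):
        print(f"issued {issue}  expires {expiry}  ({(expiry - issue).days} days)")
    print("co-terminating groups:", coterminating(INVENTORY))
    plan = stagger_renewals(INVENTORY, blackout=VACATION)
    for host in sorted(plan, key=plan.get):
        print(f"{plan[host]}  renew {host}  (expires {INVENTORY[host]})")
    assert schedule_is_valid(INVENTORY, plan, blackout=VACATION)
```

With the constructed inventory the four January certificates get pushed back to late November and early December, one a week, and the March one is left alone; the cost of avoiding the vacation window is that the earliest renewal happens about three weeks before it strictly has to, which is the "eating the loss of a month of certificate time" trade-off the entry mentions.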

Comments on this page:

From at 2009-12-28 02:52:05:

If you can go with the same vendor as your old certificate, they will usually add the missing time to your next certificate. But only if you use the same CSR (therefore same private key) and you choose "renewal".

By cks at 2009-12-28 02:59:00:

Well, that's useful to know (I haven't exactly bought certificates recently), and an excellent reason for us to keep our CSRs around. Thank you.

Written on 28 December 2009.

Last modified: Mon Dec 28 02:17:22 2009