Does reissuing an SSL certificate invalidate the previously-issued certificate?
I used the "reissue certificate" functionality at an SSL certificate vendor (RapidSSL, FWIW) to get a new certificate - in doing so, I created and used a new private key and pass phrase.
Will the re-issuance of this certificate cause the previously-issued certificate to become invalid? If so, how long does that take?
Not automatically, for RapidSSL. For other vendors and/or certificate grades, it may be automatic.
RapidSSL don't automatically invalidate a certificate when it is re-issued, according to their Certificate Practice Statement. This would be a function of how much you pay for the certificate.
In section II.B.5 of the currently-google-able CPS:
GeoTrust will not revoke a Certificate previously issued following a refund or reissue request. A request for a refund or reissue of a Certificate will not be treated as a request by the Subscriber for revocation of a Certificate previously issued by GeoTrust unless the Subscriber follows the procedures for requesting revocation as stated at Section III.I. of this CPS.
In section III.I it says:
Certificate revocation is the process by which GeoTrust prematurely ends the Operational Period of a Certificate by posting the serial number of the Certificate to a Certificate Revocation List. A Subscriber shall inform GeoTrust and promptly request revocation of a Certificate:
- whenever any of the information on the Certificate changes or becomes obsolete; or
- whenever the Private Key, or the media holding the Private Key, associated with the Certificate is Compromised; or
- upon a change in the ownership of a Subscriber's web server.

Subscriber shall state the reason(s) for requesting revocation upon submitting the request.
Elsewhere it minimally promises that revoked certificates will be added to the CRL 'at least once a week'.
Reading the Certificate Practice Statement of any purchaser of SSL certificate services is a good thing for a buyer to do.
Yes, they will revoke the old certificate.
The way that SSL revocation works is that, inside the certificate, the vendor places a URL where the client (e.g. browser) should check if the certificate is still valid (called a CRL).
So there is no hard and fast answer to this, it depends on the client. In some cases, like this article, it suggests it won't be checked at all.
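
Added example, not part of either answer or of any vendor's tooling: a throwaway OpenSSL CA that reissues a certificate, then revokes the old one, and reports what a client sees with and without a CRL check. The CA name, the host `www.example.test` and all file names are constructed for the demo.

```bash
# Constructed demo: throwaway CA and the hypothetical host www.example.test.
set -eu
work=$(mktemp -d); cd "$work"
mkdir newcerts; : > index.txt; echo 1000 > serial
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
commonName = CN
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
new_certs_dir = newcerts
serial = serial
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
unique_subject = no
policy = any
[ any ]
commonName = supplied
EOF

issue() {  # issue NAME: fresh key and CSR for the same subject, signed by the CA
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
    -subj "/CN=www.example.test" -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl ca -batch -notext -config ca.cnf -in "$1.csr" -out "$1.crt" 2>/dev/null
}
publish_crl() { openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null; }
# check CERT [crl]: print "valid" or "rejected"; with "crl" the CRL is consulted
check() {
  if openssl verify -CAfile ca.crt ${2:+-crl_check -CRLfile ca.crl} "$1" >/dev/null 2>&1
  then echo valid; else echo rejected; fi
}

openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf -extensions v3_ca \
  -subj "/CN=Demo CA" -days 30 -keyout ca.key -out ca.crt 2>/dev/null
issue old; issue new; publish_crl        # "reissue": second cert, new key
after_reissue=$(check old.crt crl)        # old cert is not on the CRL yet
openssl ca -config ca.cnf -revoke old.crt 2>/dev/null; publish_crl
no_crl_client=$(check old.crt)            # client that never looks at the CRL
crl_client=$(check old.crt crl)           # client that does
echo "after reissue: $after_reissue; revoked, no CRL check: $no_crl_client;" \
     "revoked, CRL check: $crl_client; new cert: $(check new.crt crl)"
```

The old certificate only stops verifying once it has been explicitly revoked, a fresh CRL has been published, and the client actually checks that CRL.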