How long does it take to renew an SSL certificate?

I rent a managed dedicated server from a hosting company. A year ago, they added SSL support to one of my domains at my request.

Last night, however, the certificate expired:

yourdomain uses an invalid security certificate.

The certificate expired on April 9, 2016 at 03:33. The current time is April 9, 2016 at 10:00.

Error code: SEC_ERROR_EXPIRED_CERTIFICATE

I have little trust for this particular hosting company as they have shown a pattern of making errors, this being the latest example.

I created a ticket with their support and they are telling me that:

  • They have "requested the certificate be re-issued using the same private key" (at GeoTrust).
  • That "this may take up to 12 hours to appear"

My questions are:

  1. What are the steps involved in renewing a certificate? Is it simply a) Get new certificate from certificate provider b) Install new certificate on server?
  2. How long does it usually take?

To clarify: my host is usually very slow in getting things done. I want to be able to check on this certificate renewal and ensure it is performed in a timely fashion because hundreds of paying customers are currently unable to access the site.


Solution 1:

If your certificate is expired, you have to renew it, and the process of renewing SSL will be the same as when you initially purchased the certificate. Now, the time factor depends upon the type of validation certificate that you go with. For example, a domain validation certificate takes a few minutes to issue, while a business validation certificate takes up to 2 business days and an extended validation (EV) certificate takes up to 7 business days for verification and issuance.

The process of renewal includes generating the CSR, getting a new certificate, and finally installing the certificate on your desired server.

As you stated that your hosting provider is not up to the mark, you can also renew the certificate directly from the CA or its authorized reseller. Generally, resellers cost less compared to going to the CA directly and offer huge discounts as well.

Solution 2:

This will depend, especially for the worst-case, on the type of certificate in combination with how often the CA re-validates the certificate subject information for renewals.

First of all, if the CA has current enough validated information they may just sign the new certificate immediately.

If it's a domain-validated certificate (where the CA only validates that the certificate is issued to someone in control of the domain name, and where the cert doesn't really contain any information beyond the hostname it is valid for), the CA's part of this bare-minimum (re-)validation is typically automated and quick.

However, if it's a certificate that includes information about who the subject actually is, where the EV (Extended Validation) type of cert is the extreme case, the (re-)validation of subject information and ensuring that the claimed subject is actually the requester tends to involve a number of manual and often time-consuming steps. (In that case 12h is quite possibly too short.)

Once the CA has signed the certificate it's just a matter of configuring your web server to use the new certificate (along with any relevant intermediate certificates), which is just a quick routine thing to do.
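
One way to check from outside whether the renewed certificate is actually being served, as an added example that is not part of the original question or answers. The function names and the sample certificate values are constructed for illustration; the expiry time mirrors the error message in the question and is assumed to be GMT.

```python
import socket
import ssl
import sys
import time

X509_V_ERR_CERT_HAS_EXPIRED = 10  # OpenSSL verify code for an expired certificate

def summarize_cert(cert, now=None):
    """Summarize a dict from SSLSocket.getpeercert(): serial, expiry, days left."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "serial": cert.get("serialNumber"),  # changes when the CA re-issues
        "not_after": cert["notAfter"],
        "valid_now": not_before <= now <= not_after,
        "days_left": int((not_after - now) // 86400),  # negative once expired
    }

def check_served_cert(host, port=443, timeout=10):
    """Connect with normal verification and report what the server presents."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return {"status": "ok", **summarize_cert(tls.getpeercert())}
    except ssl.SSLCertVerificationError as exc:
        # The handshake aborts on a verification failure, so there is no
        # parsed certificate to read; the OpenSSL verify code says why.
        expired = exc.verify_code == X509_V_ERR_CERT_HAS_EXPIRED
        return {"status": "expired" if expired else "invalid",
                "detail": exc.verify_message}

# Constructed samples in getpeercert() format (not real certificates).
SAMPLE_OLD = {"serialNumber": "0A01", "notBefore": "Apr  9 03:33:00 2015 GMT",
              "notAfter": "Apr  9 03:33:00 2016 GMT"}
SAMPLE_RENEWED = {"serialNumber": "0B02", "notBefore": "Apr  9 00:00:00 2016 GMT",
                  "notAfter": "Apr 10 23:59:59 2017 GMT"}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check_served_cert(sys.argv[1]))  # live check of the given host
    else:
        at = ssl.cert_time_to_seconds("Apr  9 10:00:00 2016 GMT")
        print(summarize_cert(SAMPLE_OLD, now=at))
        print(summarize_cert(SAMPLE_RENEWED, now=at))
```

Run against the live hostname, a result of `expired` means the old certificate is still installed; `ok` with a new serial and a later `not_after` means the re-issued certificate is in place.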