2

Often one hears about "renewing an SSL certificate" or "renewing an X.509 certificate", but I wonder what this actually means. Usually, step #1 of the renewal process is "generate a new CSR". Doesn't this mean that what is actually happening is that a new certificate is actually being issued, possibly with the same information (and maybe even the same public/private key pair) as the expired certificate?

Is anything guaranteed to stay the same when the certificate is renewed? The subject would have to stay the same (otherwise, how could it be considered the same certificate?), but what else?

Mark
  • 308
  • 1
  • 3
  • 11

1 Answers1

2

Generally, this means that a new certificate is issued, with the same common name / organizational details as the old certificate, but with a new expire date. There is nothing technically guaranteed to be the same (They could always just generate with a different CN and call it a renewal if they wanted to), but I wouldn't really consider that a renewal. The concept of a renewal is more for discounts or business/customer/sales reasons than anything technical.

Darth Android
  • 37,872
  • 5
  • 94
  • 112
  • So, what you're saying is that "certificate renewal" is a business operation, not a technology operation? – Mark Jan 28 '13 at 22:05
  • Correct. On the technical level, you're generating a new certificate signing request for a certificate, and the CA is signing it. There's no difference there than when you got it signed the first time. The price is usually much cheaper because the first time the CA does a whole bunch of background checks before they'll sign it, and they don't necessarily have to do those again since they already know that you're who you say you are. – Darth Android Jan 28 '13 at 22:08
  • *theoretically* does a whole bunch of background checks... – Mark Jan 28 '13 at 22:18