1

I've a question regarding https certificate changes. Does anyone know any side-effects to changing the certificate, one signed with RSASHA1 to one signed with RSASHA256 for ex, while users already have established secure channels with the old certificate?

I imagine new users, that are just establishing their secure channels, would just pickup the new certificate, and perform key exchange using its public key, but what about users that already have their SSL handshake and key exchange performed with the old one, and for some reason their secure channel needs to be re-established, and the new one is picked up. During the re-establishment is it practically a whole new SSL handshake, with no dependency on the old one?

Also, I've a smaller question regarding certificate pinning. If the new certificate is signed with a different algorithm (RSASHA256 in my example), is the certificate pinning process the same on all clients (browsers)? What I'm, particularly curious is, will the pinning of the root certificate, which I'm assuming is new and hasn't been pinned out-of-band, ask for any user involvement? Or will it always be done automatically, with no awareness from the user of the browser? And how much of risk is this, if the certificate pinning process is tainted with a man-in-the-middle attack?

M'vy
  • 13,053
  • 3
  • 48
  • 69

1 Answers1

1

The change of a certificate in a web-server is not just a basic configuration setting. For example, changing a certificate for a website on apache requires a full restart.

This means that the established connections will be cut off by the restart anyway. Suppose you do this fast enough, subsequent request from user that were using your website will have to renegotiate their sessions (since the server will have forgotten them). So they will be served the new certificate from now on.

Certificate pinning is by definition a client-side action (see What is certificate pinning?) change of certificate will require a change of the pin (unless you pinned the signing certificate that issues your keys).

M'vy
  • 13,053
  • 3
  • 48
  • 69