1

Say I am using a trusted third party CA site to manage my cert. I created a new cert called CertA at the CA web interface, downloaded the signed cert and use it on my web server. Some time later I found some errors with my web application after implementing CertA. So I saved it's cert.db and key.db and proceed to reissue a new cert called CertB and install it on my web server.

The question now is this: If I want to use CertA again, can I just do it by copying back my saved key.db and cert.db and leave the record at the CA as CertB? OR does it need to be "synced" at the CA as well? That is, my web server holds CertA, and the CA site hold CertA as well.

schroeder
  • 125,553
  • 55
  • 289
  • 326
JinPangPang
  • 1,931
  • 2
  • 16
  • 27

1 Answers1

3

In short: You can just start using CertA again, until its expiry date, as the CA is not directly involved when certificates are used.

The CA is not directly involved in your use of certificates, unless you revoked the certificate CertA. Revocation means that you go to the CA and explicitly tell them "The certificate CertA was compromised.". There is usually some kind of section on the CA website to do that. They will then revoke the certificate, which means that it announces to browsers that the certificate is no longer secure (through several different means, CRL and OCSP are keywords you want to look for to learn more).

So, assuming you didn't revoke CertA explicitly, you can use it again.

edit:
Note that there are some edge cases where a scenario similar to yours exists, where a specific certificate/set of certificates is identified as the only valid one for a domain or server. If you want to implement this, there are multiple ways to do it (DANE, certificate pinning, and approaches using browser extensions like CertificatePatrol or convergence), but all of them are very much experimental at the moment, and I'd say it is unlikely that this will change in the near future. You can find more information at OWASP and this question on certificate pinning.

  • Ok Thanks. I always thought that somehow there is a connection back to the CA repository to verify cert information every time there is SSL connection. ( OCSP???). – JinPangPang Aug 12 '15 at 04:44
  • 2
    @PangSerLark: there are such requests but they only check if the certificate is not revoked. Unless you or the CA did not only create a new certificate but also revoked the old certificate the old certificate is still valid. If a revocation was done is not visible from the information you have provided. – Steffen Ullrich Aug 12 '15 at 05:14
  • 1
    @PangSerLark as Steffen writes, OCSP is only for revocation, but in addition it is not enabled by default in most clients. The way OCSP works is that the CA maintains a list of certificates that are in use (using the serial number in the certificate), and removes certificates from the list when a certificate is revoked. OCSP only verifies whether a certificate is on the list. It is possible to explicitly mark a specific certificate as the only valid one, but this is not common practice. I'll add a bit to my answer, though. – Rens van der Heijden Aug 12 '15 at 06:27
  • lol i just got a reply from the CA support that I need to generate CSR and reissue cert. – JinPangPang Aug 12 '15 at 08:24