
I'm renewing my certificate every year. Since I have to make a CSR, should I also renew my key pair at the same time, or is it OK to get a new cert with the same key? Please supply any security standard backing up your answers.

I'm now going to renew the SSL cert for my domain and wonder which approach I should take.

Thanks.

sylye
  • It's trivial to do so, so unless you really just don't want to, I'd just create a new private key and CSR. – Jared Farrish Dec 12 '11 at 07:52
  • You mean you would recommend creating a new private key every year when I need to request a new cert? (Do you mean 'it's not trivial to do so'?) Is there any security concern if we don't generate a new key? –  Dec 12 '11 at 11:22
  • @user567761, I think he meant "it's trivial to do so". It may not be "trivial" as such to people who don't do it regularly, but most CAs will give you the command to type to create a CSR with new keys. If you follow their instructions, it shouldn't take more than 10 minutes every time you have to renew your certificate. – Bruno Dec 12 '11 at 11:26
  • As @Bruno states, it is fairly trivial to generate a private key and CSR once you've done it once or twice. We just "renewed" ours on two Tomcat servers, and it literally took a total of five minutes to complete from keystore/private key/CSR generation, to installing the signed cert. Restarting the services that use them took almost as long. I don't know of any reason to discard a previous private key, but it's not imperative to keep it, either. – Jared Farrish Dec 12 '11 at 11:34
  • For example, here is a [list of server instructions at GeoTrust](http://www.geotrust.com/support/generate-csr/) that provides all of the commands/instructions needed. – Jared Farrish Dec 12 '11 at 11:41

1 Answer

Reasons to Regenerate

  1. In case there was a private key compromise you didn't know about
  2. If you are renewing your cert, why not?

Reasons to Not Regenerate

  1. Adds little (if any) extra protection

  2. As CA compromises become more commonplace, browser plugins are remembering visited sites' certificate fingerprints in order to check for changes (a type of anomaly detection). Changing your key will change the fingerprint.

  3. Unnecessary work

This was the best I could come up with. I think solely for #2 on the Not list, I wouldn't do it. You can look at these though and weigh the reasons given your specific setup.

If anyone else has any to add, let me know.

mikeazo
  • Hi mikeazo, by not regenerating the private key, you mention it 'adds little (if any) extra protection'. Why is that? Mind elaborating more? – sylye Dec 14 '11 at 03:51
  • @mikeazo: the "fingerprint" used by browsers is a hash on the certificate, not on the public key only. In the envisioned scenario, a new certificate is obtained (with at least new validity dates) so the fingerprint is always changed anyway. – Thomas Pornin Dec 25 '11 at 22:38
  • @ThomasPornin, good point. I hadn't thought about that. – mikeazo Dec 26 '11 at 13:18
  • On that note, if not in the browser environment, certificate/key management might come into play (openvpn all certs are pinned for example?) – ewanm89 Apr 20 '12 at 14:01
  • @sylye "_Mind to elaborate more ?_" Think about it: is the old cert still valid? – curiousguy Jul 26 '12 at 19:33
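The script below is an added example; it is not part of the question or of mikeazo's answer. It runs through the renewal procedure the question asks about (new CSR from the existing key, then a new key and CSR) and checks the distinction Thomas Pornin draws in the comments: the certificate fingerprint is a hash over the whole certificate, while a key pin hashes only the SubjectPublicKeyInfo. It assumes only the `openssl` command line tool; the subject `example.com`, the file names and the serial numbers are constructed, and self-signing stands in for the CA so that the example runs offline.

```shell
#!/bin/sh
# Added example (not from the original post). Issues three certificates:
#   cert-2011.pem         : this year's cert, key A
#   cert-2012.pem         : next year's renewal, same key A, new CSR
#   cert-2012-newkey.pem  : next year's renewal with a fresh key B
# and compares two hashes that pinning tools use:
#   - certificate fingerprint : SHA-256 over the whole DER certificate
#   - SPKI hash               : SHA-256 over the public key only
# Assumption: only the openssl CLI is available. Subject, paths and serials are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

gen_key() {            # $1 = output path for a new 2048-bit RSA private key
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
}

make_csr() {           # $1 = private key, $2 = CSR output (constructed subject)
  openssl req -new -batch -key "$1" -subj "/CN=example.com" -out "$2" 2>/dev/null
}

issue_cert() {         # $1 = CSR, $2 = key, $3 = serial, $4 = certificate output
  # Self-signing stands in for the CA; a real CA signs with its own key and
  # picks its own serial, so a renewed cert never has the same serial or dates.
  openssl x509 -req -in "$1" -signkey "$2" -days 365 -set_serial "$3" -out "$4" 2>/dev/null
}

cert_fingerprint() {   # what browsers display: hash over the entire certificate
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

spki_hash() {          # hash over the SubjectPublicKeyInfo only (HPKP-style key pin)
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# --- renewal with the same key pair -------------------------------------
gen_key   "$WORK/key-a.pem"
make_csr  "$WORK/key-a.pem" "$WORK/req-2011.csr"
issue_cert "$WORK/req-2011.csr" "$WORK/key-a.pem" 1001 "$WORK/cert-2011.pem"
make_csr  "$WORK/key-a.pem" "$WORK/req-2012.csr"            # new CSR, same key
issue_cert "$WORK/req-2012.csr" "$WORK/key-a.pem" 1002 "$WORK/cert-2012.pem"

# --- renewal with a fresh key pair --------------------------------------
gen_key   "$WORK/key-b.pem"
make_csr  "$WORK/key-b.pem" "$WORK/req-2012-newkey.csr"
issue_cert "$WORK/req-2012-newkey.csr" "$WORK/key-b.pem" 1003 "$WORK/cert-2012-newkey.pem"

# Same key, new cert: the fingerprint changes anyway (new serial, dates and
# signature), so a certificate-fingerprint pin breaks on every renewal; the
# SPKI hash stays the same.
same_key_renewal() {
  [ "$(cert_fingerprint "$WORK/cert-2011.pem")" != "$(cert_fingerprint "$WORK/cert-2012.pem")" ] &&
  [ "$(spki_hash "$WORK/cert-2011.pem")" = "$(spki_hash "$WORK/cert-2012.pem")" ]
}

# New key, new cert: both hashes change, so even a key-based pin must be updated.
new_key_renewal() {
  [ "$(cert_fingerprint "$WORK/cert-2011.pem")" != "$(cert_fingerprint "$WORK/cert-2012-newkey.pem")" ] &&
  [ "$(spki_hash "$WORK/cert-2011.pem")" != "$(spki_hash "$WORK/cert-2012-newkey.pem")" ]
}

# Sanity check: the SPKI hash taken from the cert equals the hash of the key file's
# public half, which is how an operator verifies a cert matches the intended key.
key_matches_cert() {
  k=$(openssl pkey -in "$WORK/key-a.pem" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}')
  [ "$k" = "$(spki_hash "$WORK/cert-2011.pem")" ]
}

for c in cert-2011 cert-2012 cert-2012-newkey; do
  printf '%-17s fingerprint=%s\n' "$c" "$(cert_fingerprint "$WORK/$c.pem")"
  printf '%-17s spki-sha256=%s\n' "$c" "$(spki_hash "$WORK/$c.pem")"
done
same_key_renewal && echo "same key   : fingerprint changed, SPKI hash unchanged"
new_key_renewal  && echo "new key    : fingerprint and SPKI hash both changed"
key_matches_cert && echo "key A matches cert-2011"
```

The practical consequence for anyone maintaining pins or fingerprint-based anomaly detection: a pin on the certificate fingerprint has to be refreshed on every renewal whether or not the key changes, whereas a pin on the SPKI hash survives a same-key renewal and only needs updating when the key is rotated. That is also why rotating the key with each CSR costs little more than the renewal itself, since the only extra step is publishing the new key hash wherever it is pinned.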