Submitted by twovests in just_post

I understand a Certificate Authority issues a certificate saying "hey, this public key is the Real Deal." but that certificate expires, because it could be Dangerous if it didn't expire. So you gotta renew them periodically!

That is the extent of my knowledge. The person at my work who is supposed to renew certs is on vacation and none of us know how to fix it. Oh no! This is just like what happened to Raddle.

So, I Googled a Solution to the Problem and am waiting for someone with permissions to come fix it. But, while waiting, I wonder... Why is this not automated? Turns out Big Sites have this issue too.

I don't mean this question critically, I mean it because I know jack squat about certs. Is there a reason not to automatically renew them? Is there great difficulty there?

8

Comments


cute_spider_ni_srsly wrote

I am pretty sure most certificates across most organizations are renewed automatically.

There might be a business reason that yours are not, or it might be a legacy reason.

3

emma wrote (edited)

Up until 2015 or so, you had to buy certificates from companies who made the process of renewing a cert miserable. When Let's Encrypt opened to the public, you'd typically install an ACME client on your server to handle the renewal automatically.

But as it turns out, sometimes your cron jobs break, and the sysadmin is too busy making jokes about poop to care about the expiry warning emails. This is what happened in the case of Raddle.

Also automatic cert issuing needs to verify site ownership, and this can break too (e.g. if a cert covers many (sub)domains, and one of these domains is removed).

7

twovests OP wrote (edited)

ahh this makes sense. i appreciate the informative response :D

i believe my place's sysadmin also had an overbearing obligation to make jokes about poop, it happens

4

voxpoplar wrote

Also as I discovered at one point: Let's Encrypt certs only last a few months so even if auto-renewing is working make sure to actually restart your webserver every once in a while so it actually takes in the new cert when the cert is updated.

5
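As an added example (not code from this thread, from any ACME client, or from any project mentioned here), a small POSIX shell health check built on the openssl CLI that catches the two failure modes the replies above describe: the renewal job silently stopping, so the cert on disk drifts toward expiry (emma's broken cron job), and the renewed cert never being loaded, so the server keeps presenting the old one (voxpoplar's point). The cert file path, the warning window and the host/port are assumed to be supplied by the operator; the self-signed certs the demo generates are constructed locally and stand in for a real site's files.

```shell
#!/bin/sh
# Renewal health check: added example, not code from this thread or from
# any ACME client. Needs the openssl CLI; file paths and thresholds are
# whatever the operator passes in.
set -eu

# Exit 0 if the PEM certificate in $1 expires within $2 seconds.
# openssl's -checkend exits 1 when the cert WILL expire, so invert it.
# An unreadable file also ends up here, which is the loud failure we want.
cert_expires_within() {
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# SHA-256 fingerprint of the PEM certificate in $1 (colon-separated hex).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# PEM of the certificate a live server actually presents (network call;
# the offline demo below uses a local file instead).
fetch_served_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509
}

# Verdict for one site.
#   $1 = cert file the renewal job writes to disk
#   $2 = PEM file holding what the server serves (from fetch_served_cert)
#   $3 = warning window in seconds (e.g. 604800 = 7 days)
# Prints RENEWAL_STALLED, RELOAD_MISSING or OK.
check_renewal() {
    if cert_expires_within "$1" "$3"; then
        # The cron job / ACME client has not produced a fresh cert.
        echo RENEWAL_STALLED
    elif [ "$(cert_fingerprint "$1")" != "$(cert_fingerprint "$2")" ]; then
        # Fresh cert on disk, but the server was never reloaded.
        echo RELOAD_MISSING
    else
        echo OK
    fi
}

# Constructed test data: a self-signed cert in $1 valid for $2 days.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days "$2" -subj "/CN=example.test" >/dev/null 2>&1
}

# Offline demo: run as `sh check_renewal.sh demo`.
if [ "${1:-}" = demo ]; then
    dir=$(mktemp -d)
    make_test_cert "$dir/fresh.pem" 365
    make_test_cert "$dir/stale.pem" 1
    week=604800
    echo "fresh on disk, fresh served:  $(check_renewal "$dir/fresh.pem" "$dir/fresh.pem" $week)"
    echo "stale on disk, stale served:  $(check_renewal "$dir/stale.pem" "$dir/stale.pem" $week)"
    echo "fresh on disk, stale served:  $(check_renewal "$dir/fresh.pem" "$dir/stale.pem" $week)"
    rm -rf "$dir"
fi
```

In real use the served side comes from `fetch_served_cert host 443 > served.pem` followed by `check_renewal /etc/ssl/site.pem served.pem 604800` from a cron entry that mails or pages on anything other than OK; the fingerprint comparison is what distinguishes "renewal never ran" from "renewal ran, nobody reloaded the web server", which are fixed in different places.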