When you reissue an SSL/TLS certificate through providers like RapidSSL, the process involves generating a new public/private key pair and obtaining fresh certificate files. Importantly, this action does not automatically revoke the previously issued certificate unless explicitly requested during the reissuance process.
The validity of both certificates depends on several technical factors:
- Certificate Revocation List (CRL): The original certificate remains valid until it appears in the CRL
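- OCSP and OCSP Stapling: Browsers will check the certificate's revocation status through OCSP, either by querying the CA's responder or by reading a response the server staples into the TLS handshake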
- CA Policy: Some CAs automatically revoke previous certificates when reissuing
If revocation does occur (either manual or automatic), the propagation typically follows this timeline:
- 0-1 hour: CA updates internal revocation databases
- 1-4 hours: CRL updates propagate to intermediate servers
- 4-24 hours: Full propagation to end-user clients (varies by browser)
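Here's how to find a certificate's CRL distribution point and inspect the stapled OCSP response using OpenSSL:
# Print the CRL distribution point (the URI sits a few lines below the heading)
openssl s_client -connect example.com:443 -servername example.com < /dev/null 2>/dev/null \
| openssl x509 -text -noout | grep -A 4 "CRL Distribution Points"
# Or for OCSP check (-servername sends SNI so the server presents the certificate for this host):
openssl s_client -connect example.com:443 -servername example.com -status < /dev/null 2>/dev/null \
| grep -A 17 "OCSP response:"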
When reissuing certificates:
- Always assume a 24-hour overlap period where both certs might work
- For critical systems, manually revoke old certificates after confirming new ones work
- Use certificate transparency logs to monitor changes (https://crt.sh)
- Consider implementing certificate pinning for sensitive applications
The behavior varies across platforms:
- NGINX/Apache: Both certificates can coexist until restart
- Load Balancers (AWS ALB): Certificates are versioned and can run simultaneously
- Kubernetes Ingress: Secret updates trigger immediate replacement
When you reissue an SSL certificate through providers like RapidSSL, the behavior depends on the Certificate Authority's (CA) policies and your specific actions. The critical factor is whether you requested revocation of the old certificate during the reissuance process.
Most CAs (including RapidSSL) follow these patterns:
- Simply reissuing a certificate does not automatically revoke the previous one
- Both certificates remain technically valid until their expiration dates
- The old certificate can still be used unless explicitly revoked
Revocation typically happens in these scenarios:
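// Example of checking certificate validity in Node.js
const https = require('https');
const tls = require('tls');
const options = {
  host: 'example.com',
  port: 443,
  method: 'GET',
  checkServerIdentity: (host, cert) => {
    // Keep the default hostname check; overriding this hook replaces it
    const err = tls.checkServerIdentity(host, cert);
    if (err) return err;
    // Expiry check only: this does not show whether the certificate was revoked
    const currentDate = new Date();
    if (new Date(cert.valid_to) < currentDate) {
      // The hook reports failure by returning an Error
      return new Error('Certificate expired');
    }
    // Additional OCSP or CRL checks would go here
  }
};
// Send the request so the checks above actually run
https.request(options, (res) => res.resume())
  .on('error', (e) => console.error(e.message))
  .end();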
To properly handle certificate transitions:
- Always revoke old certificates when reissuing
- Use certificate transparency logs to monitor your certificates
- Implement proper OCSP stapling on your servers
Consider this Apache configuration snippet for handling multiple certificates:
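# SSLStaplingCache belongs in the global server config, outside any <VirtualHost>
SSLStaplingCache "shmcb:logs/stapling_cache(128000)"
<VirtualHost *:443>
    SSLEngine on
    # mod_ssl documents repeated SSLCertificateFile directives for
    # different key algorithms (for example RSA and ECDSA)
    # Old certificate (still valid unless revoked)
    SSLCertificateFile /path/to/old_cert.pem
    SSLCertificateKeyFile /path/to/old_key.key
    # New certificate
    SSLCertificateFile /path/to/new_cert.pem
    SSLCertificateKeyFile /path/to/new_key.key
    # OCSP stapling, so clients receive revocation status in the handshake
    SSLUseStapling on
</VirtualHost>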
Use OpenSSL to verify certificate status:
openssl s_client -connect example.com:443 -servername example.com -showcerts </dev/null 2>/dev/null | openssl x509 -noout -dates
For revocation status specifically:
openssl s_client -connect example.com:443 -servername example.com -status </dev/null 2>/dev/null | grep -A 17 "OCSP response"
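When the server staples nothing, the `-status` checks shown on this page print only "no response sent", which is not evidence that the certificate is unrevoked. The function below is an added example, not part of the original page: it summarises `openssl s_client -status` output, and the name `staple_status`, the sample outputs, serial numbers and dates are all constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): summarise the stapled OCSP
# response in `openssl s_client -status` output read from stdin.
# Prints: no-staple | no-ocsp-data | <status> serial=<hex> <detail>
staple_status() {
  awk '
    /^OCSP response: no response sent/  { none = 1 }
    /^ *Serial Number:/ && serial == "" { serial = $NF }
    /^ *Cert Status:/                   { status = $NF }
    /^ *Revocation Time:/ { sub(/^ *Revocation Time: */, ""); revoked_at = $0 }
    /^ *Next Update:/     { sub(/^ *Next Update: */, "");     next_up = $0 }
    END {
      if (none)         { print "no-staple";    exit }  # nothing stapled: not proof of validity
      if (status == "") { print "no-ocsp-data"; exit }  # handshake failed or output truncated
      if (status == "revoked") {
        printf "revoked serial=%s revoked_at=%s\n", serial, revoked_at
      } else {
        printf "%s serial=%s next_update=%s\n", status, serial, next_up
      }
    }'
}

# Constructed sample outputs; serial numbers and dates are made up.
SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent
---'

SAMPLE_GOOD='OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Certificate ID:
      Serial Number: 0A1B2C3D
    Cert Status: good
    This Update: Jan  1 00:00:00 2024 GMT
    Next Update: Jan  8 00:00:00 2024 GMT'

SAMPLE_REVOKED='OCSP response:
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Certificate ID:
      Serial Number: 0A1B2C3C
    Cert Status: revoked
    Revocation Time: Jan  2 10:00:00 2024 GMT
    This Update: Jan  3 00:00:00 2024 GMT
    Next Update: Jan 10 00:00:00 2024 GMT'

for s in "$SAMPLE_NONE" "$SAMPLE_GOOD" "$SAMPLE_REVOKED"; do
  printf '%s\n' "$s" | staple_status
done
```

Against a live server, pipe the `-status` command into it: `openssl s_client -connect example.com:443 -servername example.com -status </dev/null 2>/dev/null | staple_status`. Comparing the reported serial with the old and new certificates shows which one the server is actually presenting.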
When rotating certificates:
- Maintain both certificates for at least 24-48 hours
- Monitor traffic to ensure all clients have switched to the new cert
- Only revoke the old certificate after confirming successful transition