
Google: Maintaining digital certificate security


Posted Mar 25, 2015 16:21 UTC (Wed) by josh (subscriber, #17465)
In reply to: Google: Maintaining digital certificate security by rich0
Parent article: Google: Maintaining digital certificate security

> My understanding is that you can't even issue a new key for a domain without paying them to revoke it.

No, you can get a new certificate issued at any time as long as you can prove domain ownership; you just can't get the old one revoked.



Google: Maintaining digital certificate security

Posted Mar 25, 2015 21:45 UTC (Wed) by mgedmin (subscriber, #34497)

I tried to get a new cert for one of my domains (to switch the hash to SHA-2), but StartSSL wouldn't let me. "The old cert is still valid", the website said, "you must (pay money to) revoke it first".

Google: Maintaining digital certificate security

Posted Mar 26, 2015 11:40 UTC (Thu) by nye (subscriber, #51576)

I have a number of their free certs which I habitually replace before they've expired (actual renewal is something they charge for, which is why I replace them). I've never had any problems with this, so I wonder if there might be some particular timeframe question - like they don't issue a new one if the old one still has >X days until it expires?

Google: Maintaining digital certificate security

Posted Mar 26, 2015 13:36 UTC (Thu) by mgedmin (subscriber, #34497)

Yes, exactly this. I forgot the specific timeframe, but it was a certain number of weeks until expiration (2? 6?).

Google: Maintaining digital certificate security

Posted Mar 26, 2015 14:29 UTC (Thu) by apoelstra (subscriber, #75205)

I encountered this too when I recently (this month) fat-fingered a cat command and overwrote my private key during the installation process. I thought it was a new policy, since I'd never had trouble with it before, but what others are saying about me just being nowhere near the expiration date makes more sense.

