(DC) SSL Certificate Renewal

Description

Certificate renewal is the replacement of an existing, soon-to-expire or expired certificate with one that is valid and has a future expiration date. Certificates carry embedded expiration dates so that they are refreshed on a regular basis; a certificate and key left in service indefinitely give an attacker unlimited time to exploit or brute-force them. Refreshing a certificate ensures that content stays encrypted and safe from interception or prying eyes.

The process of "renewing" a certificate has changed over time: renewals must now happen more frequently, and all components of the certificate chain must be updated or replaced as well.

Current Requirements

The current certificate renewal process requires the complete replacement of both the certificate and its private key; private key reuse is no longer supported. A new certificate signing request (CSR) must be generated for each renewal, and it must include a new private key (normally created as part of the CSR generation process).

Table of Contents


  1. Monitor your certificates' expiration dates.
    Check out these resources and ideas: (DC) Certificate Monitoring

  2. Renew your certificates promptly and in advance.
    Never assume that the process is fast or even available.
    Certificate expiration is 100% avoidable.
    Check out the processes for requesting certificates: (DC) SSL Certificates

  3. Certificate renewal should no longer be a manual process, as it was in the past: with the validity window of certificates growing shorter and shorter, continuing to renew by hand will become a very tedious and labor-expensive task. Review the options available to automate the certificate renewal process and remove the need to worry about it. Make your only task verifying that a site, service or application is running properly and that certificates are regularly being renewed.
    Check out these resources: (DC) Certificate Automation
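Steps 1 to 3 above, together with the new-private-key rule under Current Requirements, fit into one monitor-then-renew loop. The script below is an added example, not the wiki's own tooling or a script from any of the linked pages; it assumes only the openssl command-line tool, and the file names, the common name example.test and the 30-day renewal threshold are assumptions chosen for illustration. The self-signed certificate it can create is a constructed fixture standing in for a real deployed certificate.

```shell
#!/bin/sh
# Added example: monitor a certificate's expiry and, when renewal is due,
# generate a NEW private key plus CSR, refusing to continue if the key was reused.
# Assumes only the openssl CLI; names and the threshold below are illustrative.

RENEW_THRESHOLD_DAYS=30   # assumed policy: renew when fewer than 30 days remain

# Exit 0 when the certificate in $1 expires within RENEW_THRESHOLD_DAYS (renewal
# is due), 1 when it stays valid beyond that window.
cert_needs_renewal() {
    seconds=$((RENEW_THRESHOLD_DAYS * 24 * 60 * 60))
    # openssl x509 -checkend exits 0 when the cert will NOT expire within N seconds
    if openssl x509 -in "$1" -noout -checkend "$seconds" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# SHA-256 fingerprint of the public key in a certificate ($1); used to detect
# private-key reuse without ever reading the private key itself.
cert_pubkey_fingerprint() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Same fingerprint for the public key carried in a CSR ($1).
csr_pubkey_fingerprint() {
    openssl req -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Create a brand-new RSA key ($2) and a CSR ($3) for common name $1, then
# verify the CSR's self-signature. Any old key file at $2 is discarded first.
make_new_key_and_csr() {
    cn="$1"; key="$2"; csr="$3"
    rm -f "$key"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$key" -out "$csr" \
        -subj "/CN=$cn" >/dev/null 2>&1 || return 1
    chmod 600 "$key"
    openssl req -in "$csr" -noout -verify >/dev/null 2>&1
}

# Renewal driver for common name $1 whose current certificate is $2.
# Returns 0 = new key and CSR written to $3/$4, 2 = renewal not yet due,
# 1 = failure (including an attempt to reuse the existing key pair).
renew_if_due() {
    cn="$1"; cert="$2"; key="$3"; csr="$4"
    cert_needs_renewal "$cert" || return 2
    make_new_key_and_csr "$cn" "$key" "$csr" || return 1
    old=$(cert_pubkey_fingerprint "$cert")
    new=$(csr_pubkey_fingerprint "$csr")
    if [ "$old" = "$new" ]; then
        echo "refusing renewal for $cn: private key reused" >&2
        return 1
    fi
    echo "renewal CSR for $cn written to $csr (new key in $key)"
}

# Constructed fixture only: a self-signed certificate valid for $2 days, written
# to $3 (key) and $4 (cert), standing in for a real deployed certificate.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -keyout "$3" -out "$4" \
        -subj "/CN=$1" >/dev/null 2>&1
}
```

Point renew_if_due at a real certificate path in place of the fixture; it only produces the new key and CSR, and submitting the CSR to the CA and installing the issued chain remain steps of the request process linked above. Because the key-reuse check compares public-key fingerprints, it never needs to read the old private key, so it can run wherever the certificate alone is readable.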

Resources

Monitor your certificate expiration date

(DC) Certificate Monitoring

Requesting new or "renewed" certificates

(DC) SSL Certificates

Eliminate the manual process

(DC) Certificate Automation


Historical / Evolution

Cryptographic protocols, the means of securing information in transit between computers, use a system of private and public cryptographic keys, better known today as Secure Sockets Layer (SSL) certificates. These protocols were designed out of the need to process financial transactions over the internet, something we rarely think about in today's very easy and very convenient online shopping and commerce. Many people do not realize the amount of work that goes into the process, the upkeep, and the constant battle of the good guys vs. the bad guys, also known as the constant "game" of leapfrog.

A little bit of confusion

(image: timeline-confusion.png)

In the nineties and through the early 21st century, cryptographic protocols had a lot of growing pains. It was the "new" thing, so everyone wanted a piece of the action and to be crowned with "we did that". SSL v1.0 (developed by Netscape) was a disaster and never really saw the light of day. SSL v2.0 came out in 1995 and was used for about a year before the bad guys found ways to crack it and expose information thought to be secure (leapfrogging Netscape's efforts). Microsoft threw its hat into the ring with its PCT (Private Communication Technology) protocol, but it did not gain any traction and was only supported in early IE and IIS client/server software.

Netscape released SSL v3.0 in 1996; it was used successfully until 1999, when TLS (Transport Layer Security) v1.0 was introduced. TLS v1.0 was almost identical to SSL v3.0 (it is sometimes known as SSL 3.1) but was a compromise to satisfy the fierce competition between Microsoft and Netscape. The IETF (Internet Engineering Task Force), still in effect today, is the industry, public and international governing body that works on TLS/SSL and various other protocols (NTP, routing protocols, etc.).

Evolution


SSL/TLS certificates were scarce in the very beginning, as only the wealthy companies dipping their toes into internet commerce could afford to obtain them from Certificate Authorities who were charging an arm and a leg. However, due to demand and the need for companies and organizations to secure their online activities, new Certificate Authorities were born and the process of issuing certificates became faster and cheaper. As with most things, as the target pool grew, the number of those with the desire to compromise it and gain wealth unethically was also on the rise.

What people had known as the web or the internet soon became tied to the well-known acronym HTTPS. If you (the company, site, etc.) did not have it, you could not be trusted with your customers' information.

Leapfrog

(image: vulnerabilities-timeline.png)

Many of the attacks and malicious advances took the form of "man-in-the-middle" exploits, enabling an adversary to decrypt traffic between a client and a server running vulnerable versions of the protocols.

When the good guys leapfrogged the bad guys and made things harder for them, the bad guys took a different approach, and in came phishing, spoofing and identity attacks. So the good guys responded with Extended Validation certificates, which allowed companies to provide reasonable assurance to the public that the website they were accessing was indeed who it said it was, and verifiably so. Media advertisements made the green check mark famous. Since then, it has gone by the wayside in favor of other methods (see below).

As with most technology, the evolution of the web moved faster and faster, and the number of cyber-attacks kept pace with the advancements in security, so new approaches, large-scale adoption of encryption, and awareness were needed.

Industry leaders like Google, Microsoft, Apple, Facebook, Mozilla and many others became huge advocates of HTTPS adoption and awareness training, and employees of many of these companies worked tirelessly to help find remedies for the exploits the bad guys were using. These companies helped form the open-source certificate authority that brought free Domain Validation SSL certificates and automated issuance to everyone.

SSL certificates moved from being an incentive in search engine rankings to an absolute necessity, where results for insecure sites would not be shown unless the defaults were overridden. Modern web browsers added detection of websites without SSL certificates or using old protocol versions, and alert the end user not to proceed, as the communication would not be secure and the session could be illegitimate or malicious.

Current State

With SSL certificates, HTTPS and secure communication as the new norm, and digital security (as of 2022) stronger than before, the creativity of malicious actors has become apparent: they attack not just the digital side of communication but the human side, with the well-known methods of phishing and spoofing, but also with ransomware and by targeting different and more vulnerable older age groups. TLS/SSL can only protect data in transit, so we have to make people more aware of attack types and of ways to avoid them; awareness remains the best effort to thwart these types of attacks and unethical behavior.

Efforts to validate companies and individuals are becoming a necessity; thus two-factor (2FA) and multi-factor authentication (MFA) are also becoming ubiquitous and are now required for just about every website that requires authentication.

In addition, to avoid the in-transit issues, companies, organizations and many others are adopting virtual private networks (VPNs) to remove their traffic from public view (even if it is encrypted). Shaming for slow adoption and use of weak protocols is growing in popularity, and these companies and organizations are scrambling to fix it or lose their customers' faith in their ability to protect their information, and lose them as customers or members.

The progress of adoption of the latest TLS version (v1.3) and the reduction in the use of weak protocols can be viewed on the global dashboard called SSL Pulse.

What is next?

There are a lot of efforts to improve authenticity and security in the online world. It is impossible to list all the efforts underway or those starting tomorrow. We have to ditch the old ways, get faster at adopting new technologies and new security protocols, and get better at training both the older and the newer generations to ensure that we continue to stay secure online.

As of 2022:

  • Blockchain (a database structure that stores information in batches called blocks, linked sequentially to form a chain of blocks; each chain is a public ledger where transactions are recorded and confirmed anonymously). As a harder-to-crack security method, many believe that it might replace SSL certificates.

  • Quantum computing.

  • Neural networks and artificial intelligence.