LinuxQuestions.org forum: Linux - Newbie
Hi All,
May I know what the security risks are if we do not renew (regenerate) the SSL certificates? One of our web servers' SSL certificates has already expired. So should we regenerate new SSL certificates on the server, or is it okay to keep running with expired SSL certificates?
1. certificates are designated to identify the server.
2. the certificate identifies the duration of the validity of the identification.
3. expired certificates should be useless - the original web server/company may have died and the server now under the control of criminals.
Quote:
Hi All,
May I know what the security risks are if we do not renew (regenerate) the SSL certificates? One of our web servers' SSL certificates has already expired. So should we regenerate new SSL certificates on the server, or is it okay to keep running with expired SSL certificates?
You say "regenerate"...are you using self-signed certificates??? If so, you're asking your users to trust your website, which they may not do. You don't provide details about your site or who's using it...if it's for internal use, then self-signed is pretty much all you'd need. If it ISN'T internal use only, then you really should get a certificate from a commercial certificate vendor. jpollard explained the security risks nicely.
---------- Post added 02-09-15 at 09:13 AM ----------
Quote:
Originally Posted by veerain
You should renew. That's what the expiry of certificates is for. Security-aware guys won't trust an expired certificate.
...and this doesn't answer the OP's question as to HOW this is a security vulnerability.
Hi jpollard and TB0ne,
Thanks for your kind reply.
Sorry, I didn't provide you more details. One of our internal (local only) web server's SSL certificates already expired (2 months back). The publicly facing web server's SSL certificates are going to expire in another 40 days, and I hope this will be taken care of by the existing web host vendor or, as per Guru (TB0ne)'s suggestion, we will contact a commercial certificate vendor.
But if it is a local-only web server then it is not required to contact a commercial certificate vendor and self-signed SSL certificates are enough. Isn't it?
I could understand the first 2 points of jpollard, but the 3rd point is still confusing.
Quote:
3. expired certificates should be useless - the original web server/company may have died and the server now under the control of criminals.
It would be really appreciated if you could give more details or any URL links for the same which can explain it in some more detail.
And I also request you to provide a URL link which I can follow to set up a local-only HTTPS server in the proper way.
The "useless" is that the certificate is identifying the server. Some clients will (depending on configuration) reject certificates when they have expired, as the validation of the server is no longer present.
Things are still encrypted, but now the server can be suspect as it no longer presents valid credentials.
The way most servers use PKI is that the site gets a long term certificate (5 years or so). This certificate is then used to create a server certificate for use. Normally, this use is limited to 1 year (in some cases less), and is only issued after the server has passed a security check and is re-authorized by the site to provide services. The advantage of the certificate is that it gives the site management control over how it is represented, and it allows a server certificate to be revoked if something happens... This in turn gives the client users assurance that security of the service is being maintained.
To the public, the server certificate presents a traceback that can be checked to see if the credentials that the server presented are valid - the cert is unexpired, and has not been revoked.
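The traceback jpollard describes (leaf certificate, then its issuer, up to a root the client trusts, with expiry and revocation checked at each step), modelled as an added example that is not code from any poster in this thread. The certificates, dates, serial numbers and trust store are constructed, in the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns; signature verification, which a real client also performs, is left out.

```python
import ssl

# Constructed sample certificates in the dict shape that
# ssl.SSLSocket.getpeercert() returns; no real keys or signatures.
SITE_CA = {                                   # long-term (5 year) site cert
    "subject": ((("commonName", "Example Corp Internal CA"),),),
    "issuer": ((("commonName", "Example Corp Internal CA"),),),
    "serialNumber": "01",
    "notBefore": "Jan  1 00:00:00 2011 GMT",
    "notAfter": "Jan  1 00:00:00 2016 GMT",
}
SERVER_CERT = {                               # 1 year server cert
    "subject": ((("commonName", "intranet.example.internal"),),),
    "issuer": ((("commonName", "Example Corp Internal CA"),),),
    "serialNumber": "2A",
    "notBefore": "Dec  1 00:00:00 2013 GMT",
    "notAfter": "Dec  1 00:00:00 2014 GMT",
}
TRUSTED_ROOTS = {"Example Corp Internal CA"}  # the client's trust store (constructed)

def cn(name):
    """Pull commonName out of getpeercert()'s nested tuple layout."""
    return dict(pair for rdn in name for pair in rdn)["commonName"]

def check_chain(chain, revoked, trusted, now):
    """Walk leaf -> issuer -> self-signed root as a client does. Returns (ok, reason)."""
    for i, cert in enumerate(chain):
        who = cn(cert["subject"])
        if now < ssl.cert_time_to_seconds(cert["notBefore"]):
            return False, f"{who}: not yet valid"
        if now > ssl.cert_time_to_seconds(cert["notAfter"]):
            return False, f"{who}: expired on {cert['notAfter']}"
        if cert["serialNumber"] in revoked:   # revoked = serials from a CRL
            return False, f"{who}: revoked"
        if cn(cert["issuer"]) == who:         # self-signed: end of the traceback
            if who in trusted:
                return True, f"chain ends at trusted root {who}"
            return False, f"{who}: self-signed root is not in the trust store"
        if i + 1 == len(chain) or cn(chain[i + 1]["subject"]) != cn(cert["issuer"]):
            return False, f"{who}: issuer {cn(cert['issuer'])} is missing from the chain"
    return False, "chain does not end in a self-signed root"

if __name__ == "__main__":
    for date in ("Jun  1 00:00:00 2014 GMT", "Feb  9 00:00:00 2015 GMT"):
        now = ssl.cert_time_to_seconds(date)
        print(date, check_chain([SERVER_CERT, SITE_CA], set(), TRUSTED_ROOTS, now))
```

On the first date the chain is accepted; on the second the server certificate has expired even though the site CA is still valid, which is exactly the "suspect server" case: traffic is still encrypted, but the credentials no longer check out.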
Why do you create certificates which expire after some time? Do you have a reason? Or do you just do it out of common practice?
Why are certificates renewed? Because the user would have to check the credentials of the certificate owner again after expiration. Periodic renewal and checking of certificates is a security measure.
Reasons:
1) The owner asserts from the start that he doesn't care about use of this certificate after expiry.
2) If the certificate has been broken by someone, then after expiry he can't continue exploiting it.
3) You want to periodically update the certificate with newer, stronger and more powerful cryptographic abilities.
4) Some new kind of crypto has replaced current practice.
Quote:
Hi jpollard and TB0ne,
Thanks for your kind reply.
Sorry, I didn't provide you more details. One of our internal (local only) web server's SSL certificates already expired (2 months back). The publicly facing web server's SSL certificates are going to expire in another 40 days, and I hope this will be taken care of by the existing web host vendor or, as per Guru (TB0ne)'s suggestion, we will contact a commercial certificate vendor.
But if it is a local-only web server then it is not required to contact a commercial certificate vendor and self-signed SSL certificates are enough. Isn't it?
Certificates aren't REQUIRED at all...you could run any website without them. It's just BETTER to have them. If you have a local-only webserver (internal use, as you said), then self-signed certificates are acceptable (in my opinion). Your company's employees should be able to accept the local certificate, and move on.
Quote:
I could understand the first 2 points of jpollard, but the 3rd point is still confusing.
Simple...what's to stop anyone, anywhere, from approaching verisign and registering a certificate for your domain name? As long as they pay, that certificate is valid. So if your external certificate expires, a third-party COULD do bad things by knowing this.
Quote:
It would be really appreciated if you could give more details or any URL links for the same which can explain it in some more detail. And I also request you to provide a URL link which I can follow to set up a local-only HTTPS server in the proper way.
There are many which you can find with a Google search...read the "Question Guidelines" link in my posting signature. Asking people to look things up for you isn't a good thing. Also, you provide NO details about your 'local only https server', such as version/distro of Linux, what web server it's running, etc., which would help us answer you.
Quote:
Why do you create certificates which expire after some time? Do you have a reason? Or do you just do it out of common practice?
You do this because it's a good security practice...if you don't know why, please look it up.
Quote:
Why are certificates renewed? Because the user would have to check the credentials of the certificate owner again after expiration. Periodic renewal and checking of certificates is a security measure.
...which answers your first question of "Why do you create certificates which expire?", doesn't it?
Quote:
Reasons:
1) The owner asserts from the start that he doesn't care about use of this certificate after expiry.
If they did, they'd have renewed it, right?
Quote:
2) If the certificate has been broken by someone, then after expiry he can't continue exploiting it.
If the certificate had been 'broken', then the new one could be too, so there's not much help there.
Quote:
3) You want to periodically update the certificate with newer, stronger and more powerful cryptographic abilities.
4) Some new kind of crypto has replaced current practice.
Sorry, wrong...certificate signers use a standard public/private key setup.