Hi All,
May I know what are the security risks if we do not renew(regenerate) the ssl certificates. Because one of our web server's ssl certificates has already expired. So should we regenerate the new ssl certificates in the server or is it okay even we run with expired ssl certificates.

I asked google and it returned tons of links with explanations

You should renew. Thats what expire of certificates is used.

Security aware guys won't trust the expired certificate.

1 members found this post helpful.

Thanks for the reply. Also I wanted to know what security risk and how?

Is the web server facing the internet?

It is the weap point of PKI.

1. certificates are designated to identify the server.
2. the certificate identifies the duration of the validity of the identification.
3. expired certificates should be useless - the original web server/company may have died and the server now under the control of criminals.

1 members found this post helpful.

You say "regenerate"...are you using self-signed certificates??? If so, you're asking your users to trust your website, which they may not do. You don't provide details about your site or who's using it...if it's for internal use, then self-signed is pretty much all you'd need. If it ISN'T internal use only, then you really should get a certificate from a commercial certificate vendor. jpollard explained the security risks nicely.

---------- Post added 02-09-15 at 09:13 AM ----------

...and this doesn't answer the OP's question as to HOW this is a security vulnerability.

1 members found this post helpful.

If I go to a site and the browser gives me a warning that the server has an invalid certificate, I generally close that tab and go elsewhere!

silly me. Ignore this useless post.

Hi jpollard and TB0ne,
Thanks for your kind reply.
Sorry, I didn't provide you more details. One of our internal(local only) web server's ssl certificates are already(2 months back) expired. The publicly facing web server's ssl certificates are going to expire in another 40 days and hope this will take care by existing web host vendor or as per Guru(TB0ne) suggestion, we will contact the commercial certificate vendor.
But if it is local only web server then it is not required in contacting the commercial certificate vendor and just self singed ssl certificates are enough. Isn't it?

I could understood the first 2 points of jpollard, but still the 3rd point is confusing.
Its really appreciated if you could give more details/any url links for the same which can explain with some more details.
And also request you to provide url link by which I can follow the same to setup local only https server in the proper way.

Once again thank you both.

The "useless" is that the certificate is identifying the server. Some clients will (depending on configuration) reject certificates when they have expired, as the validation of the server is no longer present.

Things are still encrypted, but now the server can be suspect as it no longer presents valid credentials.

The way most servers use PKI is that the site gets a long term certificate (5 years or so). This certificate is then used to create a server certificate for use. Normally, this use is limited to 1 year (in some cases less), and is only issued after the server has passed a security check and is re-authorized by the site to provide services. The advantage of the certificate is that it gives the site management control over how it is represented, and it allows a server certificate to be revoked if something happens... This in turn gives the client users assurance that security of the service is being maintained.

To the public, the server certificate presents a traceback that can be checked to see if the credentials that the server presented are valid - the cert is unexpired, and has not been revoked.

Why do you create certificates which expire after sometime? Do you have reason? Or just you do out of common practice.

Why certificates are renewed. Because the user would have to check the credentials of certificate owner again after expiration. Periodic renewal and checking of certificates is a security measure.

Reasons:

1) The owner asserts form the start he doesn't cares about use of this certificate after expiry.

2) If certificate has been broken by someone, then after expiry he can't continue exploiting.

3) You want to periodically update certificate which has newer strong and powerful cryptographic abilities.

4) Some new kind of crypto has replaced current practice.

Certificates aren't REQUIRED at all...you could run any website without them. It's just BETTER to have them. If you have a local-only webserver (internal use, as you said), then self-signed certificates are acceptable (in my opinion). Your company's employees should be able to accept the local certificate, and move on.
Simple...what's to stop anyone, anywhere, from approaching verisign and registering a certificate for your domain name? As long as they pay, that certificate is valid. So if your external certificate expires, a third-party COULD do bad things by knowing this.
There are many which you can find with a Google search...read the "Question Guidelines" link in my posting signature. Asking people to look things up for you isn't a good thing. Also, you provide NO details about your 'local only https server', such as version/distro of Linux, what web server it's running, etc., which would help us answer you.

1 members found this post helpful.

You do this because it's a good security practice...if you don't know why, please look it up.
...which answers your first question of "Why do you create certificates which expire?", doesn't it?
If they did, they'd have renewed it, right?
If the certificate had been 'broken', then the new one could be too, so there's not much help there.
Sorry, wrong...certificates signers use a standard public/private key setup.

1 members found this post helpful.

There is a confusion. I wanted to ask that question to original thread starter not from others.