LinuxQuestions.org
Old 02-09-2015, 03:52 AM   #1
cli
Member
 
Registered: Apr 2013
Distribution: RedHat, Cent, Ubuntu
Posts: 80

Rep: Reputation: Disabled
https question


Hi All,
May I know what the security risks are if we do not renew (regenerate) the SSL certificates? One of our web server's SSL certificates has already expired. So should we regenerate new SSL certificates on the server, or is it okay even if we run with expired SSL certificates?
 
Old 02-09-2015, 04:02 AM   #2
kirukan
Senior Member
 
Registered: Jun 2008
Location: Eelam
Distribution: Redhat, Solaris, Suse
Posts: 1,274

Rep: Reputation: 148
I asked Google and it returned tons of links with explanations
 
Old 02-09-2015, 05:18 AM   #3
veerain
Senior Member
 
Registered: Mar 2005
Location: Earth bound to Helios
Distribution: Custom
Posts: 2,524

Rep: Reputation: 319
You should renew. That's what expiry of certificates is used for.

Security aware guys won't trust the expired certificate.
 
1 members found this post helpful.
Old 02-09-2015, 08:26 AM   #4
cli
Member
 
Registered: Apr 2013
Distribution: RedHat, Cent, Ubuntu
Posts: 80

Original Poster
Rep: Reputation: Disabled
Thanks for the reply. Also, I wanted to know what the security risk is, and how?
 
Old 02-09-2015, 09:08 AM   #5
Habitual
LQ Addict
 
Registered: Jan 2011
Location: Youngstown, Ohio
Distribution: LM17.1/Xfce4.11.8
Posts: 7,361
Blog Entries: 10

Rep: Reputation: 2034
Is the web server facing the internet?
 
Old 02-09-2015, 09:22 AM   #6
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,636

Rep: Reputation: 1251
It is the weak point of PKI.

1. certificates are designated to identify the server.
2. the certificate identifies the duration of the validity of the identification.
3. expired certificates should be useless - the original web server/company may have died and the server now under the control of criminals.
 
1 members found this post helpful.
Old 02-09-2015, 10:12 AM   #7
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 18,100

Rep: Reputation: 3770
Quote:
Originally Posted by cli
Hi All,
May I know what the security risks are if we do not renew (regenerate) the SSL certificates? One of our web server's SSL certificates has already expired. So should we regenerate new SSL certificates on the server, or is it okay even if we run with expired SSL certificates?
You say "regenerate"...are you using self-signed certificates??? If so, you're asking your users to trust your website, which they may not do. You don't provide details about your site or who's using it...if it's for internal use, then self-signed is pretty much all you'd need. If it ISN'T internal use only, then you really should get a certificate from a commercial certificate vendor. jpollard explained the security risks nicely.

---------- Post added 02-09-15 at 09:13 AM ----------

Quote:
Originally Posted by veerain
You should renew. That's what expiry of certificates is used for. Security aware guys won't trust the expired certificate.
...and this doesn't answer the OP's question as to HOW this is a security vulnerability.
 
1 members found this post helpful.
Old 02-09-2015, 11:50 AM   #8
DavidMcCann
Senior Member
 
Registered: Jul 2006
Location: London
Distribution: CentOS, Salix
Posts: 4,217

Rep: Reputation: 1238
If I go to a site and the browser gives me a warning that the server has an invalid certificate, I generally close that tab and go elsewhere!
 
Old 02-09-2015, 12:27 PM   #9
Habitual
LQ Addict
 
Registered: Jan 2011
Location: Youngstown, Ohio
Distribution: LM17.1/Xfce4.11.8
Posts: 7,361
Blog Entries: 10

Rep: Reputation: 2034
silly me. Ignore this useless post.

Last edited by Habitual; 02-09-2015 at 12:28 PM.
 
Old 02-10-2015, 08:26 AM   #10
cli
Member
 
Registered: Apr 2013
Distribution: RedHat, Cent, Ubuntu
Posts: 80

Original Poster
Rep: Reputation: Disabled
Hi jpollard and TB0ne,
Thanks for your kind reply.
Sorry, I didn't provide you more details. One of our internal (local only) web server's SSL certificates already expired (2 months back). The publicly facing web server's SSL certificates are going to expire in another 40 days, and I hope this will be taken care of by the existing web host vendor or, as per Guru (TB0ne)'s suggestion, we will contact the commercial certificate vendor.
But if it is a local-only web server, then it is not required to contact the commercial certificate vendor and just self-signed SSL certificates are enough. Isn't it?

I could understand the first 2 points of jpollard, but still the 3rd point is confusing.
Quote:
3. expired certificates should be useless - the original web server/company may have died and the server now under the control of criminals.
It would be really appreciated if you could give more details or any URL links that explain this in more detail.
I also request that you provide a URL link that I can follow to set up a local-only https server in the proper way.

Once again thank you both.

Last edited by cli; 02-10-2015 at 08:33 AM.
 
Old 02-10-2015, 08:52 AM   #11
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,636

Rep: Reputation: 1251
The "useless" is that the certificate is identifying the server. Some clients will (depending on configuration) reject certificates when they have expired, as the validation of the server is no longer present.

Things are still encrypted, but now the server can be suspect as it no longer presents valid credentials.

The way most servers use PKI is that the site gets a long term certificate (5 years or so). This certificate is then used to create a server certificate for use. Normally, this use is limited to 1 year (in some cases less), and is only issued after the server has passed a security check and is re-authorized by the site to provide services. The advantage of the certificate is that it gives the site management control over how it is represented, and it allows a server certificate to be revoked if something happens... This in turn gives the client users assurance that security of the service is being maintained.

To the public, the server certificate presents a traceback that can be checked to see if the credentials that the server presented are valid - the cert is unexpired, and has not been revoked.
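
A renewal check based on the validity period discussed in this post, as an added example that is not part of the original thread: it classifies certificates by the notBefore/notAfter fields in the dict layout that Python's `ssl.SSLSocket.getpeercert()` returns. The host names, dates and the 45-day renewal window are constructed for illustration, and revocation is not checked.

```python
import ssl
from datetime import datetime, timezone

RENEW_WINDOW_DAYS = 45  # assumed renewal lead time, not a value from the thread

def validity_status(cert, now, renew_window_days=RENEW_WINDOW_DAYS):
    """Classify a cert dict (ssl.SSLSocket.getpeercert() layout) by its dates.

    Only the validity period is checked; revocation and chain trust are not.
    Returns (status, whole days until notAfter; negative once expired).
    """
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    ts = now.timestamp()
    days_left = int((not_after - ts) // 86400)
    if ts < not_before:
        return "not-yet-valid", days_left
    if ts > not_after:
        return "expired", days_left
    if days_left <= renew_window_days:
        return "renew-soon", days_left
    return "ok", days_left

def audit(inventory, now):
    """Return (host, status, days_left) rows, soonest expiry first."""
    rows = [(host, *validity_status(cert, now)) for host, cert in inventory.items()]
    return sorted(rows, key=lambda row: row[2])

# Constructed sample data: one certificate expired two months ago, one
# expires in 40 days, one has most of a year left.
NOW = datetime(2015, 2, 10, 12, 0, 0, tzinfo=timezone.utc)
INVENTORY = {
    "wiki.example.internal": {"notBefore": "Jan  1 00:00:00 2015 GMT",
                              "notAfter": "Jan  1 00:00:00 2016 GMT"},
    "www.example.com": {"notBefore": "Mar 22 12:00:00 2014 GMT",
                        "notAfter": "Mar 22 12:00:00 2015 GMT"},
    "intranet.example.internal": {"notBefore": "Dec 10 12:00:00 2013 GMT",
                                  "notAfter": "Dec 10 12:00:00 2014 GMT"},
}

if __name__ == "__main__":
    for host, status, days in audit(INVENTORY, NOW):
        print(f"{host:28} {status:14} {days:5d} days")
```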
 
Old 02-10-2015, 09:05 AM   #12
veerain
Senior Member
 
Registered: Mar 2005
Location: Earth bound to Helios
Distribution: Custom
Posts: 2,524

Rep: Reputation: 319
Why do you create certificates which expire after some time? Do you have a reason? Or do you just do it out of common practice?

Why certificates are renewed. Because the user would have to check the credentials of certificate owner again after expiration. Periodic renewal and checking of certificates is a security measure.

Reasons:

1) The owner asserts from the start he doesn't care about use of this certificate after expiry.

2) If the certificate has been broken by someone, then after expiry he can't continue exploiting it.

3) You want to periodically update to a certificate which has newer, strong and powerful cryptographic abilities.

4) Some new kind of crypto has replaced current practice.

Last edited by veerain; 02-10-2015 at 09:13 AM.
 
Old 02-10-2015, 09:47 AM   #13
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 18,100

Rep: Reputation: 3770
Quote:
Originally Posted by cli
Hi jpollard and TB0ne,
Thanks for your kind reply.
Sorry, I didn't provide you more details. One of our internal (local only) web server's SSL certificates already expired (2 months back). The publicly facing web server's SSL certificates are going to expire in another 40 days, and I hope this will be taken care of by the existing web host vendor or, as per Guru (TB0ne)'s suggestion, we will contact the commercial certificate vendor.
But if it is a local-only web server, then it is not required to contact the commercial certificate vendor and just self-signed SSL certificates are enough. Isn't it?
Certificates aren't REQUIRED at all...you could run any website without them. It's just BETTER to have them. If you have a local-only webserver (internal use, as you said), then self-signed certificates are acceptable (in my opinion). Your company's employees should be able to accept the local certificate, and move on.
Quote:
I could understand the first 2 points of jpollard, but still the 3rd point is confusing.
Simple...what's to stop anyone, anywhere, from approaching Verisign and registering a certificate for your domain name? As long as they pay, that certificate is valid. So if your external certificate expires, a third-party COULD do bad things by knowing this.
Quote:
It would be really appreciated if you could give more details or any URL links that explain this in more detail. I also request that you provide a URL link that I can follow to set up a local-only https server in the proper way.
There are many which you can find with a Google search...read the "Question Guidelines" link in my posting signature. Asking people to look things up for you isn't a good thing. Also, you provide NO details about your 'local only https server', such as version/distro of Linux, what web server it's running, etc., which would help us answer you.
 
1 members found this post helpful.
Old 02-10-2015, 09:52 AM   #14
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 18,100

Rep: Reputation: 3770
Quote:
Originally Posted by veerain
Why do you create certificates which expire after some time? Do you have a reason? Or do you just do it out of common practice?
You do this because it's a good security practice...if you don't know why, please look it up.
Quote:
Why certificates are renewed. Because the user would have to check the credentials of certificate owner again after expiration. Periodic renewal and checking of certificates is a security measure.
...which answers your first question of "Why do you create certificates which expire?", doesn't it?
Quote:
Reasons:
1) The owner asserts from the start he doesn't care about use of this certificate after expiry.
If they did, they'd have renewed it, right?
Quote:
2) If the certificate has been broken by someone, then after expiry he can't continue exploiting it.
If the certificate had been 'broken', then the new one could be too, so there's not much help there.
Quote:
3) You want to periodically update to a certificate which has newer, strong and powerful cryptographic abilities.
4) Some new kind of crypto has replaced current practice.
Sorry, wrong...certificate signers use a standard public/private key setup.
 
1 members found this post helpful.
Old 02-10-2015, 12:40 PM   #15
veerain
Senior Member
 
Registered: Mar 2005
Location: Earth bound to Helios
Distribution: Custom
Posts: 2,524

Rep: Reputation: 319
Quote:
Why do you create certificates which expire after some time? Do you have a reason? Or do you just do it out of common practice?
Quote:
You do this because it's a good security practice...if you don't know why, please look it up.
There is some confusion. I wanted to ask that question of the original thread starter, not of others.

Last edited by veerain; 02-10-2015 at 01:26 PM.
 
All times are GMT -5. The time now is 03:56 PM.