A user's responsibility for a digital certificate begins when they obtain the certificate from a Certificate Authority (CA), but it does not end there. The user is also responsible for initiating the certificate renewal, reissue, and/or revocation processes, and for protecting the private key that corresponds to the certificate throughout its life.
Provided below is some information about each of these procedures:
- Renewal: Certificate renewal is the process by which a user obtains a new certificate, with a new serial number and a new validity period, for the same subject (domain and organization) as an expiring certificate. The renewed certificate may reuse the existing key pair, but best practice is to generate a fresh key pair at every renewal so that the lifetime of any single private key is bounded. Publicly trusted SSL/TLS certificates cannot be issued for longer than 398 days, and many CAs issue much shorter-lived certificates (for example, 90 days). To avoid an outage, owners should plan on renewing within the last quarter of a certificate's lifetime. The renewal starts with a new certificate signing request (CSR), generated on the server or in the owner's key-management tooling (never by the CA, which must never see the private key), and submitted through the CA's portal. The CA then processes that request and completes the identity verification steps, which takes about as long as for a brand-new order provided the owner's domain, organization name, and other submitted information have not changed. At that point, the CA sends the certificate to the purchaser's certificate contact. It is then up to the owner to install and configure the new certificate and confirm it is being served before removing the old one.
- Reissue: Certificate reissuing (also known as re-keying) is the process by which a user generates a new private key and a new CSR for an existing certificate order, and the CA issues a replacement certificate for it. As explained by DNSimple, users might need to reissue if they lose or delete their private key, if they want to change any of the certificate's information (such as the names it covers), or if they want to change the certificate's key size or algorithm (what DNSimple calls the encryption level). Upon completion, the reissuing process produces a new digital certificate; if the old key was exposed rather than merely lost, the old certificate must also be revoked, since reissuing alone does not invalidate it.
- Revocation: Sometimes a certificate's private key is no longer trustworthy. Let's Encrypt notes this can happen if a user shares the key on a public website or if attackers steal the key from a company's servers. In cases such as these, the user must revoke the certificate (most CAs' subscriber agreements require it), a process in which the CA marks the certificate as invalid before its expiry date and publishes that fact through its Certificate Revocation List (CRL) and OCSP responder. Revocation does not by itself take HTTPS off the owner's domain; the server keeps serving the old certificate until it is replaced, and clients that check revocation status will reject it. Because many browsers check revocation only loosely (an unreachable OCSP responder is often treated as a pass), the owner should not rely on revocation alone: every certificate that carries the compromised public key must be revoked, and a re-keyed replacement must be installed promptly. It is then up to the user to obtain, install, and configure that new certificate.
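The three procedures above, run end to end as an added example that is not part of the original page or of any CA's or vendor's tooling. It uses the `openssl` command line with a throwaway private CA in a temporary directory (an assumption standing in for the commercial CA the page describes; `www.example.com` is a placeholder subject). It issues a certificate, renews it against the same CSR (same key pair), re-keys it with a fresh key pair, and then treats the original private key as compromised: both certificates that carry that key are revoked on a CRL, and a CRL-checking `openssl verify` shows that only the re-keyed certificate is still accepted.

```shell
#!/bin/sh
# Added example (not from the page): renewal, re-keying and CRL revocation
# against a throwaway private CA created in a temp directory. Assumptions:
# the openssl CLI is installed; the private CA stands in for the commercial
# CA the page describes; www.example.com is a placeholder subject.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal config: [req] drives the self-signed root; [myca] drives 'openssl ca'
# for the revocation database and the CRL.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ ca ]
default_ca = myca
[ myca ]
database         = index.txt
crlnumber        = crlnumber
default_md       = sha256
default_crl_days = 7
EOF
touch index.txt
echo 01 > crlnumber

# Throwaway root CA (self-signed, 1 year).
openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 365 \
  -keyout ca.key -out ca.crt -subj "/CN=Example Test CA" >/dev/null 2>&1

# The key owner generates the private key and CSR locally; the CA only ever
# sees the CSR.  $1 = key file, $2 = CSR file
make_key_and_csr() {
  openssl req -config ca.cnf -new -newkey rsa:2048 -nodes \
    -keyout "$1" -out "$2" -subj "/CN=www.example.com" >/dev/null 2>&1
}

# The CA signs a CSR into a 30-day certificate.  $1 = CSR, $2 = cert, $3 = serial
ca_sign() {
  openssl x509 -req -in "$1" -CA ca.crt -CAkey ca.key -set_serial "$3" \
    -days 30 -out "$2" >/dev/null 2>&1
}

# PEM public key embedded in a certificate (shows which certs share a key pair).
pubkey_of() { openssl x509 -in "$1" -noout -pubkey; }

# Returns 0 if the cert expires within $2 seconds (renewal is due), else 1.
renewal_due() {
  if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
    return 1   # -checkend exits 0 when the cert will NOT expire in that window
  fi
  return 0
}

# Revoke a cert for key compromise and publish a fresh CRL.
revoke_for_key_compromise() {
  openssl ca -config ca.cnf -cert ca.crt -keyfile ca.key \
    -revoke "$1" -crl_reason keyCompromise >/dev/null 2>&1
  openssl ca -config ca.cnf -cert ca.crt -keyfile ca.key \
    -gencrl -crldays 7 -out ca.crl >/dev/null 2>&1
}

# What a CRL-checking client concludes about a cert: valid | revoked | invalid
cert_status() {
  if out=$(openssl verify -CAfile ca.crt -crl_check -CRLfile ca.crl "$1" 2>&1); then
    echo valid; return 0
  fi
  case "$out" in
    *"certificate revoked"*) echo revoked ;;
    *) echo invalid ;;
  esac
}

# 1. Initial issuance.
make_key_and_csr server.key server.csr
ca_sign server.csr old.crt 1

# 2. Renewal: a new certificate (new serial, new validity) for the same CSR,
#    and therefore the same key pair.
ca_sign server.csr renewed.crt 2

# 3. Re-key (reissue): fresh private key and CSR, then a new certificate.
make_key_and_csr server2.key server2.csr
ca_sign server2.csr rekeyed.crt 3

# 4. server.key leaks. Every certificate carrying that public key must be
#    revoked: the original AND the renewed one. The re-keyed one is unaffected.
revoke_for_key_compromise old.crt
revoke_for_key_compromise renewed.crt

echo "old.crt     : $(cert_status old.crt)"
echo "renewed.crt : $(cert_status renewed.crt)"
echo "rekeyed.crt : $(cert_status rekeyed.crt)"
```

The point of step 4 is the one the list above only implies: revocation is keyed to the certificate, not to the key, so a renewal that reused the compromised key pair is just as revoked-worthy as the original, and a client that does not fetch the CRL (or that soft-fails OCSP) will still accept both until the server is switched to the re-keyed certificate. The `renewal_due` helper is the check a renewal job runs against the installed certificate; with `-checkend` and a 90-day window it flags the 30-day test certificates as due immediately.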
It takes a lot of work for an organization to inventory every location where its digital certificates and their private keys are installed. The effort needed to renew, reissue, and possibly revoke each of those certificates is greater still. As a result, when performed manually, the issuance and renewal process is time-consuming and error-prone: a missed expiry date causes an outage, and a forgotten copy of a compromised key leaves a valid-looking credential in an attacker's hands. Bad actors can leverage such mistakes to attack web users, damage the certificate owner's brand, and cost the company revenue.
To adequately manage their digital certificates, organizations need a solution that streamlines the renewal, reissue, and revocation processes for machine identities. Optimized for machine identity management, the Venafi Trust Protection Platform is one such tool. Customers can use the Platform's REST-based API to initiate renewal, reissue, and/or revocation from a single portal. This centralization speeds up each of these certificate management processes, thereby minimizing the window during which an attacker could potentially cause harm. The Platform also automatically notifies owners when their certificates are about to expire.