SSL Certificates – Does Issuing a New Certificate Invalidate Existing Ones?

ssl-certificate

We have a wildcard certificate issued by GoDaddy coming up for renewal, and I would like to use a different company (which is yet to be chosen). The wildcard certificate is in use at a dozen sites across a few servers. There will be a gap of a few hours between the certificate being issued at the new authority, and when we can install the certificate on all those sites & servers. During that gap, will our users notice anything, e.g.,

  1. "Site is insecure" type of warning
  2. Outright failure of the site to work (they are Windows/IIS sites).

I am wondering if, for instance, the new authority issues something to GoDaddy that makes GoDaddy revoke our certificate that they have on file. Or, will a web browser find the installed certificate mismatching with the newly issued certificate, and cause a problem?

Best Answer

A certificate will be valid as long as the system date that verifies the domain is between its validity not-before and not-after dates, all other certificates in the chain are valid, and the issuer has not taken action to revoke the certificate by means of CRL or OCSP options at their disposal (most commonly due to counterfeit or security issues such as a private key that becomes compromised). Obviously, the domain has to match. Issuing a new one will not affect that.

You can actually request the new certificate before the expiration date of the current and start changing certificates ahead of that point in time so that there is the smallest disruption possible in services. If you wait for expiration in order to proceed with the renewal, the services will show the insecure note if not blocked completely by security settings on browsers like HSTS or other security mechanisms.

Automation tools related to certificate renewal like acme.sh or the Let's Encrypt module in WHM do their job usually 1 month ahead of expiration so that caching and other functionality doesn't impact the renewal process either.
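As an added illustration (not code from the question or the answer), the following Python models the three checks the answer lists, validity window, name match including single-label wildcard matching, and revocation status, on constructed certificate fields rather than real X.509 data. The certificate objects, serials and CA names are made up; the point it shows is that evaluating the old wildcard certificate never consults the newly issued one, so both verify during the renewal gap.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed, simplified model of the fields a browser checks on a server
# certificate. This is an illustration, not an X.509 parser.
@dataclass
class Cert:
    serial: str
    names: list           # subject CN / SAN dNSName entries, e.g. "*.example.com"
    not_before: datetime
    not_after: datetime
    issuer: str

def name_matches(pattern: str, host: str) -> bool:
    """Match one certificate name against a host. A wildcard covers exactly
    one label: *.example.com matches www.example.com but not example.com
    or a.b.example.com."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split(".")[1:], host.split(".")
        return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels
    return pattern == host

def cert_is_valid(cert: Cert, host: str, now: datetime, revoked: set) -> str:
    """Apply the checks from the answer in order: validity window, hostname,
    then revocation (revoked is a set of (issuer, serial) pairs, standing in
    for a CRL/OCSP lookup). Returns 'ok' or the first failing reason. No other
    certificate is consulted, so issuing a new one cannot fail an old one."""
    if not (cert.not_before <= now <= cert.not_after):
        return "expired-or-not-yet-valid"
    if not any(name_matches(n, host) for n in cert.names):
        return "hostname-mismatch"
    if (cert.issuer, cert.serial) in revoked:
        return "revoked"
    return "ok"

# Constructed sample: the old wildcard cert and a new one from a different CA,
# overlapping in time, as in the question's renewal gap.
UTC = timezone.utc
OLD = Cert("0x01", ["*.example.com"],
           datetime(2023, 1, 1, tzinfo=UTC), datetime(2024, 1, 1, tzinfo=UTC), "Old CA")
NEW = Cert("0x02", ["*.example.com", "example.com"],
           datetime(2023, 12, 15, tzinfo=UTC), datetime(2024, 12, 15, tzinfo=UTC), "New CA")
DURING_GAP = datetime(2023, 12, 20, tzinfo=UTC)

def renewal_gap_report(host="www.example.com", now=DURING_GAP, revoked=frozenset()):
    """Verify both certificates for the same host at the same instant."""
    return {"old": cert_is_valid(OLD, host, now, revoked),
            "new": cert_is_valid(NEW, host, now, revoked)}
```

Run `renewal_gap_report()` to see both certificates report `ok` during the gap; only the old certificate's own expiry, a name mismatch, or an explicit revocation entry changes its result.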