Buying an SSL certificate for Remote Web Workplace use - advice about "reissuance"

Posted on 2009-07-07
Medium Priority
Last Modified: 2012-05-07
I am thinking about buying an SSL certificate to install on my SBS 2003 server, for use when I connect using Remote Web Workplace (I'm presently using a self-signed cert but it's frankly embarrassing seeing the certificate error in front of my clients!).

I'm a little confused as to what the SSL company calls "reissuance". As I only need an entry level cert, should I buy one that comes with "unlimited reissuance", or can I just buy the cheaper one and just save a copy of the certificate somewhere?

Question by:CSHTech
LVL 31

Accepted Solution

Paranormastic earned 1200 total points
ID: 24795331
Reissuance is if they need to reissue the certificate.  This is common to have for the first 2-4 weeks or so, but after that if you need your cert reissued then you need to pay for a new cert, or a discounted rate for reissuance.

The reasons you would normally need a cert reissued:
1) Initially corrupted certificate - this is obvious up front within minutes and will normally be reissued for free.

2) "Windows did it" corrupted certificate - certs are files and hence are just as likely as everything else to fall victim to Windows corrupting them.  This usually does not happen, but can at a rate similar to any other specific file.  This can happen anytime, but typically later into the life of the server.  You'll probably need to pay for this to get reissued unless you backed up the cert and private key to a .pfx file (read: export your cert from Certificates MMC including the private key to back it up to a .pfx file... and then copy/move that .pfx somewhere else to archive).

3) You screwed up the cert request - after issuing and installing you realize you should have issued to the alias instead of the server name, to the FQDN instead of the hostname, vice versa, you had the wrong key strength, or that you just simply had a typo.  Depending on how long it took you to realize this, you'll probably be able to replace for free.  (read: make sure to install and test your cert within a couple days after you buy it)

4) Private key compromise - this is rare, but since taking proper care of things tends to get expensive it can happen if someone hacks your server and accesses the directory with the private key.  Now you can't trust it, so you need to revoke it.  Expect to get charged for this.  If this is a concern, look into generating the private key on an HSM (note these are very expensive even for the cheap ones) to provide the best protection against attackers.

5) You need to reissue under a different root certificate from that vendor.  Many of the big cert vendor names (Verisign, Comodo, etc.) own many roots both under their own name and under the names of the various companies that they have purchased over the years.  Due to this, there can be occasional compatibility issues that they may be able to take care of by reissuing the cert under one of their other roots instead of the primary one for whichever type of cert you are looking at.  Again, with timely testing this is normally included in the original couple weeks that they all offer.

Reissuance is important from the cert vendor during the first few days, maybe weeks.  After that it is a safety net for those that don't know how to backup their certificate and private key properly (which isn't all that difficult, you just need to know to do it, which many admins don't somehow).  As you suspected, you can just back it up, archive it, and be a good admin.

It's just a marketing thing.  When you have a policy that screws people that is universal in the industry, then there is a place for a new service to cash in on.  I'm sure there are those that would argue otherwise, but I personally feel that this is legitimate - it is not the CA's job to secure your server and protect the key, it is yours - and each time they need to revoke the old one, which makes their CRL grow, slowing things down for everyone eventually, one grain of sand at a time, not to mention the extra bandwidth and other related real costs.
LVL 31

Expert Comment

ID: 24795400
As a side note, I recommend having a couple flash drives, they're getting cheap enough now, and securing them in a sealed envelope for each server - one for onsite, one for offsite (as a minimum).  Since these will have the private key, it is recommended to not store the .pfx on the server and only archive on offline media like the flash drives.  Also control access to these fobs - keep them locked up in a drawer, safe, or something.  It is best to have a separate pair of fobs for each server, but realistically this is not normally necessary - they are very small (@ 1-2 kB) so pretty much any size will suffice for many servers.  If you have a larger admin team you may wish to split off by job type (unix vs. windows, web servers vs. non-web servers, etc.).
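The backup the accepted answer describes (export the cert with its private key to a .pfx, then archive it off the server as the comment above recommends), as an added PowerShell example that is not from either poster. It uses the .NET 2.0 X509Certificate2 API rather than the newer Export-PfxCertificate cmdlet, so it runs on SBS 2003 with PowerShell 2.0; the subject pattern and staging path are assumptions, and the script re-reads the file to confirm the private key actually made it into the backup.

```powershell
# Added example, not code from the original answers. Exports the RWW certificate
# plus private key to a password-protected .pfx and verifies the result.
$subjectPattern = 'CN=remote.example.com'        # assumption: subject of your RWW cert
$outFile        = 'C:\certbackup\rww-cert.pfx'   # assumption: staging path; move the file to offline media afterwards

# Locate the certificate in the machine store; only entries with a private key qualify.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
$cert = $store.Certificates |
    Where-Object { $_.Subject -like "*$subjectPattern*" -and $_.HasPrivateKey } |
    Select-Object -First 1
$store.Close()
if (-not $cert) { throw "No certificate with a private key matching '$subjectPattern' in LocalMachine\My" }

$password = Read-Host -AsSecureString 'Password to protect the .pfx'

# Export fails if the key was generated non-exportable; report that clearly instead of a bare exception.
try {
    $pfxBytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $password)
} catch {
    throw "Export failed (private key probably marked non-exportable): $($_.Exception.Message)"
}
New-Item -ItemType Directory -Force -Path (Split-Path -Parent $outFile) | Out-Null
[System.IO.File]::WriteAllBytes($outFile, $pfxBytes)

# Verify the backup: it must load with the password, carry a private key, and match the store copy.
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
$check.Import($outFile, $password, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)
if (-not $check.HasPrivateKey) {
    throw "$outFile holds the certificate only; the private key is missing, so it cannot restore the server"
}
if ($check.Thumbprint -ne $cert.Thumbprint) {
    throw "Thumbprint mismatch: store $($cert.Thumbprint) vs backup $($check.Thumbprint)"
}

"Backed up $($cert.Subject) (thumbprint $($cert.Thumbprint), expires $($cert.NotAfter)) to $outFile with private key."
```

Copy the resulting .pfx to the sealed offline media and delete it from the server; the password protecting it is what stands between anyone holding the fob and your private key, so keep it separate from the media.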

Author Closing Comment

ID: 31600580
Thank you for your time and effort on this - it's much appreciated.
