Deprecated Certificates still valid?

Hi Community…

I have two servers on the same domain name (no sub-domain) but operating on different ports.
After I renewed the certificate, I only applied it to one of the servers. The other server is still using the old cert.

Even though: Both are seen as valid!

Should it be like that? When I renew a cert, shouldn’t the old ones become invalid?

Thanks
Jan

Hi Jan,

The Certificate is valid until its expiry date. Obtaining a new certificate doesn’t change the expiry date of the old certificate.

Alright, so the browser does not cross check the validity with the Let’s Encrypt servers every time I request the site?

@jansch The old certificate is not revoked automatically (and there is no reason to revoke it just because you don’t use it anymore).

So the old certificate remains valid until its expiration date.

(And, if you are using chrome, no, it doesn’t automatically check for revocation information…)

Unless you're using OCSP stapling :wink:

What do you mean with "cross check"? Let's Encrypt offers OCSP for checking the validity of the certificate(s) the server sends the browser. But a) not every browser does this by default (there are privacy concerns) and b) it will only validate those certificates.

If you mean with "cross check" also check other certificates (older ones, different servers) then: no, it doesn't. The browser doesn't even know about the existence of these certificates, so how could it check those? :slight_smile:

Thanks people, this answers my question! :slight_smile:

With “cross check” I meant that every time I send a request to my server, I get the certificate, then the browser checks with Let’s Encrypt servers if the cert is valid and then continues the connection with my server.
-> But that's clarified now! Thanks!

If you do want the old certificate to stop being valid when you get a new one, you can explicitly revoke it (e.g. with certbot revoke). Most site operators seem to appreciate the overlapping periods of validity. :slight_smile:
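An added example (not from anyone in this thread) for verifying the situation Jan describes from the command line: fetch the leaf certificate each port presents, compare serial numbers to see whether both ports serve the same certificate, check each one against its own validity period, and, if the certificate carries an OCSP URI, ask the CA's responder whether it has been revoked. It assumes `openssl` is in PATH; `example.com` and the port numbers are placeholders.

```shell
#!/usr/bin/env bash
# Added example: inspect the certificates two endpoints of one hostname
# present on different ports. Requires openssl; host/ports are placeholders.
set -euo pipefail

# Fetch the leaf certificate the server at host:port presents, as PEM.
fetch_leaf_cert() {   # usage: fetch_leaf_cert example.com 443 > leaf.pem
    local host="$1" port="$2"
    openssl s_client -connect "${host}:${port}" -servername "$host" \
        </dev/null 2>/dev/null | openssl x509
}

# Print "serial=<hex> notAfter=<date>" for a PEM certificate file.
cert_summary() {
    local serial notafter
    serial=$(openssl x509 -in "$1" -noout -serial | cut -d= -f2)
    notafter=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    printf 'serial=%s notAfter=%s\n' "$serial" "$notafter"
}

# Exit 0 if the certificate will still be within its validity period $2 seconds
# from now (default 0, i.e. "is it valid right now"), 1 if it expires before then.
# Note: this is the only thing renewal never changes for the OLD certificate.
cert_still_valid() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null
}

# Exit 0 if both PEM files carry the same serial number (i.e. the same certificate).
same_cert() {
    [ "$(openssl x509 -in "$1" -noout -serial)" = \
      "$(openssl x509 -in "$2" -noout -serial)" ]
}

# Ask the CA's OCSP responder (URI taken from the leaf's AIA extension) for the
# revocation status of a leaf; needs the issuer certificate and network access.
ocsp_status() {   # usage: ocsp_status leaf.pem issuer.pem  -> "leaf.pem: good|revoked|unknown"
    local url
    url=$(openssl x509 -in "$1" -noout -ocsp_uri)
    openssl ocsp -issuer "$2" -cert "$1" -url "$url" -no_nonce 2>&1 \
        | grep -E ': (good|revoked|unknown)'
}

# Walk-through (placeholder host/ports; run manually, needs network):
#   fetch_leaf_cert example.com 443  > port443.pem
#   fetch_leaf_cert example.com 8443 > port8443.pem
#   same_cert port443.pem port8443.pem || echo "ports serve different certificates"
#   cert_summary port443.pem; cert_summary port8443.pem
#   cert_still_valid port8443.pem && echo "old cert on 8443 is still within its validity period"
```

An old certificate that `cert_still_valid` accepts and that `ocsp_status` reports as `good` is exactly the "both are seen as valid" case in the question; only `certbot revoke` (or expiry) changes the OCSP answer.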
