One more startcom coming to LE

My domain:
https://organicamente.org/

My web server:
Apache 2.4.25

The operating system my web server runs on:
Ubuntu 12.04

My hosting provider (shared hosting):

I can login to a root shell on my machine:
no

Control panel to manage my site:
afaik, it’s a proprietary one (pair.com)

Hi there,
I have this domain with a startcom cert expiring this month. I’d like to leave it and install an LE cert.
Can I simply do it? Do I need to revoke the startcom cert (and pay the fee they charge)?
If I can simply abandon startcom, do I need to wait until it expires? And if I do install the LE cert, do I need to do something about the old cert (or simply delete it)?
Sorry for bringing such basic questions - not surprisingly, I’ve seen others in the same situation, but couldn’t find clear directions.
Thanks

Hi @Theo,

In general, the web PKI allows multiple certificates to have overlapping validity, along any dimensions. There can be certificates from several different certificate authorities, or from the same certificate authority, all valid during the same time period and covering one or more of the same domain names. This doesn’t represent a conflict.

As I mentioned to another user today, there have been browser extensions to warn people about this situation in case it represents a malicious mis-issuance, but the use of some extensions is extremely rare. It’s currently not a default browser behavior to warn people about certificate changes in these cases.

Revocation is only needed when you have reason to believe that someone else has had improper access to your private keys, or in some specialized circumstances like when you no longer legitimately control a subject domain name. It isn’t needed in order to create a new certificate for the same names.

If you do want to declare restrictions on certain kinds of certificate changes for your site, there are some technologies that can do so, like CAA (restricting which certificate authorities may issue for your site) and HPKP (restricting which certificates browsers will accept for your site). If you haven’t used these technologies, you can switch CAs at will or even use several at the same time, which might be appropriate for some use cases (for example, because Let’s Encrypt doesn’t issue EV certs or wildcards).

Edit: after you switch certificates, you may want to erase the private key for your old certificate from your server for various reasons related to reducing the risk if someone hacks your server.

@schoen,
thank you very much, that was really helpful. As it happens with, ahm, quite anything, there are plenty of websites talking about SSL, but I couldn’t find a 101 relating the techie details to the real world and, for example, the actual files we have to deal with when setting up a certificate.
Thanks also for the great work at EFF - another initiative for a better world.
All the best.

About four years ago I found an incredibly great introduction somewhere but I’ve never come across it again or been able to track it down. :(

We wrote a “what is a certificate” document for Let’s Encrypt but the resource I’m thinking of was a lot better, from my point of view, in terms of understanding the underlying technology in detail. It showed some PEM files, then interpreted them with OpenSSL or something, and showed what each file was actually doing, and what information it was conveying, and how that information would ultimately be used. As I remember it, it explained certificate authorities, subject information, digital signatures, certificate requests, intermediate certificates and CAs, public and private keys, revocation, and some other concepts, with examples.
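The kind of walkthrough described above, as an added example that is not part of the thread and not Let’s Encrypt’s own material: it builds two throwaway self-signed certificates (standing in for an old and a new certificate for the same name; the domain `example.org` and the file names are constructed here), prints the fields a PEM file actually carries, shows that their validity windows overlap without that being a conflict, and finishes with the clean-up step from the earlier reply, removing the old private key. It assumes `openssl`, GNU `date -d` and `shred` are available.

```shell
#!/bin/sh
# Added example, not from the thread. Inspects PEM certificates with OpenSSL
# and checks overlapping validity. Certs/keys are constructed throwaways.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME DAYS: self-signed throwaway cert + key for a constructed domain.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" \
        -days "$2" -subj "/CN=example.org" 2>/dev/null
}

# cert_summary FILE: what a PEM certificate is conveying: who it is for (subject),
# who vouches for it (issuer) and for how long (validity window).
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -dates
}

# pubkey_fpr FILE: SHA-256 over the DER-encoded public key. Two certificates with
# the same value share a key pair; this is also the value an HPKP pin is built from.
pubkey_fpr() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# not_before_epoch / not_after_epoch FILE: validity bounds as seconds since epoch.
not_before_epoch() {
    date -d "$(openssl x509 -in "$1" -noout -startdate | cut -d= -f2)" +%s
}
not_after_epoch() {
    date -d "$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)" +%s
}

# validity_overlap A B: succeeds when both certificates are valid at some common
# instant. The web PKI allows this; nothing needs revoking just to switch CAs.
validity_overlap() {
    a_nb=$(not_before_epoch "$1"); a_na=$(not_after_epoch "$1")
    b_nb=$(not_before_epoch "$2"); b_na=$(not_after_epoch "$2")
    [ "$a_nb" -le "$b_na" ] && [ "$b_nb" -le "$a_na" ]
}

# retire_key FILE: after the switch, remove the old private key so a later server
# compromise cannot recover it. shred where available, plain delete otherwise.
retire_key() {
    shred -u "$1" 2>/dev/null || rm -f "$1"
    [ ! -e "$1" ]
}

# Demo: an "old" certificate with 30 days left and a "new" 90-day one.
make_cert old-cert 30
make_cert new-cert 90

for c in old-cert new-cert; do
    echo "== $c =="
    cert_summary "$WORK/$c.pem"
    echo "public key sha256: $(pubkey_fpr "$WORK/$c.pem")"
done

if validity_overlap "$WORK/old-cert.pem" "$WORK/new-cert.pem"; then
    echo "both certificates are valid right now; that is allowed, not a conflict"
fi

# Whether a CAA record restricts which CAs may issue for a name is a DNS lookup
# (e.g. 'dig +short CAA example.org'); it is not run here because it needs network.

retire_key "$WORK/old-cert.key"
echo "old private key removed"
```

Each helper takes a file path, so the same functions work on a certificate copied out of the server’s configuration; the fingerprint check is the quickest way to confirm that a renewed or replaced certificate really did get a fresh key pair rather than reusing the old one.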

Hi @Theo,

It is a very broad subject and there are lots of bits that make it work.

Every time I sit down to write what I believe is a simple guide and send it to my mum to read (how I test all my technical documents), she still doesn’t get it. I now begin to understand how much assumed knowledge there is.

This has been asked for a few times.

Basically you should be OK to swap to a new provider. You are not using any CA protection technologies that could cause issues.

Andrei
