Renewal of existing certificates, re-install needed?


I am using “dehydrated” to get certificates issued using DNS challenge to Cloudflare.

Everything is working fine and I have the certificates.

I get the certificates issued as standalone and manually install them for Synology NAS, VMware Harbor Docker Registry, vSphere etc…

My question is. When it comes to renewal, I am running a cron job which should renew the certificates. Am I right in understanding that, I do NOT need to re-install / copy the certificates and the ones that are already installed will just be renewed?

Or will the renewal generate “new” certs which then needs to be installed ?

Unfortunately, "renewal" is just a term for "getting a new certificate with exactly the same settings as the one before".

The expiration date of certificates is included in the signature of every certificate (as in, the data over which the signature is calculated includes the expiration date), therefore, a new expiration date can only be set when the certificate is signed again. And that means you'll get a brand new certificate.

And because you'll get a "brand new" certificate, you'll have to re-install it again.

1 Like

Thank you for clarifying. This makes things a lot more complicated for me. It basically means every three months I need to renew the certs (which is straight forward) then install the new certificate on each of the systems. I guess I might be able to automate some of it using ansible / bash scripts.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.