Revoke or let expire

My old certificate was for all my sub domains and it is set to expire very soon.

My new certificates, one for each sub domain, are installed and working fine.

There are no references to the old certificate in any configs by exact file name.

Best practice would be...

revoke and delete
OR let expire

Thanks so much ahead of time!

You can just let them expire, that's totally fine. You may choose to revoke if you want to ensure the old ones can't be used, perhaps because they're held by a server hosting company you're not using any more.


Most people will just let them expire.

Revoking a certificate is necessary if you lose control of the private key or have another security incident.

Revoking can be useful if you change hosting providers in a shared setting and do not trust the old company. If you control the servers involved it is probably not necessary.


Hello @beason and Welcome to the community!
Revoking a cert should be the LAST resort. *

Allowing the cert to expire will only (in most cases) generate an email from Let's Encrypt to inform you that the cert is aging and about to expire. If that is the case you can just ignore the email and move on.

To answer your question: Best Practice... Let it expire. ;0)
Hope this helps!


These things should be mutually exclusive.
I mean: If you can delete it, then why would you need to revoke it?

In the case that you are somehow reusing the same private key [unusual, but possible], then revoking it may create a problem everywhere that private key has been used [to include the new site] and anywhere that it might be used in the future.
So... it would be a very strange case where "best practice" would be to do both [delete and revoke].
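
The post above raises the case of new certificates reusing the old certificate's private key. The following is an added example, not part of the thread, that checks for this by comparing SHA-256 fingerprints of each certificate's public key with `openssl`. The file names, the function names and the demo certificates are all constructed for illustration.

```shell
#!/bin/sh
# Added example: find new certificates that carry the same public key as the old one.
# All file names and demo certificates below are constructed for illustration.

# Print the SHA-256 of the DER-encoded public key inside a PEM certificate.
spki_sha256() {
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# shares_key OLD.pem NEW.pem: exit 0 if same key, 1 if different, 2 if unreadable.
shares_key() {
    old_fp=$(spki_sha256 "$1") || return 2
    new_fp=$(spki_sha256 "$2") || return 2
    [ "$old_fp" = "$new_fp" ]
}

# report_reuse OLD.pem NEW1.pem NEW2.pem ...: one line per new certificate.
report_reuse() {
    old_cert=$1; shift
    for c in "$@"; do
        if shares_key "$old_cert" "$c"; then echo "REUSED   $c"
        else echo "distinct $c"; fi
    done
}

# Constructed demo data: old.pem and new-a.pem share a key, new-b.pem has its own.
make_demo_certs() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/shared.key" \
        -out "$d/old.pem" -subj "/CN=old.example.test" -days 1 2>/dev/null &&
    openssl req -x509 -new -key "$d/shared.key" \
        -out "$d/new-a.pem" -subj "/CN=a.example.test" -days 1 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/b.key" \
        -out "$d/new-b.pem" -subj "/CN=b.example.test" -days 1 2>/dev/null &&
    echo "$d"
}

# Demo run on the constructed certificates.
demo_dir=$(make_demo_certs) &&
    report_reuse "$demo_dir/old.pem" "$demo_dir/new-a.pem" "$demo_dir/new-b.pem"
rm -rf "$demo_dir"
```

To use it on real files, call `report_reuse` with the old certificate first and the new certificates after it.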


It's the other way around (revoke and then delete), but if there was a reason for revocation, why would you keep a revoked cert around? Thus, after a revocation, one probably would like to delete it too. So no, revoking and deleting are not mutually exclusive. :wink:

