What do I need to do with the certificate installed on old server?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.knowme.link

I ran this command: -

It produced this output: -

My web server is (include version): IIS 10

The operating system my web server runs on is (include version): Windows 10

My hosting provider, if applicable, is: -

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): win-acme

I'm going to move the web from one server to another. I exported the certificate (.pfx) from old server and imported the certificate to the new server. My question is what do I need to do with the certificate installed on old server?

Thank you

3 Likes

The certificate itself is a public document and so it's of no consequence. However, that PFX file will also have the associated Private Key; anyone who has that Private Key can potentially impersonate www.knowme.link. So, you should destroy any copies of that data which you no longer need to reduce the chance of it accidentally becoming known. Once the old server is no longer serving the web site, you should at least delete copies of the PFX file left on the server and (I don't know Windows well enough to advise exactly) look at how to delete the certificate entry you exported it from.

How seriously to take this depends on how important the security of www.knowme.link is to you. For many people it's enough to just not give out copies of that Private Key deliberately and delete any files which obviously have the key inside. If the security is extremely important to you (for example if this site has sensitive personal medical information or military secrets), you might want to destroy any physical storage devices with a key you don't want revealed, e.g. shredding the hard disk in an industrial shredder.

By default I expect win-acme will entirely replace that Private Key when it next renews the certificate for www.knowme.link and so none of this will matter within about 90 days of moving servers anyway.

4 Likes
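For the Windows side of the clean-up described above (delete leftover PFX copies, then remove the certificate entry together with its private key), here is an added PowerShell example; it is not from the thread, from Let's Encrypt or from win-acme. It assumes an elevated PowerShell on the old server, that the certificate lives in the machine "Personal" store (`Cert:\LocalMachine\My`, where IIS and win-acme normally put it), and that the `$Domain` and `$SearchRoots` values are placeholders you adjust. The `DnsNameList` property and the `-DeleteKey` switch require Windows PowerShell 5.1 or later; the IIS binding check uses the `WebAdministration` module that ships with IIS.

```powershell
# Added example (not from the thread): on the OLD server, after the site has
# moved, check that nothing in IIS still uses the certificate, remove the
# certificate and its private key from the store, and list leftover PFX files.
# Assumptions: elevated PowerShell, cert in Cert:\LocalMachine\My, and the
# domain / search roots below are placeholders to adjust for your machine.

param(
    [string]   $Domain      = 'www.knowme.link',
    # Places where an exported or cached PFX is likely to be sitting (a guess; extend as needed).
    [string[]] $SearchRoots = @('C:\inetpub', "$env:ProgramData\win-acme", "$env:USERPROFILE\Downloads")
)

function Get-SiteCertificate {
    # Every certificate in the machine Personal store whose subject or SAN list
    # names the domain, newest first.
    param([string]$Name)
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object {
            $_.Subject -like "*CN=$Name*" -or
            ($_.DnsNameList | Where-Object Unicode -eq $Name)
        } |
        Sort-Object NotAfter -Descending
}

function Test-CertificateStillBound {
    # True if any IIS HTTPS binding on this machine still references the thumbprint.
    param([string]$Thumbprint)
    Import-Module WebAdministration -ErrorAction Stop
    $bound = Get-WebBinding | Where-Object { $_.certificateHash -eq $Thumbprint }
    return [bool]$bound
}

function Remove-SiteCertificate {
    # Removes the certificate AND its private key container; supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    if (Test-CertificateStillBound -Thumbprint $Cert.Thumbprint) {
        Write-Warning "$($Cert.Thumbprint) is still bound in IIS; remove the binding first."
        return
    }
    $path = "Cert:\LocalMachine\My\$($Cert.Thumbprint)"
    if ($PSCmdlet.ShouldProcess($path, 'Remove certificate and private key')) {
        # Without -DeleteKey the key container would stay behind on disk.
        Remove-Item -Path $path -DeleteKey
    }
}

function Find-LeftoverPfx {
    # PFX/P12 files are the copies that carry the private key; list them for review.
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        if (Test-Path $root) {
            Get-ChildItem -Path $root -Recurse -Include *.pfx, *.p12 -File -ErrorAction SilentlyContinue
        }
    }
}

# --- main ---
$certs = Get-SiteCertificate -Name $Domain
if (-not $certs) { Write-Host "No certificate for $Domain found in LocalMachine\My." }
foreach ($c in $certs) {
    Write-Host ("{0}  expires {1:yyyy-MM-dd}  has private key: {2}" -f $c.Thumbprint, $c.NotAfter, $c.HasPrivateKey)
    # Dry run first; drop -WhatIf once you have reviewed the list above.
    Remove-SiteCertificate -Cert $c -WhatIf
}

$pfx = Find-LeftoverPfx -Roots $SearchRoots
if ($pfx) {
    Write-Host 'PFX/P12 files still on disk (delete the ones you no longer need):'
    $pfx | ForEach-Object { Write-Host "  $($_.FullName)" }
}
```

Run it once as written to see what would be removed, then again without `-WhatIf`. Deleting the files afterwards is an ordinary `Remove-Item`; if the disk is reused rather than destroyed, that is the "good enough for most people" level the answer above describes. One related check worth doing on the old machine: win-acme keeps a scheduled renewal task, so remove that renewal (or the task) as well, otherwise the old server will keep obtaining fresh certificates and keys for the domain after the move.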

Very briefly: You don't actually need to do anything. It will become useless* soon enough.
But you should always do something to ensure that your encryption keys are never compromised [as @tialaramex has explained].

* note: If for some reason you are not rotating the private key, then your risk factor is greatly elevated and this "old" key would remain a risk (even to your "new" server) until changed. And as always, anything that was recorded/captured during the time of that key being used might be vulnerable to being decrypted with that key.

4 Likes

Thank you all for your input.
Appreciate it.

3 Likes