When I renew a certificate, does the old one get revoked?

wbounni · June 16, 2023, 12:11am

Hi;

Out of interest, what happens when a certificate is renewed, does the old one get revoked automatically? I guess, I am trying to see if a certificate renewal could be a better alternative to revoking then renewing.

Kindly
Wasfi

griffin · June 16, 2023, 12:12am

griffin · June 16, 2023, 12:13am

A "renewal" certificate is just a convenient term for a new certificate that happens to share the same set of SANs as a previously-issued certificate. Beyond labeling that relationship, there is no operational correspondence between the "original" and "renewed" certificates.

danb35 · June 16, 2023, 12:15am

So no, renewing a cert doesn't revoke the old one, and you shouldn't revoke the old one--just let it expire. Only revoke a cert if you suspect its private key has been compromised.

griffin · June 16, 2023, 12:16am

The animated post I shared is a colorful version of exactly what @danb35 has correctly advised.

wbounni · June 16, 2023, 12:18am

But how can renew and let the old one expire as the old one will not exist. The new one simple overwrite it as far as I know.

griffin · June 16, 2023, 12:25am

The old certificate will ALWAYS exist, even after you've deleted it locally.

griffin · June 16, 2023, 12:27am

Once you've destroyed a certificate's private key, that certificate will continue to "exist" (even if you delete it), but it won't ever be usable again.

danb35 · June 16, 2023, 12:31am

I'm sure it depends on the client, but with the most popular ones (certbot, acme.sh, etc.), this isn't true. A new cert is issued, but it doesn't overwrite the old one. And if the old one were overwritten, what then? It can't be used again, so (once again) there's no reason to revoke it.

Again, the only reason to revoke a cert is if you suspect the private key has been compromised.

wbounni · June 16, 2023, 12:41am

Thank you @griffin and @danb35

Osiris · June 16, 2023, 5:38am

And to complete this thread in total, in addition to:

and

There are 2 (3?) ways to revoke a certificate:

Using the private key associated with the certificate itself;
Or, if the private key isn't around any longer, using the ACME account which issued the certificate in the first place or (/and?) a different ACME account, but which has proven authority of (all) the hostname(s) in the certificate.

system · July 16, 2023, 5:38am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How to proof/check if a certificate was revoked Issuance Tech	3	8480	November 20, 2015
Revocation after request or renewal Issuance Policy	2	851	March 25, 2019
Revocation after expiration? Client dev	10	1722	January 10, 2018
Renew certificate before revoking old one Help	7	446	July 18, 2023
Why not revoke a certificate after renewal or end of use? Issuance Policy	4	1830	April 11, 2020

When I renew a certificate, does the old one get revoked?

Related topics