Blog > Annual TLS Certificate Refresh

Annual TLS Certificate Refresh

Our annual certificate refresh is coming up,with our TLS certificates expiring annually in January. December is included for a reasonable grace-period, because services will need to be switched over, which costs time.

Exactly a year ago, we announced the previous roll-over. Why do we do this every year, and why don’t we take out certificates that are valid longer than ~365 days?

Longer validity periods risks us as the consumer using certificates issued with older, out-dated standards. While it may be difficult to predict exactly which issues will occur in the future, we’ve obviously needed to refresh our certificates because of the SHA-1 saga, and while we were unaffected, the Symantec soap opera. Our users can do without the drama.

Longer validity periods also risks us getting out of practice, in the same sense that not exercising for a few years may just not be as healthy as regularly exercising. During our annual refresh, we test and tweak and update and retest and hold things under a microscope to see where we might further improve. This typically results in CAA records, another check on TLSA records, and generally getting up to date with the “standards” du jour.

Regular refreshing periods also allows us to scratch private keys, refresh pass-phrases, use hardware-based random number generators (ours is actually a Quantum-ready device), and basically invalidate whatever was. Let’s consider it a good practice. Despite our application of Perfect Forward Secrecy (PFS), the longer a private key and certificate is in use, the higher the chances are the quantity of information communicated over our wires may give a reasonable approach to cracking — while I’m not a mathematician let alone a cryptographer, I presume given an infinite amount of data, analysis could potentially increase the chances of forming better and better educated guesses, even if it may still take hundreds of thousands of years using all the computing power in the world.

The SHA-256 fingerprint for our new certificate is as follows;

D3:A4:67:F4:44:6D:66:2C:42:11:26:75:93:A3:F7:E3:\
    DA:75:89:E7:76:B8:D7:53:42:47:E7:6A:EB:BC:13:CA

The SHA-512 fingerprint for our new certificate is as follows;

C2:18:30:44:50:45:51:59:A6:C1:22:EC:26:A6:D8:CF:\
    33:0E:BE:EE:AE:19:9F:7A:2F:B8:FB:38:29:AD:E6:DD:\
    2F:D6:F2:3D:5E:FB:83:DF:A9:4E:08:5F:13:FD:BB:E4:\
    AC:DF:A3:7E:0B:F5:50:BB:52:1E:56:75:52:92:2D:B6