GGSSL Module - Record and activity for each reissue of SSL

pincer shared this idea 4 months ago
Under Consideration

Please add a history of SSL reissues. For each entry, specify:

-changes (Org details, SAN, CN, etc added/removed/changed) to easily compare with previous SSL

-offer download of CRT and KEY for each issued or reissued SSL

-easy way to revoke each/all issued and reissued SSL

Comments (2)

1

This must be supported ASAP. The best practice for installing SSL is that, for each server, you must generate a new CSR and new key. So for a Wildcard cert, you have to reissue each time you install on another server. But currently, only the most recent SSL is available for download in the Panel.

Currently, you have no way to keep track of reissues and the CRT and KEY (if CSR is generated in Panel) for each reissue. The Panel should keep track of and list all these reissues and their associated CRT and KEY.

1

Current behavior is that, on reissue, the current crt + key are deleted and replaced by the new/reissued crt and key. Can't you just move the old crt + key to another directory? Then list all those previous crt + key as available for download in an SSL History tab? The current History tab should be separated into 'Order History' and 'SSL History (reissues)'. This is for easy management, storage and safekeeping of all crt(s) + key(s) instead of keeping them only on the server or storing them somewhere else that is prone to being misplaced or lost.

Reissue does NOT revoke the previous SSL, especially if it is a Wildcard or Multi-domain SSL. To revoke a crt, you have to contact the CA Support. Auto revoke only happens when you reissue a SINGLE-domain SSL.

Why is Reissue Management important? It is because you want to keep track of any changes between crt files and keep track of a particular crt and its key. You may want to reissue a Wildcard SSL so that it will have a different key when you install on another server. OR you want to reissue to add/delete/modify a SAN for a Multi-domain SSL with the same key or new key to be installed on another server.

Do you think it is reasonable to actually only have the latest reissued crt on your account when you have already reissued 10 times for 10 server installs and each server has a different key? Of course not. If only Billmanager allowed something like this:

SSL History

1-20-20 - reissued - Download crt - Download key - Note for server1 (label)

1-27-20 - reissued - Download crt - Download key - Note for server2 (label)

Do you understand?