Hetzner - DokuWiki


General information about reissues for your Symantec, Thawte and RapidSSL certificates from DigiCert (FAQs)


Why is it necessary to get a reissue for my certificate?

Our SSL certificate provider DigiCert (Symantec, Thawte, RapidSSL) has informed us that, effective 15 February 2018, a maximum validity period of 27 months will be allowed for all newly requested and newly issued SSL certificates. The certification authorities (CAs) and browser providers have agreed on this procedure. Only SSL certificates applied for and issued before 15 February 2018 will have a maximum validity period of 36 months.

In addition, Google has announced that starting on 15 March 2018, its browser will no longer recognize SSL certificates from Symantec, Thawte, and RapidSSL that were issued before 1 June 2016. Furthermore, Google stated that starting on 13 September 2018, Google's browser will not recognize Symantec, Thawte and RapidSSL certificates issued before 1 December 2017.

If your certificate falls into one of these categories, we will usually inform you promptly about the necessary steps for getting a reissue.
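To check which group a certificate falls into, the dates above can be applied to the issuer and notBefore lines printed by `openssl x509 -noout -issuer -startdate`. The following Python code is an added example, not Hetzner's or DigiCert's tooling; matching the brands as issuer substrings and the sample certificate data are assumptions constructed for illustration.

```python
import ssl
from datetime import datetime, timezone

UTC = timezone.utc
BRANDS = ("symantec", "thawte", "rapidssl")  # assumption: matched as issuer substrings
# (issued before, no longer recognized starting), dates as given in the FAQ above
PHASES = [
    (datetime(2016, 6, 1, tzinfo=UTC), datetime(2018, 3, 15, tzinfo=UTC)),
    (datetime(2017, 12, 1, tzinfo=UTC), datetime(2018, 9, 13, tzinfo=UTC)),
]

def parse_openssl(text):
    """Extract issuer and issue date from 'issuer=' / 'notBefore=' lines."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("issuer", "notBefore"):
            fields[key] = value.strip()
    if set(fields) != {"issuer", "notBefore"}:
        raise ValueError("need both issuer= and notBefore= lines")
    seconds = ssl.cert_time_to_seconds(fields["notBefore"])
    return fields["issuer"], datetime.fromtimestamp(seconds, tz=UTC)

def cutoff_for(issuer, issued):
    """Earliest date from which the certificate is no longer recognized, or None."""
    if not any(brand in issuer.lower() for brand in BRANDS):
        return None
    for issued_before, cutoff in PHASES:  # ordered, so the earliest deadline wins
        if issued < issued_before:
            return cutoff
    return None

def triage(text, today):
    """Classify one certificate as of 'today' (timezone-aware datetime)."""
    issuer, issued = parse_openssl(text)
    cutoff = cutoff_for(issuer, issued)
    if cutoff is None:
        return "not affected"
    if today >= cutoff:
        return "no longer recognized"
    return f"reissue before {cutoff:%Y-%m-%d}"

# Constructed sample data (not real certificates)
OLD = "issuer=C = US, O = Example, CN = thawte Example CA\nnotBefore=May 10 00:00:00 2016 GMT"
MID = "issuer=C = US, O = Example, CN = RapidSSL Example CA\nnotBefore=Jun  1 00:00:00 2016 GMT"
OTHER = "issuer=C = DE, O = Example, CN = Example Other CA\nnotBefore=May 10 00:00:00 2016 GMT"

if __name__ == "__main__":
    for name, sample in (("OLD", OLD), ("MID", MID), ("OTHER", OTHER)):
        print(name, triage(sample, datetime(2018, 2, 1, tzinfo=UTC)))
```

A certificate issued before 1 June 2016 falls into both groups; the function reports the earlier deadline.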

What is the procedure for getting a reissue?

The reissues will be announced and carried out in groups before the respective deadlines. Unfortunately, it is possible that your certificates may fall into more than one of these groups, and that you will therefore be informed about the process several times. To help us make sure that the reissue process goes smoothly, we ask you to refrain from sending us arbitrary reissue orders unless that is absolutely necessary.

Which steps need to be taken for a reissue?

Hetzner Online will request the reissues collectively and, as far as possible, carry them out automatically. As a rule, a (re-)validation/authentication of your certificate is necessary for the reissue process. Depending on the authentication method, this can be done automatically via our servers. In most cases, however, you will receive an "ApproveMail" at the email address that you provided when you ordered the SSL certificate. In this mail you will find a link to confirm the reissue request. Please make sure to respond to the confirmation email as soon as possible so that the new SSL certificate will be sent to you quickly.

Either we or DigiCert may require further steps or documentation from you to validate the reissue. If this happens, either we or DigiCert will contact you. Please make sure to provide the requested information and/or take the necessary steps as soon as possible so that you quickly receive your SSL certificate reissue.

What happens if I miss the deadline?

The reissue does not make the existing certificate keys invalid (revoked). A revocation will only be performed by DigiCert at a later date. Therefore, failure to get a reissue will not have a negative impact on the existing certificate for the time being. Please note, however, that you will not be able to make a secure connection with new browser versions after March 15 or September 13.

What do I need to do after I successfully get a reissue?

As a Robot customer, you will receive the certificate key together with the required intermediate certificates via email after your new certificate is complete. The certificate data must be replaced on all servers that use the certificate. The new certificate will be active when the server is restarted. The existing private keys normally remain valid in this case.

As a rule, konsoleH customers do not have to take any further steps. The updated certificate data is automatically stored in the konsoleH SSL Manager and installed on our SSL accounts. However, if you also want to use the certificate on external servers, please download it again from the "SSL Manager" after completion and install it manually.

Since the reissue, certificate errors have occurred on some (older) devices. What can I do?

Older clients may lack the current root certificates from DigiCert, which means that the certificate chain is incomplete or cannot be validated. In this case, please check if a new software version of your client is available.

In some cases, incompatibilities with current SHA256 root certificates may also occur. This is usually also client-specific and has nothing to do with the server configuration. If these cases occur more frequently, we can offer to reissue your certificate on an alternative certificate chain with a SHA1 root certificate. Please send us a separate support request from konsoleH/Robot. Please refrain from making arbitrary reissue orders, as these orders must also be processed separately and slow down the process.

© 2018. Hetzner Online GmbH. All rights reserved.