0

That's all my question is. Is there a delay between the time you make an SSL cert config change and the time it takes effect, or are these kinds of changes immediate?

I bought an SSL cert some time ago and configured my Apache server to use this cert. Android devices don't seem to trust my SSL cert, so that leads me to believe that SOMETHING is improperly configured. I can change my configuration and what immediately happens is nothing at all, but I don't know if that's because my "fix" didn't fix anything or if it's because the fix just takes some time to take effect.

So that's my question. Are these sorts of changes supposed to be immediate or can they take a while?

Michael Hampton
  • 247,473
Jason Swett
  • 1,468
  • Exactly what are you talking about? – Michael Hampton Sep 11 '14 at 13:00
  • You don't specify what software is undergoing the SSL cert config change. E.g. in apache you can change the config, but until you reload the daemon those config changes won't be picked up. So the answer now boils down to "it depends". – wurtel Sep 11 '14 at 13:26
  • @MichaelHampton Fair question. I edited my question to be more specific. – Jason Swett Sep 11 '14 at 16:56
  • Not much, you didn't: you still haven't been clear about whether you're making a change in the certificate itself, or in the configuration of the application that uses the certificate. wurtel's comment above nicely summarises the sort of problem we're left with as a result. I think you would get a lot of benefit by being very, very concrete about exactly what you're doing, what you expected to see and the results you're actually seeing. – MadHatter Sep 12 '14 at 07:40
  • Please forgive my ignorance since this isn't my area of expertise. I don't think I changed the certificate itself or the configuration of the application that uses the certificate. I've changed the configuration of the server that hosts the application. Before, I was just including "my" certificate, not the root cert or intermediate cert. My change was to put a concatenation of my cert, the intermediate cert, and the root cert in place of the file that originally contained just my cert. – Jason Swett Sep 12 '14 at 11:59

1 Answer

4

It's very likely that your Apache server isn't handing out intermediate certificates that the Android devices need to verify the authenticity of your certificate.

Client devices obtain the certificate from your web server at the time of access (generally speaking-- I'm steering clear of "certificate pinning" here because that's not happening with you). Changes you made in your SSL configuration on your server "take effect" immediately.

I bet your confusion is coming from thinking about DNS caching. You're probably getting muddled in your thinking, since DNS changes don't "take effect" until caches expire. There's no caching, effectively, with SSL-- changes "happen" immediately.

Without being able to look at your site I can't say anything about the certificate chain and any intermediate certificates that you are (or aren't) sending. You may want to run your site through the Qualys SSL Test (or something similar), which will give you a report about a broken certificate chain (and lots of other common mis-configurations).

Evan Anderson
  • 142,379
  • If it helps, my site is https://www.snipsalonsoftware.com/. I'll check out Qualys SSL Test. Thanks. – Jason Swett Sep 12 '14 at 12:01
  • I asked a new question here: http://serverfault.com/questions/628062/what-is-wrong-with-my-ssl-trust-chain All I was really after with this question was the yes/no answer to whether I should be expecting a delay (which you provided). – Jason Swett Sep 12 '14 at 12:27
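
The missing-intermediate failure described in the answer above, reproduced offline as an added example (not part of the original posts): it builds a constructed throwaway root, intermediate and leaf with `openssl`, then verifies the leaf the way a client that trusts only the root would, first with the leaf alone and then with the intermediate supplied as the server would send it. The function names, file names and certificate subjects are assumptions made for this demo.

```shell
# Constructed demo PKI: root CA -> intermediate CA -> leaf, throwaway keys only.
build_demo_pki() {   # $1 = empty working directory
  # Minimal openssl config so the demo does not depend on the system openssl.cnf.
  printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
    '[dn]' 'CN = placeholder' \
    '[v3_ca]' 'basicConstraints = critical,CA:TRUE' > "$1/demo.cnf"
  # Self-signed root: the only certificate the client trusts.
  openssl req -x509 -config "$1/demo.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 2 -subj "/CN=Demo Root CA" -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
  # Keys and signing requests for the intermediate and the leaf.
  for n in int leaf; do
    openssl req -new -config "$1/demo.cnf" -newkey rsa:2048 -nodes \
      -subj "/CN=demo-$n" -keyout "$1/$n.key" -out "$1/$n.csr" 2>/dev/null
  done
  # Root signs the intermediate (a CA certificate); the intermediate signs the leaf.
  openssl x509 -req -in "$1/int.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
    -CAcreateserial -days 2 -extfile "$1/demo.cnf" -extensions v3_ca \
    -out "$1/int.pem" 2>/dev/null
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/int.pem" -CAkey "$1/int.key" \
    -CAcreateserial -days 2 -out "$1/leaf.pem" 2>/dev/null
}

# Succeeds only if the leaf chains to the trusted root.
# $1 = trusted root, $2 = leaf, $3 = optional file of intermediates the server sends.
sent_chain_verifies() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>/dev/null | grep -q ': OK'
  else
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK'
  fi
}

demo_dir=$(mktemp -d)
build_demo_pki "$demo_dir"
if sent_chain_verifies "$demo_dir/root.pem" "$demo_dir/leaf.pem"; then
  echo "leaf only:           trusted"
else
  echo "leaf only:           NOT trusted (client cannot find the issuer)"
fi
if sent_chain_verifies "$demo_dir/root.pem" "$demo_dir/leaf.pem" "$demo_dir/int.pem"; then
  echo "leaf + intermediate: trusted"
else
  echo "leaf + intermediate: NOT trusted"
fi
rm -rf "$demo_dir"
```

Against a live server, `openssl s_client -connect host:443 -showcerts` prints the certificates the server actually sends, which shows whether the intermediate is among them.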