How will the SSL/TLS CA certificate update on my device if it is renewed by the server maintainer?

How will the SSL/TLS CA certificate update automatically on a client device if it is renewed by the website maintainer?

Actually, a Root CA certificate expires after 1 or 2 years; after that the server maintainer should go to the Certificate Authority to renew it for further validity. In this situation, how does my client device get the newly renewed certificate?

I could find some answers on websites, such as: if the certificate expires then we will get a warning message, and data communication will also be plain text, so it is vulnerable to a man-in-the-middle attack.


1 answer

  • answered 2021-06-19 07:38 Netch

    There are many unclear aspects in your question - for example, what is this "device" that requires (or doesn't require) a firmware upgrade - so I'll answer in general.

    1. Yep, the simplest way to describe it is just the firmware upgrade. If it is expected that a device needs checking against a well-known root certificate set, this is to be implemented by upgrading this set as well. It depends on the OS and distribution how it is implemented; e.g. in non-embedded Linux distributions it is present as a package named "ca-certificates" or similar. The package provides a directory of certificates in PEM form, or a single file of concatenated certificates, or both. The package is upgraded independently of other components, except for a possible relation in data form.

    2. It is used in some cases that a certificate (as a combination of its subject, public key and attributes) is provided in two versions: self-signed - for newly updated users, and signed by a previous certificate - for users with an old certificate database. Depending on the client software, it may issue an expiration warning if the old root is expired, or may not.

    3. Some root certificates are provided with a long lifetime (20-30 years) but are used just to sign a second-level certificate which lives a few years; the latter, in turn, is used for end-user certificates (such as a web server's). In such a case, you don't need to react at all.
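As an added example (not part of the original answer or of any real CA's material), the following Go program uses the standard crypto/x509 package to model points 2 and 3 above: an old root, a new root published both self-signed and cross-signed by the old root, a long-lived root that signs a shorter-lived issuing CA, and what a client with an old or an updated trust store can verify. All names ("Demo Old Root", "www.example.test", ...), keys and lifetimes are constructed for the demo and are assumptions, as are the function names (`BuildDemoPKI`, `Verify`, `Scenarios`).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// DemoPKI holds a constructed hierarchy (assumed names, not from the original post).
type DemoPKI struct {
	OldRoot, NewRootSelf, NewRootCross, Issuing, Leaf *x509.Certificate
	NewRootKey                                        *ecdsa.PrivateKey
	Now                                               time.Time
}

var serial int64 // demo serial counter; real CAs use large random serials

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl with signer, the private key of parent (parent == nil means self-signed).
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	serial++
	tmpl.SerialNumber = big.NewInt(serial)
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func caTmpl(cn string, now time.Time, years int) *x509.Certificate {
	return &x509.Certificate{
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(years, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

func leafTmpl(now time.Time) *x509.Certificate {
	return &x509.Certificate{
		Subject:     pkix.Name{CommonName: "www.example.test"},
		DNSNames:    []string{"www.example.test"},
		NotBefore:   now.Add(-time.Hour),
		NotAfter:    now.AddDate(1, 0, 0), // server certificates live about a year
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

func BuildDemoPKI(now time.Time) DemoPKI {
	oldKey, newRootKey, issuingKey, leafKey := newKey(), newKey(), newKey(), newKey()
	oldRoot := issue(caTmpl("Demo Old Root", now, 20), nil, &oldKey.PublicKey, oldKey)
	// Point 2: the same subject and key published twice - self-signed for updated
	// trust stores, and cross-signed by the old root for clients that only know the old root.
	newSelf := issue(caTmpl("Demo New Root", now, 20), nil, &newRootKey.PublicKey, newRootKey)
	newCross := issue(caTmpl("Demo New Root", now, 5), oldRoot, &newRootKey.PublicKey, oldKey)
	// Point 3: the long-lived root signs a short-lived issuing CA, which signs the server cert.
	issuing := issue(caTmpl("Demo Issuing CA", now, 3), newSelf, &issuingKey.PublicKey, newRootKey)
	leaf := issue(leafTmpl(now), issuing, &leafKey.PublicKey, issuingKey)
	return DemoPKI{oldRoot, newSelf, newCross, issuing, leaf, newRootKey, now}
}

// Verify checks leaf against the client's trust store (roots) plus the chain the
// server presents in the handshake (intermediates), evaluated at time at.
func Verify(leaf *x509.Certificate, roots, intermediates []*x509.Certificate, at time.Time) error {
	rp, ip := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots {
		rp.AddCert(c)
	}
	for _, c := range intermediates {
		ip.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: rp, Intermediates: ip, DNSName: "www.example.test", CurrentTime: at})
	return err
}

// Outcome records which client situations verify successfully.
type Outcome struct {
	NewStore, OldStoreWithCross, OldStoreWithoutCross, RenewedIssuingCA, ExpiredReported bool
}

func Scenarios() Outcome {
	p := BuildDemoPKI(time.Now())
	certs := func(cs ...*x509.Certificate) []*x509.Certificate { return cs }
	ok := func(err error) bool { return err == nil }
	// Renew only the issuing CA (fresh key, signed by the same root): the client's root store is untouched.
	k2, lk2 := newKey(), newKey()
	issuing2 := issue(caTmpl("Demo Issuing CA 2", p.Now, 3), p.NewRootSelf, &k2.PublicKey, p.NewRootKey)
	leaf2 := issue(leafTmpl(p.Now), issuing2, &lk2.PublicKey, k2)
	// Evaluate the chain two years later: the leaf has expired and the error says so.
	var inv x509.CertificateInvalidError
	errExp := Verify(p.Leaf, certs(p.NewRootSelf), certs(p.Issuing), p.Now.AddDate(2, 0, 0))
	return Outcome{
		NewStore:             ok(Verify(p.Leaf, certs(p.NewRootSelf), certs(p.Issuing), p.Now)),
		OldStoreWithCross:    ok(Verify(p.Leaf, certs(p.OldRoot), certs(p.Issuing, p.NewRootCross), p.Now)),
		OldStoreWithoutCross: ok(Verify(p.Leaf, certs(p.OldRoot), certs(p.Issuing), p.Now)),
		RenewedIssuingCA:     ok(Verify(leaf2, certs(p.NewRootSelf), certs(issuing2), p.Now)),
		ExpiredReported:      errors.As(errExp, &inv) && inv.Reason == x509.Expired,
	}
}

func main() {
	fmt.Printf("%+v\n", Scenarios())
}
```

The two things worth noticing: a client whose trust store still holds only the old root verifies the new hierarchy only while the server sends the cross-signed copy of the new root (OldStoreWithCross true, OldStoreWithoutCross false), and renewing the issuing CA under a long-lived root needs no change on the client at all (RenewedIssuingCA true). Expiry is reported as a verification error, not as a fallback to plain text.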