Backdating certificates


1 comment

  • Official comment
    Jeff Generao

    Hello @ericmj,

    The way these shared certs are re-issued is when there is a change made to the TLS Certificate; either a new SAN addition or a SAN removal. The lion's share of situations where contemporaneous re-issue of a cert is done is much, much greater than those situations where one wants us to wait.

    If you can imagine when an entity wants to add to our shared cert, they want to have their domain ready for traffic. In the other situation, the removal of a SAN may be critical to a billing issue for another entity. Both these situations support a quick re-issue of the certificate.

    It is unfortunate that some system clocks may not be sync'd properly, however, we as a company strive to address the situations that would best serve our community. Swift deployment of TLS certs is heavily favored over a delay in deployment.

    We do have a product where the issue with "not before" time is minimized. A cert under your control is best where timing is this important. We call this the Fastly Hosted Certificate where you upload a TLS certificate and it's key to us, and we deploy it to our edge. In this way, you will know for sure both the "not before" and " not after" times and can plan accordingly.

    Comment actions Permalink

Please sign in to leave a comment.