How often do I update SSL certificates

Hi there,

I was wondering if I need to update ssl certificates periodically and what is the best way to do that. Here is my problem....

I'm using Dynamic DNS service on my openwrt router. My DNS provider recommends I use SSL to connect whenever I update my IP so I installed libustream-openssl ca-certificates and I configured everything properly but when I started the service I got this message in the log file...

WARN : No valid certificate file '/etc/ssl/certs/' for HTTPS communication - TERMINATE

It sounded like I didn't have the right SSL certificate. I did some searching and found these instructions here: https://oldwiki.archive.openwrt.org/doc/howto/wget-ssl-certs
I installed openssl-util and ran the commands listed on the wiki. Specifically these commands....

cd /etc/ssl/certs
openssl s_client -connect freedns.afraid.org:443 < /dev/null > temporary.out
openssl x509 -outform PEM < temporary.out > freedns.afraid.org.cer
 
# create link using the hash value from openssl
# store certificate hash value in HASH append .0, if hash exists can store as .1 or .2 or .3  etc etc

HASH=`openssl x509 -hash -noout -in freedns.afraid.org.cer`.0
 
# create link
ln -s freedns.afraid.org.cer $HASH

Then I restarted the Dynamic DNS service and..... everything worked. Yay!

So my question is..... How often do I have to repeat this step? Every month? Every year? Every time I restart the router? Should I put these commands in a script and set it up as a cron job? Sorry for the noob questions, I know next to nothing about SSL except that it is necessary so that no one can see my username/password every time I update my IP. Thanks!

Edit: I didn't notice that you pulled them manually. You could install ca-certificates using opkg as another, probably easier option.

Edit 2: You look like you did install ca-certificates. You shouldn't have had to fetch their certificate, and doing so that way potentially ignores any trust chain about who you actually contacted to get that certificate.

Does opkg list-installed show ca-certificates as installed? Does your device show something like this:

$ ls -l /etc/ssl/certs/
-rw-r--r--    1 root     root        200061 Sep 17 18:17 ca-certificates.crt

Their certificate, at least as delivered to my browser, is valid and can be confirmed based on a proper set of CA roots:

I would recommend getting your CA roots straightened out, and removing what you downloaded. There are things like revocation that won't work if you have a non-root certificate "hard" installed.
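The check the reply above recommends can be scripted; the script below is an added example (not from this thread or the OpenWrt project) that confirms the opkg ca-certificates bundle is in place and flags any hash-named symlink in /etc/ssl/certs that points at a pinned leaf certificate rather than a CA certificate. The file name audit_certs.sh is an assumption, and the CA:TRUE check needs openssl-util installed.

```shell
#!/bin/sh
# Audit an OpenWrt-style certificate directory: confirm the opkg ca-certificates
# bundle is present, then flag hash-named symlinks (the wiki's "ln -s cert $HASH"
# pattern) that point at a server's leaf certificate rather than a CA. Assumes
# openssl-util is installed. Usage: sh audit_certs.sh [/etc/ssl/certs]

# Return 0 when <dir>/ca-certificates.crt exists and is non-empty.
bundle_ok() {
    [ -s "$1/ca-certificates.crt" ]
}

# Print every entry in <dir> named like <8 hex chars>.<digit>, one per line.
hash_links() {
    for f in "$1"/*; do
        [ -e "$f" ] || [ -L "$f" ] || continue
        case "${f##*/}" in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9])
                printf '%s\n' "$f" ;;
        esac
    done
}

# Return 0 when <file> is a PEM certificate carrying basicConstraints CA:TRUE,
# 1 for a leaf (end-entity) certificate or anything openssl cannot parse.
is_ca_cert() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Print one status line per finding; return 1 if anything needs attention.
audit() {
    dir="$1"; rc=0
    if bundle_ok "$dir"; then
        echo "OK   $dir/ca-certificates.crt present"
    else
        echo "FAIL no ca-certificates.crt in $dir (opkg install ca-certificates)"; rc=1
    fi
    for link in $(hash_links "$dir"); do
        target=$(readlink "$link" 2>/dev/null || printf '%s' "$link")
        if is_ca_cert "$link"; then
            echo "OK   $link -> $target is a CA certificate"
        else
            echo "WARN $link -> $target is a pinned leaf certificate; remove it"; rc=1
        fi
    done
    return "$rc"
}

# Run the audit only when executed as a script, not when sourced for its functions.
case "${0##*/}" in audit_certs.sh) audit "${1:-/etc/ssl/certs}" ;; esac
```

A WARN line is the "hard" installed non-root certificate the reply describes; removing that link and relying on ca-certificates.crt restores normal chain validation.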


The CA certs change very slowly, with the exception of the revocation of some "marginal" ones. They'll often be updated any time you flash a new ROM when you install new packages. I would consider quarterly plenty often, once a year probably reasonable. I'd say they change slower than you should be updating your ROM for general security reasons.


You got me curious. https://wiki.mozilla.org/NSS:Release_Versions shows them changing every few months, unsurprisingly in sync with Firefox releases. https://wiki.mozilla.org/NSS:Versions shows the CA roots changing more slowly.
