35

Do any web browsers cache SSL server certificates? For example, if I change the SSL certificate on a web server, will all of the web browsers pick up the new certificate when they connect via SSL, or is it possible that they could have a stale certificate?

I'm thinking of the scenario when an SSL certificate expires and is replaced by a new one on the web server.

3 Answers

18

Well, the answer by RedGrittyBrick is correct, but it does not really answer the question. The question was whether browsers do it, not whether they should or need to do it.

From what I've heard, both MSIE and Chrome actually do cache certificates, and don't replace them when they get a new version as long as the old one is valid. Why they do this is not for me to understand, as it lowers security.

tuexss
  • 318
0

I'm not sure if my input will help in any way, but here's what I've just experienced: I've got a web site in Azure with a custom domain. I tried accessing it with https in Chrome before configuring the SSL binding for my domain name. Chrome was telling me that the site is not secured, which perfectly makes sense (ERR_CERT_COMMON_NAME_INVALID). But after I uploaded my cert and configured the SSL binding in Azure, I was still getting the same error. At this stage, when opening a new private browser window (or using another browser), the https was working fine.

But I could never get it to work in my open Chrome session. I tried clearing the SSL state, same result. It worked after restarting Chrome altogether.

I was probably tricked by something but it almost looked like the cert was cached...

Etienne
  • 139
-1

Some browser developers have plans to implement such a caching system for detecting attacks like the attack on DigiNotar in 2011.

But at the moment AFAIK no such system is active in current browsers. Therefore you don't have to think about this situation when updating your server certificate.

Robert
  • 8,055