PKI Best practices for updating SSL certificates

What are the best practices for updating client-side SSL certificates without user interaction?

To be more specific:

I have a server with SSL private key/public x.509 certif开发者_运维知识库icate. All clients will communicate with this server through SSL. In order to establish SSL connection all clients need to import the server's public certificate to their trusted locations (truststore).

Getting the server's certificate at (client) install time is not a problem because the installer can contact the server (by SSL) and get the server's public key (or the company's Root Certificate). After that the installer can show the certificate to the user for visual validation and this is secure enough.

What will happen after the server certificate (or the company CA) expires?

Or what will happen if the server certificate is accidentally changed?

What are the best practices to (automatically) update all clients with the new server SSL certificate (CA)? Having in mind that after installation the clients are background processes and the is not visual user interaction possible.

Of course the easiest way is to manually update all clients by the infrastructure administrator.

I'm wondering if there are some known good practices to automatically update the client's certificates without user intervention?

Ideally, your server certificates should be issued and signed by a trusted root CA certificate with a long lifetime (10 to 20 years). Just the root CA certificate would be installed on the client end.

The server certificate itself, even if you update it every year, would not need to be propogated to clients since the root signed it and is trusted.

If you're using self-signed certificates, this is why they are generally frowned upon from a certificate management perspective. When they expire or change, you need everyone to update - otherwise you'll get browser security warnings.