Question
Do any web browsers cache SSL server certificates? For example, if I change the SSL certificate on a web server, will all of the web browsers pick up the new certificate when they connect via SSL, or is it possible that they could have a stale certificate?
I’m thinking of the scenario when an SSL certificate expires and is replaced by a new one on the web server.
Answer
No. See the IBM SSL overview:
The SSL client sends a “client hello” message that lists cryptographic information such as the SSL version and, in the client’s order of preference, the CipherSuites supported by the client. The message also contains a random byte string that is used in subsequent computations. The SSL protocol allows for the “client hello” to include the data compression methods supported by the client, but current SSL implementations do not usually include this provision.
The SSL server responds with a “server hello” message that contains the CipherSuite chosen by the server from the list provided by the SSL client, the session ID and another random byte string. The SSL server also sends its digital certificate. If the server requires a digital certificate for client authentication, the server sends a “client certificate request” that includes a list of the types of certificates supported and the Distinguished Names of acceptable Certification Authorities (CAs).
The SSL client verifies the digital signature on the SSL server’s digital certificate and checks that the CipherSuite chosen by the server is acceptable.
…
Microsoft’s summary is similar. The TLS handshake is also similar in this regard.
In step 2 there doesn’t appear to be a way for the client to say “don’t bother sending a server certificate, I’ll use my cache”.
Note that there are several types of certificates, client, server and CA. Some of these are cached.
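A local check of the point made above, added here as an example that is not part of the original answer: a TLS server is started with one self-signed certificate, a client completes a handshake and records the certificate it was sent, the server is switched to a second certificate, and a fresh client handshake records what is sent the second time. Each client uses a new `SSLContext`, so there is no session resumption in play, and the certificates are generated with the `openssl` command-line tool, which is assumed to be installed.

```python
import os
import socket
import ssl
import subprocess
import tempfile
import threading


def make_self_signed(directory, name, cn):
    """Generate a throwaway self-signed cert/key pair with the openssl CLI (assumed present)."""
    key = os.path.join(directory, f"{name}.key")
    crt = os.path.join(directory, f"{name}.crt")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-subj", f"/CN={cn}", "-keyout", key, "-out", crt],
                   check=True, capture_output=True)
    with open(crt) as f:
        der = ssl.PEM_cert_to_DER_cert(f.read())
    return crt, key, der


def serve_one_handshake(listener, certfile, keyfile):
    """Accept one connection, run a TLS handshake presenting certfile, then let the client close."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)
    conn, _ = listener.accept()
    try:
        with ctx.wrap_socket(conn, server_side=True) as tls:
            tls.recv(1)  # returns b"" once the client closes
    except (ssl.SSLError, OSError):
        pass  # client may already be gone; the handshake itself has completed


def fetch_presented_cert(port):
    """Full handshake from a brand-new client context; return the DER cert the server sent."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # self-signed test certs; we only want to see what was sent
    with socket.create_connection(("127.0.0.1", port)) as raw, ctx.wrap_socket(raw) as tls:
        return tls.getpeercert(binary_form=True)


def rotation_is_seen():
    """Handshake against the old cert, swap in the new one, handshake again; report what each saw."""
    with tempfile.TemporaryDirectory() as d:
        old_crt, old_key, old_der = make_self_signed(d, "old", "old.example.test")
        new_crt, new_key, new_der = make_self_signed(d, "new", "new.example.test")
        listener = socket.socket()
        listener.bind(("127.0.0.1", 0))  # ephemeral local port
        listener.listen(2)
        port = listener.getsockname()[1]
        seen = []
        for crt, key in ((old_crt, old_key), (new_crt, new_key)):
            t = threading.Thread(target=serve_one_handshake, args=(listener, crt, key))
            t.start()
            seen.append(fetch_presented_cert(port))
            t.join()
        listener.close()
        return seen[0] == old_der, seen[1] == new_der
```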