    How to Renew an SSL Certificate: A Step-by-Step 2026 Guide

    How to renew an SSL certificate in 5 steps: generate a new CSR, submit to your CA, complete validation, and install the new cert. Updated for 199-day lifetimes.

    My-SSL Security Team · 12 min read · Published June 1, 2026

    An SSL certificate renewal is the process of obtaining a new certificate before your current one expires — keeping your site's HTTPS connection uninterrupted and your visitors' browsers from showing a security warning. Renewal is not the same as clicking "update" on a subscription; it requires generating a new Certificate Signing Request (CSR), submitting it to your Certificate Authority (CA), passing domain or organization validation again, downloading the new certificate, and installing it on your server.

    Renewal is more urgent in 2026

    Since March 15, 2026, all publicly-trusted SSL/TLS certificates are capped at 199 days' validity under CA/Browser Forum Ballot SC-081v3. Previously, certificates lasted up to 397 days. That means renewal is now required roughly twice as often — and the window for a missed renewal is half what it used to be. If you previously renewed once a year, your existing processes need updating.

    When to start the renewal process

    Starting early gives you a buffer to resolve validation issues, DNS propagation delays, or CA support delays without racing against an expiry deadline. The right lead time depends on your certificate type:

    | Certificate type | Typical issuance time | Start renewal at | For a 199-day cert |
    |---|---|---|---|
    | DV (Domain Validation) | Minutes | 30 days before expiry | Around day 169 |
    | OV (Organization Validation) | 1–3 business days | 45 days before expiry | Around day 154 |
    | EV (Extended Validation) | 3–7 business days | 45–60 days before expiry | Around day 139–154 |
    | Wildcard (DV or OV) | Minutes to 3 days | 30–45 days before expiry | Around day 154–169 |

    Set calendar reminders. With 199-day certificates, you will renew roughly every six months. Set a reminder 30 days before expiry at minimum — or better, use automated monitoring that alerts you at 30 and 14 days. Our free SSL Checker shows your certificate's exact expiry date.

    What you need before you start

    Gather these items before initiating renewal to avoid stopping mid-process:

    Access to generate a new CSR

    You can generate one using our free CSR Generator, your hosting control panel, or the OpenSSL command line.

    Your CA account login

    Log in to the CA or reseller account where you purchased the original certificate. This is where you submit the CSR and complete the renewal order.

    Server or panel access

    You will need to install the new certificate files on your server. For cPanel, Plesk, or DirectAdmin this is through the panel UI; for Apache, Nginx, or IIS it is through config files or GUI.

    Domain validation method ready

    For DV, you will need to pass domain control validation again (email, DNS TXT record, or file-based). For OV/EV, have your organization documents accessible for re-verification.

    The 5-step SSL certificate renewal process

    These steps apply to any commercially-issued SSL certificate — DV, OV, EV, wildcard, or multi-domain — from any CA.

    1. Generate a new CSR (and new private key)

    A CSR (Certificate Signing Request) is an encoded block of text containing your domain name, organization details, and the public key of a freshly generated key pair. Generating a new CSR produces a new private key, which is the recommended approach because it limits how long any single private key is in use.

    Generate the CSR through your hosting panel, our free CSR Generator, or OpenSSL:

    openssl req -newkey rsa:2048 -nodes \
      -keyout yourdomain.key \
      -out yourdomain.csr

    Store the generated .key file securely — you will need it to install the final certificate. See our full CSR generation guide for field-by-field instructions.

    2. Submit the CSR to your CA and place the renewal order

    Log in to your CA account (or reseller account) and start the renewal process for the existing order. You will be prompted to paste your new CSR. Double-check that the Common Name in the CSR matches the domain on the order. If you are adding SANs or switching certificate type (e.g., single-domain to wildcard), this is the point to make that change.

    Complete payment if applicable. Once the order is confirmed, the CA moves to the validation stage.

    3. Complete domain (and organization) validation

    Even on renewal, the CA must re-verify that you still control the domain. For DV certificates, choose one of:

    • DNS TXT record — add a CA-provided TXT record to your domain's DNS zone. Most flexible, works for wildcards.
    • File-based (HTTP-01) — upload a CA-provided file to a specific path on your web server.
    • Email — approve a verification email sent to a whois-listed or admin@ address. Note: email DCV is being phased out per CA/B Forum SC-090; confirm your CA still supports it.

    For OV and EV certificates, the CA also re-verifies your organization's legal existence and may contact you by phone or request updated documents. Plan for 1–7 business days.

    4. Download the new certificate bundle

    Once validation passes, the CA issues the new certificate. Download the certificate bundle from your account — it typically contains:

    • Your domain certificate (.crt or .pem)
    • Intermediate CA certificate(s) — the chain that connects your cert to a trusted root
    • Sometimes a combined bundle file with all intermediates appended

    Keep the private key you generated in Step 1 — it is not included in the download and you cannot retrieve it from the CA. You need it for installation.

    5. Install the new certificate on your server

    Install the new certificate and private key on every server or load balancer that handles HTTPS for the domain. Do not skip any servers — one stale certificate in a load-balanced pool causes intermittent browser errors.

    After installation, reload or restart the web service so it picks up the new certificate, then verify with an SSL checker that the new expiry date is visible.
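
    The checks from Steps 1, 2 and 4 can be scripted around the same OpenSSL commands. This is an added example, not part of the original guide: the function names, file names and example.test are placeholders, and the self-signed certificate in the demo is a constructed stand-in for the file a CA would return.

```bash
#!/usr/bin/env bash
# Added example; example.test and all file names are placeholders.

# Step 1: new private key + CSR, non-interactively, with the name as CN and SAN.
new_csr() {  # usage: new_csr <domain> <keyfile> <csrfile>
  ( umask 077   # key file is created readable by its owner only
    openssl req -newkey rsa:2048 -nodes -keyout "$2" -out "$3" \
      -subj "/CN=$1" -addext "subjectAltName=DNS:$1" 2>/dev/null )
}

# Step 2 check: the CSR must list exactly the name on the order as a SAN.
csr_names_domain() {  # usage: csr_names_domain <csrfile> <domain>
  openssl req -in "$1" -noout -text 2>/dev/null \
    | tr ',' '\n' | sed 's/^ *//' | grep -Fxq "DNS:$2"
}

# Print the public key (PEM) held in a key, CSR or certificate file.
pubkey_of() {  # usage: pubkey_of key|csr|cert <file>
  case "$1" in
    key)  openssl pkey -in "$2" -pubout ;;
    csr)  openssl req  -in "$2" -noout -pubkey ;;
    cert) openssl x509 -in "$2" -noout -pubkey ;;
  esac 2>/dev/null
}

# Steps 4-5 check: the stored key must pair with the CSR or issued certificate.
# An unreadable file yields an empty key and therefore never counts as a match.
key_matches() {  # usage: key_matches <keyfile> csr|cert <file>
  ( k=$(pubkey_of key "$1") && o=$(pubkey_of "$2" "$3") \
      && [ -n "$k" ] && [ "$k" = "$o" ] )
}

# Demo in a scratch directory. The self-signed certificate is a constructed
# stand-in for the file a CA would return for this CSR.
d=$(mktemp -d)
new_csr example.test "$d/new.key" "$d/new.csr"
csr_names_domain "$d/new.csr" example.test && echo "CSR names example.test"
openssl x509 -req -in "$d/new.csr" -signkey "$d/new.key" -days 199 \
  -out "$d/new.crt" 2>/dev/null
key_matches "$d/new.key" cert "$d/new.crt" && echo "key pairs with certificate"
rm -rf "$d"
```

    Running key_matches against the downloaded certificate before touching the server configuration catches the case where the certificate was issued for a different CSR than the key on disk.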

    Renewal vs reissue — what's the difference?

    These terms are often used interchangeably but they mean different things:

    | | Renewal | Reissue |
    |---|---|---|
    | What it is | Purchase of a new certificate term | New certificate for an existing active order |
    | Extends validity? | Yes — new validity period from date of issuance | No — same expiry date as the original order |
    | Requires payment? | Yes (or applies subscription credits) | No — included free during the active term |
    | Common reason | Certificate expiring soon | Lost private key, server migration, adding SANs |
    | New CSR required? | Yes (best practice) | Yes (mandatory — key is not stored by CA) |

    If your certificate has not expired and you simply need a new copy — because you changed server, lost the private key, or need to add a domain — use a reissue. If your certificate is expiring or expired, you need a renewal. After you renew and install, the original certificate can be revoked — see our Certificate Management guide for panel-based revocation steps.

    Platform-specific renewal notes

    The five-step process is the same everywhere; what differs is where you generate the CSR and where you paste the new certificate.

    cPanel

    Navigate to Security → SSL/TLS → Generate, View, Upload, or Delete SSL Certificates to get a new CSR. After the CA issues the cert, return to SSL/TLS → Install and Manage SSL to paste the new files. The AutoSSL feature handles free Let's Encrypt renewals automatically — manual renewal is only needed for commercial certs.

    Plesk

    Under Websites & Domains → SSL/TLS Certificates, use Add SSL/TLS Certificate to generate a new CSR. After CA issuance, return to the same screen and paste the certificate, CA bundle, and private key. Plesk's built-in Let's Encrypt extension auto-renews free certs.

    Nginx

    Generate the CSR with OpenSSL on the server. After CA issuance, overwrite the existing certificate and chain files referenced in your server block's ssl_certificate and ssl_certificate_key directives. Run nginx -t to validate config before reloading: sudo systemctl reload nginx.

    Apache

    Generate the CSR with OpenSSL. After CA issuance, update the SSLCertificateFile, SSLCertificateKeyFile, and SSLCACertificateFile (or SSLCertificateChainFile) directives in your VirtualHost block. Test with apachectl configtest, then sudo systemctl reload apache2.

    Automating SSL certificate renewal

    With 199-day certificates becoming the norm — and 100-day certificates arriving in March 2027, followed by 47-day certificates in 2029 — manual renewal is increasingly impractical. Automation removes the risk of a missed renewal causing an outage.

    ACME / Certbot (free certs)

    The ACME protocol (RFC 8555) automates the full cycle: CSR generation, domain validation, certificate download, and installation. Certbot, acme.sh, and Caddy all implement it. Works with free Let's Encrypt certificates and some commercial CAs that support ACME. Renewal runs on a cron/systemd timer.

    Expiry monitoring + reminders

    If you're not ready for full automation, at minimum set up expiry monitoring so you receive email alerts at 30 and 14 days before expiry. Many CAs send renewal reminders, but relying solely on CA emails is risky — spam filters block them. An independent monitoring tool is a safer backstop.

    Why expiration outages happen even when teams plan. The most common cause isn't forgetting — it's relying on a single point of awareness (one person's calendar, one CA email) that fails silently. See our deep dive on SSL certificate expiration outages for a systems-thinking approach to prevention.

    Post-renewal checklist

    After installing the new certificate, work through this checklist before considering the renewal complete:

    Verify the new expiry date with an SSL checker

    Confirm the date shown matches what the CA issued. Browsers cache old certificates briefly — test from a different network or use an online tool.

    Check every server in your fleet

    If you run multiple servers or a load balancer, confirm the new certificate is installed on all of them. A single server with the old cert will cause intermittent errors for users hitting that node.

    Verify the full certificate chain

    Confirm intermediate certificates are present. A missing intermediate causes "certificate not trusted" errors in some browsers and on mobile devices, even if the padlock shows for desktop Chrome.

    Test HTTPS from end to end

    Load your site in a private/incognito window with no cached state. Check that no browser warnings appear and that all pages load over HTTPS without mixed-content warnings.

    Update any pinned certificates

    If you use certificate pinning in a mobile app or HTTP client, update the pin before the old certificate expires. Failing to do so will break all connections from pinned clients the moment the old cert is revoked.

    Revoke the old certificate (optional but recommended)

    Once the new certificate is confirmed working, revoke the old one through your CA account. This removes it from the valid-certificate pool, protecting against any scenario where the old private key was compromised.

    Update your renewal calendar reminder

    Set a new reminder based on the new certificate's expiry date — not the old one. With 199-day certificates, your renewal rhythm is now roughly every 5–6 months.
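
    The 30- and 14-day alert points from the monitoring section and the "check every server in your fleet" item can share one script. This is an added example, not part of the original guide: the function names, state labels, node addresses and example.test are placeholders, and the demo certificate is constructed locally.

```bash
#!/usr/bin/env bash
# Added example. The 30- and 14-day thresholds come from the text; node
# addresses and names are placeholders.

# Print ok | warn-30 | warn-14 | expired | unreadable for a PEM certificate.
expiry_state() {  # usage: expiry_state <certfile>
  day=86400
  if ! openssl x509 -in "$1" -noout >/dev/null 2>&1; then echo unreadable
  elif ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null; then echo expired
  elif ! openssl x509 -in "$1" -noout -checkend $((14 * day)) >/dev/null; then echo warn-14
  elif ! openssl x509 -in "$1" -noout -checkend $((30 * day)) >/dev/null; then echo warn-30
  else echo ok; fi
}

# Save the leaf certificate one node serves for <sni> (needs network access).
fetch_cert() {  # usage: fetch_cert <address> <port> <sni> <outfile>
  openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
    | openssl x509 -out "$4" 2>/dev/null
}

# Query each pool member directly so a stale node is not hidden by the balancer.
# Returns 1 if any node is not in state "ok".
check_fleet() {  # usage: check_fleet <sni> <address:port>...
  sni=$1; shift; rc=0; tmp=$(mktemp)
  for node in "$@"; do
    fetch_cert "${node%:*}" "${node##*:}" "$sni" "$tmp" || : > "$tmp"
    state=$(expiry_state "$tmp")
    end=$(openssl x509 -in "$tmp" -noout -enddate 2>/dev/null)
    echo "$node $state ${end#notAfter=}"
    [ "$state" = ok ] || rc=1
  done
  rm -f "$tmp"; return "$rc"
}

# Offline demo on a constructed self-signed certificate valid for 20 days.
demo=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 20 -subj "/CN=example.test" \
  -keyout "$demo/k.pem" -out "$demo/c.pem" 2>/dev/null
echo "20-day certificate: $(expiry_state "$demo/c.pem")"
rm -rf "$demo"
```

    Run from cron or a systemd timer, a non-zero exit from check_fleet is the signal to alert on; a node that cannot be reached is reported as unreadable rather than silently skipped.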
