Commercial SSL Certificate Renewal

Master the renewal of your paid SSL certificates.

Commercial SSL certificate renewal is a critical operation that requires rigorous planning. Unlike free certificates like Let's Encrypt, paid certificates often involve more complex validation processes.

An expired certificate causes immediate service interruption with scary security warnings for your visitors. The loss of trust and business can be considerable.

This guide walks you through all renewal steps, from timing to new certificate installation.

Understanding Renewal

Commercial certificate renewal follows a precise process:

  • Anticipation: start the process 30 to 60 days before expiration to have time for unforeseen issues.
  • Revalidation: depending on certificate type (DV, OV, EV), you'll need to prove domain ownership or organization existence again.
  • New CSR: generate a new CSR with a fresh private key for optimal security.
  • Installation: replace the old certificate with the new one and verify the complete chain.

Benefits of Early Renewal

Why you should not wait until the last minute:

  • Zero interruption: by anticipating, you have time to resolve issues without production impact.
  • Easier validation: CAs sometimes have processing delays, especially for OV/EV certificates.
  • Staging testing: you can test the new certificate before deploying to production.
  • Available support: if there's an issue, you have time to contact the provider's support.

Renewal Steps

Follow this process for successful renewal:

  1. Check expiration: identify the exact expiration date with MoniTao or openssl s_client.
  2. Generate new CSR: create a new key pair and generate the corresponding CSR.
  3. Submit renewal: use your provider's portal to submit the CSR and pay for renewal.
  4. Complete validation: perform required validation steps (email, DNS, HTTP file).

Useful Commands

Check and generate necessary elements:

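# Check current expiration date
# (-servername sends SNI so the right certificate is returned; </dev/null ends the session after the handshake)
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -dates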

# Generate new private key
openssl genrsa -out private.key 2048

# Generate CSR
openssl req -new -key private.key -out domain.csr

# Verify CSR
openssl req -text -noout -verify -in domain.csr

These commands help you prepare the renewal and verify the generated key and CSR.
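Before installing the renewed certificate, it is worth confirming that it matches the new private key, that the old key pair was not reused, and that it is not itself about to expire. The script below is an added example, not part of the original guide or of MoniTao; the function names, file names and the self-signed demo certificates (constructed stand-ins for CA-issued ones) are assumptions.

```shell
#!/bin/sh
# Added example: checks to run on a renewed certificate before installing it.
# All file names are assumptions; the demo certificates are constructed
# self-signed stand-ins for CA-issued ones.

# Print the SHA-256 of the public key inside a key, CSR or certificate.
pubkey_hash() {  # usage: pubkey_hash key|csr|cert FILE
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr)  pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    pem= ;;
    esac
    [ -n "$pem" ] || return 1   # unreadable input must never count as a match
    printf '%s\n' "$pem" | openssl sha256 | awk '{print $NF}'
}

# Succeed when both files carry the same public key.
same_key() {  # usage: same_key KIND_A FILE_A KIND_B FILE_B
    a=$(pubkey_hash "$1" "$2") || return 2
    b=$(pubkey_hash "$3" "$4") || return 2
    [ "$a" = "$b" ]
}

# Succeed when CERT expires within DAYS days (an unreadable file also counts as due).
expires_within() {  # usage: expires_within CERT DAYS
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Pre-install gate: prints the first failed check, or OK.
check_renewal() {  # usage: check_renewal OLD_CERT NEW_KEY NEW_CERT
    same_key key "$2" cert "$3" || { echo "FAIL: certificate does not match new key"; return 1; }
    same_key cert "$1" cert "$3" && { echo "FAIL: old key pair was reused"; return 1; }
    expires_within "$3" 60 && { echo "FAIL: new certificate expires within 60 days"; return 1; }
    echo "OK"
}

# Constructed demo data: old pair (20 days left) and renewed pair (365 days).
make_demo() {  # usage: make_demo DIR
    for n in old:20 new:365; do
        openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=example.com" \
            -days "${n#*:}" -keyout "$1/${n%%:*}.key" -out "$1/${n%%:*}.crt" 2>/dev/null
    done
}

d=$(mktemp -d) && make_demo "$d"
check_renewal "$d/old.crt" "$d/new.key" "$d/new.crt"            # renewed cert with its fresh key
check_renewal "$d/old.crt" "$d/old.key" "$d/new.crt" || true    # old key left in place by mistake
rm -rf "$d"
```

The same `same_key` comparison works with `csr` as the kind, so the CSR submitted to the CA can be checked against the key kept on the server.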

Best Practices

Tips for optimal renewal:

  • Automate reminders: use MoniTao to receive alerts 60, 30 and 14 days before expiration.
  • Document the process: keep a checklist of steps specific to your infrastructure.
  • Keep old certificates: archive old certificates in case a rollback is needed.
  • Test after installation: verify the complete chain with SSL Labs after each renewal.

Renewal Checklist

  • Expiration date verified
  • New CSR generated
  • Renewal ordered and paid
  • Validation completed
  • New certificate installed
  • Chain and configuration tested

Frequently Asked Questions

How long before expiration should I renew?

Ideally 30 to 60 days before for commercial certificates. This leaves time for validation and unforeseen issues.

Can I use the same CSR?

Technically yes, but generating a new key pair is recommended for security.

What happens if my certificate expires?

Browsers will display a scary security warning and many visitors will leave your site.

Is EV validation longer?

Yes, EV validation can take 1 to 5 business days as it involves thorough organization verification.

Can MoniTao alert me before expiration?

Yes, MoniTao monitors your certificates and automatically alerts you at D-30, D-14 and D-7 before expiration.

Do I need to reinstall intermediates?

Yes, always download the current intermediate bundle from your CA during renewal.

Anticipate Your Renewals

Commercial SSL certificate renewal should never be a last-minute emergency. Adequate planning ensures zero service interruption.

With MoniTao, automate certificate monitoring and never miss a renewal deadline again.
