SSL (and its successor, TLS) encrypts the connection between your web server and those accessing your website. This way, if your connection is intercepted by a bad actor, they won’t be able to view or modify any data transferred between the two computers.
SSL/TLS protection is expected from all websites today, so much so that many web hosting services include a basic SSL certificate for free with the purchase of a plan. You can also easily purchase and install an SSL certificate yourself, or acquire one for free.
However, cybersecurity is never a one-and-done process — it’s a persistent effort to harden your website and protect your users. As such, SSL certificates don’t last forever. After a certain period, you’ll have to install a new one to maintain the same protection. In this post, we’ll show you how to do so yourself.
Why do I need to renew my SSL certificate?
Most SSL certificates expire after one to two years, depending on the type of certificate you’re using and your certificate authority (CA), the organization that issued your SSL certificate. A notable exception to this is the popular CA Let’s Encrypt, whose certificates expire after 90 days.
When your SSL certificate expires, it’s out of commission — you can’t “extend” it. Instead, you’ll need to replace it with a new SSL certificate, also called a “renewal” SSL certificate. There are two main reasons why SSL certificates must be replaced at least every two years:
- A new certificate ensures that the encryption used is up to the latest security standards.
- It’s more difficult for hackers to compromise a key if it’s continually replaced.
Beyond these practical reasons, there’s another big incentive to update your SSL encryption: Your visitors will know if your website uses an expired SSL certificate. When they try to load your site, they might see a warning like this:
If you want visitors to head somewhere else, this is a great way to do it. Otherwise, make sure that you renew your SSL certificate when you can — it keeps your site protected and your visitors happy.
How to Renew an SSL Certificate
- Set reminders for SSL expiration.
- Generate a Certificate Signing Request.
- Purchase and activate your new SSL certificate.
- Complete domain control validation.
- Install your new SSL certificate.
First things first: If your CA, hosting provider, or website builder offers automatic updates for your SSL certificate, let it handle this process for you. It’s one less thing for you to worry about, and it eliminates the chance of your certificate expiring on your live site. For CMS Hub users, your SSL certificate will be automatically renewed 30 days before it expires.
If automatic renewals aren’t available to you, or if you’d prefer to complete the process manually, it’s easy to replace your SSL certificate when the time comes.
The exact steps will depend on your SSL certificate provider, so consult your provider’s documentation for SSL and contact support if needed. However, the process across providers is similar. Below, we’ll explain the general steps to keep your SSL certificate up to date. It doesn’t matter if your SSL certificate is still valid or if it has already expired — the process is the same.
1. Set reminders for SSL expiration.
Most certificate providers can send email alerts reminding you when your certificate is soon to expire. These emails link directly to the page where you can purchase a renewal certificate.
Before you need to update your certificate, enable these email alerts, and complete the renewal process when you start seeing them in your inbox. Avoid putting off your renewal, as requests for more expensive certificates may take a week or more to approve and leave you temporarily without SSL protection.
2. Generate a Certificate Signing Request.
A Certificate Signing Request (CSR) is a unique, encrypted block of text containing information about your site that the CA needs to issue a new SSL certificate. It includes your domain name, your organization name, and geographic information. Your CSR will look something like this:
You must generate a new CSR to renew your SSL certificate — an old CSR won’t work. Depending on your host, you may be able to generate your CSR with your hosting administrator panel. Try looking under your Security menu for an SSL/TLS option. Here, you may see a prompt to generate a CSR.
If you do not have access to this option, reach out to your hosting provider for a CSR.
3. Purchase and activate your new SSL certificate.
With your CSR generated, you can now purchase a new SSL certificate from your CA or another provider of choice. Follow the prompts and supply all the requested information, including the CSR you acquired in the previous step.
4. Complete domain control validation.
Activating your SSL certificate doesn’t protect your site just yet. There’s another validation step before your new certificate can take effect.
Domain control validation (DCV) is one more protective measure taken by your CA to ensure that you are who you say you are, and that you own the domain you’re requesting protection for.
Your CA will offer multiple ways to confirm your identity, but most will offer an option to validate via email. With this method, you’ll receive an email at the address linked to your website. Follow the instructions in the email to complete DCV.
Note that owners of organization validated certificates and extended validated certificates will need to submit additional documents to complete validation.
5. Install your new SSL certificate.
Once your DCV is complete, you’ll receive your SSL certificate files. Based on your certificate type, validation could take anywhere from an hour to several weeks — plan your renewal accordingly.
If you’re requesting a new certificate from your host, your certificate should be added to your site automatically. If not, refer to your server’s documentation for uploading and placing your SSL certificate on your server. Then, check all of your pages for “https” in the URL and the padlock icon in the browser bar.
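Steps 1, 2 and 5 above on the openssl command line, as an added example that is not from the original article: it creates a new key and CSR, confirms that an issued certificate matches that key, and tests how close a certificate is to expiry. The domain example.com, the subject fields, the file names and the self-signed stand-in for the CA's reply are assumptions made for the demonstration.

```bash
#!/bin/sh
# Added example (not from the original article). example.com, the subject
# fields and the file names are placeholders.
set -eu

# Step 2: create a fresh private key and a new CSR for the renewal.
make_csr() {  # usage: make_csr <dir> <domain>
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$1/renewal.key" -out "$1/renewal.csr" \
    -subj "/C=US/ST=Massachusetts/O=Example Org/CN=$2" 2>/dev/null
  chmod 600 "$1/renewal.key"   # the key stays on the server; only the CSR goes to the CA
}

# The identity fields the CA reads from the CSR.
csr_subject() { openssl req -in "$1" -noout -subject -nameopt RFC2253; }

# SHA-256 over the public key held in a key, CSR or certificate file.
pubkey_hash() {  # usage: pubkey_hash key|csr|cert <file>
  case "$1" in
    key)  openssl pkey -in "$2" -pubout ;;
    csr)  openssl req  -in "$2" -noout -pubkey ;;
    cert) openssl x509 -in "$2" -noout -pubkey ;;
  esac | openssl sha256
}

# Step 5: the issued certificate must carry the same public key as the new key.
cert_matches_key() { [ "$(pubkey_hash cert "$1")" = "$(pubkey_hash key "$2")" ]; }

# Step 1: succeeds when the certificate expires within <days> days.
expires_within() {  # usage: expires_within <cert> <days>
  ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Constructed stand-in for the CA's reply: self-sign the CSR for 90 days.
fake_issue() {  # usage: fake_issue <dir>
  openssl x509 -req -in "$1/renewal.csr" -signkey "$1/renewal.key" \
    -days 90 -out "$1/renewal.crt" 2>/dev/null
}

demo() {
  d=$(mktemp -d)
  make_csr "$d" example.com; fake_issue "$d"
  csr_subject "$d/renewal.csr"
  cert_matches_key "$d/renewal.crt" "$d/renewal.key" && echo "certificate matches key"
  expires_within "$d/renewal.crt" 30 || echo "more than 30 days left"
  expires_within "$d/renewal.crt" 120 && echo "renew now: expires within 120 days"
  rm -rf "$d"
}
demo
```

Run `expires_within` from a scheduled job against the certificate file your server actually uses, so the reminder does not depend on email alone.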
Security updates are annoying. Do them anyway.
SSL encryption renewal is one of those tasks that appears every one or two years and can easily slip through the cracks if you’re not paying attention.
That’s why it’s best to enable automatic renewals if you can. If not, at least opt into email notifications and replace your certificate as soon as possible. When it’s time, the process shouldn’t take long, and is more than worth it for the industry-standard protection you receive.