How to Renew an SSL Certificate
Renewing an SSL/TLS certificate means obtaining a fresh certificate before the current one expires and installing it on your server. Certificates are valid for a fixed period — 90 days for Let's Encrypt, up to about a year for many commercial CAs — so renewal is a recurring task, not a one-time setup. The goal is simple: never let a certificate lapse, because an expired one takes the site offline for everyone.
When to renew
Renew before expiry, not on the day. A widely used rule is to renew about 30 days out, which leaves a buffer if something fails. Automated tools like Certbot renew even earlier — typically when a certificate has 30 days left — and simply do nothing if it is not yet time.
How to renew: automated (recommended)
The modern default is automatic renewal over the ACME protocol (RFC 8555), used by Let's Encrypt and other free CAs. A client such as Certbot proves you still control the domain, fetches a new certificate, and reloads the server — unattended.
# renew everything that is close to expiry
sudo certbot renew
# test what renewal would do, without changing anything
sudo certbot renew --dry-run
Certbot installs a scheduled timer that runs this for you, so in practice a correctly set-up server renews itself. Your job is to confirm the timer is active and that a reload hook restarts the web server after renewal.
How to renew: manual / commercial CA
For a paid certificate the steps are:
- Generate a new CSR (Certificate Signing Request) and private key on your server.
- Submit the CSR to your CA and complete domain validation.
- Download the issued certificate together with its intermediate bundle.
- Install the certificate and full chain, then reload the web server.
Always install the intermediates too, or you will trade an expired certificate for a broken chain.
Verify the renewal worked
# confirm the new expiry date
openssl s_client -connect example.com:443 -servername example.com | openssl x509 -noout -dates
Or run the domain through the free SSL certificate checker to confirm the new expiry, a complete chain, and that the hostname still matches.
Common renewal mistakes
- Renewing but not reloading. A new certificate on disk does nothing until the web server is reloaded to pick it up.
- Auto-renewal silently broken. A changed web root or firewall rule can make ACME validation fail for months without anyone noticing — until expiry. This is exactly what SSL certificate monitoring catches.
- Dropping the intermediates. Installing only the leaf certificate leaves an incomplete chain that fails for some clients.
Related SSL guides
Renewal is part of a certificate's lifecycle: keep an eye on expiry with monitoring, understand the chain you must install, and know how to diagnose an invalid certificate if renewal goes wrong.
Frequently asked questions
How often do I need to renew an SSL certificate?
It depends on the certificate's lifetime — every 90 days for Let's Encrypt, up to roughly a year for many commercial certificates. Automating renewal removes the need to track it by hand.
Does renewing change my private key?
It can. A straight renewal may reuse the key, while a reissue generates a new one. Regenerating the key on renewal is good hygiene and is the default for many ACME setups.
What happens if my certificate expires?
Browsers block the site with a security warning and most visitors leave immediately. There is no grace period — renew before the expiry date to avoid downtime.