How to Renew an SSL Certificate Before It Expires (2026 Guide)
SSL certificates don't last forever. As of 2024, the maximum validity period for a publicly trusted SSL certificate is 398 days — just over 13 months. Miss the renewal window and your site goes from a reassuring padlock to a full-page browser warning blocking every visitor. Not great for business, and definitely not great for your morning.
Free SSL Checker
Check how many days are left on your current certificate before renewing.
Try It Free →2 Submit the CSR to Your CA
Log in to your CA's dashboard (Sectigo, DigiCert, Namecheap, etc.) and find the renewal option for your certificate. Paste the contents of your .csr file when prompted. Complete domain validation — for DV certificates this is usually a DNS TXT record or a quick email link.
3 Download and Install the New Certificate
Once issued, download the certificate bundle. Then replace the old certificate files on your server:
Option B: Renew a Let's Encrypt Certificate (Certbot)
Let's Encrypt certificates are valid for 90 days and are designed to be renewed automatically. If you installed with Certbot, the renewal cron job should already be set up. You can verify and manually trigger it:
1 Check the Auto-Renewal Timer
If the timer is active, Certbot runs twice daily and renews any certificate within 30 days of expiry automatically. You shouldn't need to do anything.
2 Force a Manual Renewal
If you want to renew now regardless of expiry date, or if auto-renewal failed:
3 Renew a Specific Domain Only
Option C: Renew via cPanel
For shared hosting, log in to cPanel and navigate to Security → SSL/TLS → Manage SSL sites. If your host uses AutoSSL (Let's Encrypt), click Run AutoSSL to trigger an immediate renewal check. For a paid certificate, generate a new CSR under SSL/TLS → Certificate Signing Requests, submit it to your CA, and then install the new certificate files using the same SSL/TLS manager interface.
After Renewal: Verify Everything
Don't assume it worked. After the reload, run your domain through the SSL Checker again and confirm the new expiry date is showing correctly. Also check that the certificate chain is complete — a renewed certificate from a different CA or with a different intermediate can sometimes break the chain without triggering an obvious error.
Common Renewal Mistakes
- Replacing the certificate but forgetting the chain file. Your site will work in most browsers but will show errors on older Android devices and some corporate proxies that don't have the intermediate CA in their trust store.
- Using the old private key with a new certificate from a different key size. If you renewed from RSA 2048 to RSA 4096 (or switched to ECC), you must update both the certificate and the key on the server.
- Not reloading the web server. The server continues serving the old certificate from memory until you reload or restart it.
apachectl configtestpassing doesn't mean the new cert is live yet. - Renewing too early and expecting the new validity window to extend from the renewal date. Most CAs start the new validity period from the time of issuance, not from the old certificate's expiry date. Renewing 60 days early means losing ~60 days of validity on the new cert.
FAQs
- Does SSL renewal cause any downtime?
No. You install the new certificate files while the old one is still valid and then do a graceful reload of your web server. There's no interruption to live traffic. - Do I need to change my DNS settings when renewing?
Not unless your CA requires DNS-based validation for the new certificate. If you already validated by DNS TXT record last time, you may need to add a new TXT record with a new value. - My certificate renewed but the old expiry date is still showing in the browser. Why?
Browsers cache TLS sessions. Try clearing the browser cache, or test from a private/incognito window — or use the SSL Checker which always fetches fresh from the server. - Can I switch to a different CA when renewing?
Yes. Generate a new CSR, submit to the new CA, and install the new certificate. Just make sure you have the new CA's chain file — the certificate format is standardized, but the chain files differ between CAs.
Renewing SSL Certificates on Windows Server
On Windows Server with IIS, certificate renewal depends on how the original certificate was obtained: Certbot for Windows, a commercial CA renewal, or Windows Server Certificate Manager (for internal PKI).
Option A: Certbot for Windows (Let's Encrypt)
Certbot has a Windows installer available at certbot.eff.org. After installation, renew from an elevated Command Prompt:
C:\Certbot\renewal-hooks\deploy\reload-iis.bat:Option B: Commercial CA Renewal via PFX Import
For certificates from DigiCert, Sectigo, or similar CAs, renewal gives you a new certificate file. Import it and rebind it in IIS:
certlm.msc → Personal → Certificates, right-click the old cert, and delete it.
Renewing SSL Certificates on macOS
Let's Encrypt with Certbot (Homebrew)
Automated Renewal via launchd
Create a launchd plist to auto-renew twice daily (the standard recommended frequency):
Check your certificate's expiry date
Find out exactly how many days you have left before renewal is urgent — and check the full certificate chain at the same time.