← Back to Blog
tutorial

How to Renew an SSL Certificate Before It Expires (2026 Guide)

SSL certificates don't last forever. As of 2024, the maximum validity period for a publicly trusted SSL certificate is 398 days — just over 13 months. Miss the renewal window and your site goes from a reassuring padlock to a full-page browser warning blocking every visitor. Not great for business, and definitely not great for your morning.

🔒

Free SSL Checker

Check how many days are left on your current certificate before renewing.

Try It Free →

2 Submit the CSR to Your CA

Log in to your CA's dashboard (Sectigo, DigiCert, Namecheap, etc.) and find the renewal option for your certificate. Paste the contents of your .csr file when prompted. Complete domain validation — for DV certificates this is usually a DNS TXT record or a quick email link.

3 Download and Install the New Certificate

Once issued, download the certificate bundle. Then replace the old certificate files on your server:

# Back up the old certificate first sudo cp /etc/ssl/certs/yourdomain.crt /etc/ssl/certs/yourdomain.crt.bak # Copy in the new certificate and chain sudo cp new_yourdomain.crt /etc/ssl/certs/yourdomain.crt sudo cp new_yourdomain.ca-bundle /etc/ssl/certs/yourdomain.ca-bundle # Replace the private key only if you generated a new one sudo cp yourdomain.key /etc/ssl/private/yourdomain.key # Test config and reload sudo apachectl configtest && sudo systemctl reload apache2 # OR for Nginx: sudo nginx -t && sudo systemctl reload nginx

Option B: Renew a Let's Encrypt Certificate (Certbot)

Let's Encrypt certificates are valid for 90 days and are designed to be renewed automatically. If you installed with Certbot, the renewal cron job should already be set up. You can verify and manually trigger it:

1 Check the Auto-Renewal Timer

# Check if the systemd timer is active sudo systemctl status certbot.timer # Or check the cron entry sudo crontab -l | grep certbot

If the timer is active, Certbot runs twice daily and renews any certificate within 30 days of expiry automatically. You shouldn't need to do anything.

2 Force a Manual Renewal

If you want to renew now regardless of expiry date, or if auto-renewal failed:

# Dry run first (tests renewal without making changes) sudo certbot renew --dry-run # If dry run passes, force renew all certificates sudo certbot renew --force-renewal # Reload the web server after renewal sudo systemctl reload apache2 # or nginx

3 Renew a Specific Domain Only

# List all managed certificates sudo certbot certificates # Renew just one domain sudo certbot renew --cert-name yourdomain.com

Option C: Renew via cPanel

For shared hosting, log in to cPanel and navigate to Security → SSL/TLS → Manage SSL sites. If your host uses AutoSSL (Let's Encrypt), click Run AutoSSL to trigger an immediate renewal check. For a paid certificate, generate a new CSR under SSL/TLS → Certificate Signing Requests, submit it to your CA, and then install the new certificate files using the same SSL/TLS manager interface.

After Renewal: Verify Everything

Don't assume it worked. After the reload, run your domain through the SSL Checker again and confirm the new expiry date is showing correctly. Also check that the certificate chain is complete — a renewed certificate from a different CA or with a different intermediate can sometimes break the chain without triggering an obvious error.

Set a reminder now. Before you close this tab, set a calendar alert for 30 days before the new expiry date. Certificate renewal is one of those tasks that's easy until you forget it.

Common Renewal Mistakes

  • Replacing the certificate but forgetting the chain file. Your site will work in most browsers but will show errors on older Android devices and some corporate proxies that don't have the intermediate CA in their trust store.
  • Using the old private key with a new certificate from a different key size. If you renewed from RSA 2048 to RSA 4096 (or switched to ECC), you must update both the certificate and the key on the server.
  • Not reloading the web server. The server continues serving the old certificate from memory until you reload or restart it. apachectl configtest passing doesn't mean the new cert is live yet.
  • Renewing too early and expecting the new validity window to extend from the renewal date. Most CAs start the new validity period from the time of issuance, not from the old certificate's expiry date. Renewing 60 days early means losing ~60 days of validity on the new cert.

FAQs

  • Does SSL renewal cause any downtime?
    No. You install the new certificate files while the old one is still valid and then do a graceful reload of your web server. There's no interruption to live traffic.
  • Do I need to change my DNS settings when renewing?
    Not unless your CA requires DNS-based validation for the new certificate. If you already validated by DNS TXT record last time, you may need to add a new TXT record with a new value.
  • My certificate renewed but the old expiry date is still showing in the browser. Why?
    Browsers cache TLS sessions. Try clearing the browser cache, or test from a private/incognito window — or use the SSL Checker which always fetches fresh from the server.
  • Can I switch to a different CA when renewing?
    Yes. Generate a new CSR, submit to the new CA, and install the new certificate. Just make sure you have the new CA's chain file — the certificate format is standardized, but the chain files differ between CAs.

Renewing SSL Certificates on Windows Server

Windows Server IIS

On Windows Server with IIS, certificate renewal depends on how the original certificate was obtained: Certbot for Windows, a commercial CA renewal, or Windows Server Certificate Manager (for internal PKI).

Option A: Certbot for Windows (Let's Encrypt)

Certbot has a Windows installer available at certbot.eff.org. After installation, renew from an elevated Command Prompt:

:: Check what certificates are installed certbot certificates :: Renew all certificates due for renewal certbot renew :: Renew a specific certificate (by domain) certbot renew --cert-name yourdomain.com :: Test renewal without making changes certbot renew --dry-run
Certbot on Windows does not auto-reload IIS after renewal. Set up a scheduled task or add a post-renewal hook to restart the W3SVC service. Create a file at C:\Certbot\renewal-hooks\deploy\reload-iis.bat:
@echo off :: Post-renewal hook: reload IIS after certificate update net stop W3SVC net start W3SVC

Option B: Commercial CA Renewal via PFX Import

For certificates from DigiCert, Sectigo, or similar CAs, renewal gives you a new certificate file. Import it and rebind it in IIS:

# Import new PFX from your CA (run in elevated PowerShell) $password = ConvertTo-SecureString "yourExportPassword" -AsPlainText -Force $cert = Import-PfxCertificate ` -FilePath "C:\inetpub\ssl\yourdomain-renewed.pfx" ` -CertStoreLocation Cert:\LocalMachine\My ` -Password $password Write-Host "New certificate thumbprint: $($cert.Thumbprint)" Write-Host "Expires: $($cert.NotAfter)" # Update IIS binding to use the new certificate Import-Module WebAdministration $binding = Get-WebBinding -Name "Default Web Site" -Protocol https -Port 443 $binding.AddSslCertificate($cert.Thumbprint, "My") # Verify the binding is updated Get-WebBinding -Name "Default Web Site" | Format-List
Remove the old certificate after renewal: Once you confirm the new cert is working, remove the expired one from the Windows Certificate Store: open certlm.msc → Personal → Certificates, right-click the old cert, and delete it.

Renewing SSL Certificates on macOS

macOS Homebrew

Let's Encrypt with Certbot (Homebrew)

# Install Certbot via Homebrew brew install certbot # Renew all due certificates sudo certbot renew # Renew a specific certificate sudo certbot renew --cert-name yourdomain.com # After renewal, reload Homebrew Apache or Nginx: brew services restart httpd # Apache brew services restart nginx # Nginx

Automated Renewal via launchd

Create a launchd plist to auto-renew twice daily (the standard recommended frequency):

sudo tee /Library/LaunchDaemons/com.certbot.renew.plist <<'EOF' <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>Label</key> <string>com.certbot.renew</string> <key>ProgramArguments</key> <array> <string>/opt/homebrew/bin/certbot</string> <string>renew</string> <string>--quiet</string> </array> <key>StartCalendarInterval</key> <array> <dict><key>Hour</key><integer>0</integer><key>Minute</key><integer>0</integer></dict> <dict><key>Hour</key><integer>12</integer><key>Minute</key><integer>0</integer></dict> </array> </dict> </plist> EOF sudo launchctl load /Library/LaunchDaemons/com.certbot.renew.plist

Check your certificate's expiry date

Find out exactly how many days you have left before renewal is urgent — and check the full certificate chain at the same time.