Does renewing SSL certificate require re-issuing the cert?


Solution 1

It's not possible to extend the expiration of an existing certificate once issued. The only way is to issue a new certificate.

Most certificate authorities offer a "renewal" concept, which provides some advantages compared to a new purchase. For example, you can renew in advance of the certificate expiration, and they will issue the new certificate from the expiration of the previous one, and not from the day the new one is issued.

The re-issue or re-key is a different thing. It generally means re-keying an existing certificate order with a different private key and/or CSR. It generally doesn't change the expiration of the certificate, hence it's not a renewal. Both renewals and rekeys result in a new certificate (again, it's not possible to change an existing certificate once issued), but the rekey only alters the certificate information and not the expiration.

A renewal can be issued with the same original CSR and key, or with a completely new one. It's up to you.

As in all cases a new certificate is issued, you will have to replace the existing one. Replacing a certificate is generally a no-downtime task. You simply upload the new one, change the server settings and reload them (or restart the server).

Most web servers, including Nginx, support hot reloads, therefore you don't need to restart the server and wait for it to reboot.

If planned correctly, the renewal will be a no-downtime task.
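The replace-and-reload step described in Solution 1, as an added example that is not part of the original answer: it checks that the new certificate matches its private key and is valid long enough to be a renewal rather than a re-key, then swaps the files and hot-reloads nginx, rolling back if the config test fails. The function names, file paths and the `NGINX` override variable are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the answer. Paths, function names and the NGINX
# override variable are assumptions for illustration.
NGINX=${NGINX:-nginx}

# True only if the certificate's public key equals the private key's public half.
cert_matches_key() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True if the certificate is still valid $2 days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# swap_cert NEW_CERT NEW_KEY LIVE_CERT LIVE_KEY [MIN_DAYS]
swap_cert() {
    local new_cert="$1" new_key="$2" live_cert="$3" live_key="$4" min_days="${5:-90}"
    cert_matches_key "$new_cert" "$new_key" || { echo "cert/key mismatch" >&2; return 1; }
    # A re-keyed certificate keeps the old expiry, so it fails this check when
    # the old one is close to expiring; a renewed certificate passes.
    valid_for_days "$new_cert" "$min_days" || { echo "expires within $min_days days" >&2; return 1; }
    cp -p "$live_cert" "$live_cert.bak" && cp -p "$live_key" "$live_key.bak" || return 1
    cp "$new_cert" "$live_cert" && cp "$new_key" "$live_key" || return 1
    if "$NGINX" -t; then
        "$NGINX" -s reload    # hot reload: no restart, existing connections finish normally
    else
        # Config test failed: restore the previous pair. The running server
        # still holds the old certificate in memory and was never reloaded.
        mv "$live_cert.bak" "$live_cert"; mv "$live_key.bak" "$live_key"
        return 1
    fi
}

# Runs only when called with arguments, e.g. (paths are placeholders):
#   ./swap_cert.sh new.crt new.key /etc/nginx/ssl/site.crt /etc/nginx/ssl/site.key
if [ "$#" -ge 4 ]; then swap_cert "$@"; fi
```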

Solution 2

To get the new one you might or might not need to submit a new CSR, depending on the CA. But in any case you get a new certificate file and need to replace the existing certificate on your server with a new one. See also https://www.digicert.com/ssl-certificate-renewal.htm

Solution 3

Renewal of an SSL certificate keeps security on your website alive along with your verified identity. A lapse in renewal can cause a warning on your website that warns your customers to move away from your site.

Whether you should continue with the old CSR or generate a new CSR depends on the SSL provider, but it is recommended to create a new one to get rid of misconfiguration. However, it is a myth that your server will face downtime in the renewal of an SSL certificate.

Certificate renewal and re-issuance are different terms. Certificate renewal happens after the expiry of a certificate, while certificate re-issuance happens in the case of a lost private key, or when you want to change the domain/organization name or add new SAN names.

Most certificate providers send renewal reminder emails frequently before certificate expiry. So, it is advisable to renew your certificate earlier; you can take advantage of getting an additional validity period from early renewals.

This article may help you to understand the certificate renewal process. https://www.ssl2buy.com/wiki/how-to-renew-ssl-certificate/

Author by

alybadawy

A Brooklyn-based IT specialist and a solutions developer specializing in open-source environments like Unix, nginx, PHP, Ruby and other programming languages. I also develop applications for Mac OS X and iOS devices. I have extended experience in system administration and networking too.

Updated on July 06, 2022

Comments

  • alybadawy
    alybadawy almost 2 years

    I have an SSL certificate that I am using to secure port 443 (HTTPS) on my nginx server running on Ubuntu for about 10 months now.

    When I bought the cert, I got it for one year, so I have about 2 more months with this certificate. My question is: "When I renew this cert, will I just need to pay for renewal? Or will I have to re-issue the cert with a new CSR, and have a potential downtime while installing?"

    I need to plan for any downtime from now.

    Thanks in advance for your answers.