Each SSL certificate has a validity period. The default validity period is one year. You must renew a certificate before it expires. Otherwise, the certificate becomes untrusted after it expires. The access requests to a website that uses the certificate are affected. For example, a massage is displayed to indicate that a connection to the website is not secure or the website cannot be accessed. This topic describes how to renew a certificate in the Certificate Management Service console.

Remaining validity period of an existing certificate

The validity period of a renewed certificate starts from the expiration date of the existing certificate. For example, an existing certificate expires on June 1, 2022. If the certificate is renewed and the renewed certificate is issued at May 25, 2022, the validity period of the renewed certificate is June 1, 2022 to June 1, 2023.

Notice In the following scenarios, the remaining validity period of the existing certificate cannot be added to the validity period of the renewed certificate:
  • The specifications of the renewed certificate are different from the specifications of the existing certificate. The specifications include Domain Type, Certificate Type, and Certificate Specifications.

    In this case, the renewed certificate is recognized as a newly purchased certificate. As a result, the remaining validity period of the existing certificate cannot be added to the validity period of the renewed certificate.

  • The existing certificate is a third-party certificate that is uploaded.

Limits

  • The existing certificate that you want to renew must be issued by GlobalSign.

    You can renew only certificates that are issued by GlobalSign.

  • The existing certificate must be in the Pending Expiration state.

    The Renewal purchase button is available only within 30 calendar days before the certificate expires.

Renew an Alibaba Cloud certificate

If your certificate is purchased and issued by using Certificate Management Service, you can manually renew the certificate when it is in the Pending Expiration state. To renew a certificate, perform the following operations:

  1. Log on to the SSL Certificates Service console.
  2. On the Manage Certificates tab of the SSL Certificates page, click the certificate status drop-down list above the certificate list and select Pending Expiration.
    This operation displays all the certificates that meet the renewal conditions.

    If the certificate list is empty after you perform this operation, you do not have a certificate in the Pending Expiration state, and you do not need to renew a certificate.

  3. Find the certificate that you want to renew and click Renewal purchase in the Actions column.
  4. Complete the payment as prompted.
    In the Certificate Renewal panel, the system automatically specifies the same values for the parameters as those of the certificate you want to renew. You do not need to modify the configurations. If you modify the configurations, the specifications of the renewed certificate are different from the specifications of the existing certificate. After the renewed certificate is issued, the remaining validity period of the existing certificate cannot be added to the validity period of the renewed certificate.
    1. In the Certificate Renewal panel, click Buy Now.
    2. Confirm the order and complete the payment.
    3. Go back to the Certificate Management Service console and check whether the payment is complete.
    After the existing certificate is renewed, the renewed certificate appears below the existing certificate that is due to expire. The new icon appears on the left of the renewed certificate. The icon indicates that the renewed certificate is associated with the existing certificate.

    The renewed certificate is in the Pending Application state. You must submit a certificate application. After the certificate authority (CA) approves the certificate application, the CA issues the renewed certificate to you.

Renew an uploaded third-party certificate

If your certificate is purchased and issued by using a third-party platform and is uploaded to the Certificate Management Service console for centralized management, you can perform the following operations to renew the certificate when it is due to expire. For more information about how to upload a certificate, see Upload a certificate.

Notice When you renew an uploaded third-party certificate by using Certificate Management Service, the validity period of the renewed certificate is one year starting from the day when the renewed certificate is issued. Alibaba Cloud does not add the remaining validity period of the existing certificate to the validity period of the renewed certificate.
  1. Log on to the SSL Certificates Service console.
  2. On the SSL Certificates page, click the Manage Uploaded Certificates tab.
  3. On the Manage Uploaded Certificates tab, select Pending Expiration from the certificate status drop-down list above the certificate list.
    This operation displays all the certificates that meet the renewal conditions.

    If the certificate list is empty after you perform this operation, you do not have a certificate in the Pending Expiration state, and you do not need to renew a certificate.

  4. Find the certificate that you want to renew and click Renewal purchase in the Actions column.
  5. Complete the payment as prompted.
    1. In the Renew panel, select a certificate whose specifications are the same as the existing certificate and click Buy Now. The specifications include Domain Type, Certificate Type, and Certificate Specifications.
    2. Confirm the order and complete the payment.
    3. Go back to the Certificate Management Service console and check whether the payment is complete.
    After the existing certificate is renewed, the renewed certificate appears below the existing certificate that is due to expire. The new icon appears on the left of the renewed certificate. The icon indicates that the renewed certificate is associated with the existing certificate.

    The renewed certificate is in the Pending Application state. You must submit a certificate application. After the certificate authority (CA) approves the certificate application, the CA issues the renewed certificate to you.

What to do next

After you renew a certificate, you must perform the following operations to ensure that the renewed certificate can be deployed to an Alibaba Cloud service or installed on a web server in a timely manner:

  1. Submit a certificate application for the renewed certificate.
    For more information, see Submit a certificate application.
  2. After the renewed certificate is issued, deploy the certificate to your Alibaba Cloud service or install the certificate on your web server.
    For more information, see Installation overview.
  3. After the certificate is deployed or installed, perform the following operations to check whether the renewed certificate takes effect:

    After the renewed certificate is installed on your web server, you can check whether the certificate takes effect by performing the following operations: Visit your website by using a web browser. Then, click the Security lock icon in the address bar of your browser. If the validity period of the renewed certificate appears, the renewed certificate takes effect.

    On a Linux server, you can also run the following command to view the validity period of the renewed certificate:
    # In the following command, the domain name is www.aliyundoc.com. You must replace www.aliyundoc.com with your actual domain name. 
echo | openssl s_client -servername www.aliyundoc.com -connect www.aliyundoc.com:443 2>/dev/null | openssl x509 -noout -dates

What do I do if I cannot find the Renewal purchase button for a certificate that is about to expire?

If you cannot find the Renewal purchase button in the Actions column for a certificate that is in the Pending Expiration state, the certificate has been renewed. The renewed certificate is marked new below the existing certificate.
Note You must submit a certificate application for the renewed certificate in a timely manner to ensure that users can access your website. For more information about how to apply for a certificate, see Submit a certificate application.