Each SSL certificate has a validity period. The default validity period is one year. You must renew a certificate before it expires. Otherwise, the certificate becomes untrusted after it expires, and the services provided by a website that uses the certificate are affected. For example, a message is displayed to indicate that a connection to the website is not secure, or the website cannot be accessed. This topic describes how to renew a certificate that is due to expire in the Certificate Management Service console.

Remaining validity period of an existing certificate

The renewed certificate expires one year later than the day when the existing certificate expires. Alibaba Cloud automatically adds the remaining validity period of the existing certificate to the validity period of the renewed certificate. For example, an existing certificate whose validity period is one year will expire on June 1, 2022. If the certificate is renewed and issued on May 25, 2022, the day when the renewed certificate will expire is six days later than May 25, 2023. The renewed certificate will expire on June 1, 2023.

Notice: In the following scenarios, the remaining validity period of the existing certificate cannot be added to the validity period of the renewed certificate:
  • The specifications of the renewed certificate are different from the specifications of the existing certificate. The specifications include Domain Type, Certificate Type, and Certificate Specifications.

    In this case, the renewed certificate is recognized as a newly purchased certificate. As a result, the remaining validity period of the existing certificate cannot be added to the validity period of the renewed certificate.

  • The existing certificate is a third-party certificate that is uploaded.

Prerequisites

  • The existing certificate that you want to renew is issued by GlobalSign.

    You can renew only certificates that are issued by GlobalSign.

  • The existing certificate is in the Pending Expiration state.

    The Renewal purchase button is available only within 30 calendar days before the certificate expires.

Renew an Alibaba Cloud certificate

If your certificate is purchased and issued by using Certificate Management Service, you can manually renew the certificate when it is in the Pending Expiration state. To renew a certificate, perform the following operations:

  1. Log on to the SSL Certificates Service console.
  2. On the Manage Certificates tab of the SSL Certificates page, click the certificate status drop-down list above the certificate list and select Pending Expiration.
    This operation displays all the certificates that meet the renewal conditions.

    If the certificate list is empty after you perform this operation, you do not have a certificate in the Pending Expiration state, and you do not need to renew a certificate.

  3. Find the certificate that you want to renew and click Renewal purchase in the Actions column.
  4. Complete the payment as prompted.
    In the Certificate Renewal panel, the system automatically specifies the same values for the parameters as those of the certificate you want to renew. You do not need to modify the configurations. If you modify the configurations, the specifications of the renewed certificate are different from the specifications of the existing certificate. After the renewed certificate is issued, the remaining validity period of the existing certificate cannot be added to the validity period of the renewed certificate.
    1. In the Certificate Renewal panel, click Buy Now.
    2. Confirm the order and complete the payment.
    3. Go back to the Certificate Management Service console and check whether the payment is complete.
    After the existing certificate is renewed, the renewed certificate appears below the existing certificate that is due to expire. The new icon appears on the left of the renewed certificate. The icon indicates that the renewed certificate is associated with the existing certificate.

    The renewed certificate is in the Pending Application state. You must submit a certificate application. After the certificate authority (CA) approves the certificate application, the CA issues the renewed certificate to you.

Renew an uploaded third-party certificate

If your certificate is purchased and issued by using a third-party platform and is uploaded to the Certificate Management Service console for centralized management, you can perform the following operations to renew the certificate when it is due to expire. For more information about how to upload a certificate, see Upload a certificate.

Notice: When you renew an uploaded third-party certificate by using Certificate Management Service, the validity period of the renewed certificate is one year starting from the day when the renewed certificate is issued. Alibaba Cloud does not add the remaining validity period of the existing certificate to the validity period of the renewed certificate.
  1. Log on to the SSL Certificates Service console.
  2. On the SSL Certificates page, click the Manage Uploaded Certificates tab.
  3. On the Manage Uploaded Certificates tab, select Pending Expiration from the certificate status drop-down list above the certificate list.
    This operation displays all the certificates that meet the renewal conditions.

    If the certificate list is empty after you perform this operation, you do not have a certificate in the Pending Expiration state, and you do not need to renew a certificate.

  4. Find the certificate that you want to renew and click Renewal purchase in the Actions column.
  5. Complete the payment as prompted.
    1. In the Renew panel, select a certificate whose specifications are the same as the existing certificate and click Buy Now. The specifications include Domain Type, Certificate Type, and Certificate Specifications.
    2. Confirm the order and complete the payment.
    3. Go back to the Certificate Management Service console and check whether the payment is complete.
    After the existing certificate is renewed, the renewed certificate appears below the existing certificate that is due to expire. The new icon appears on the left of the renewed certificate. The icon indicates that the renewed certificate is associated with the existing certificate.

    The renewed certificate is in the Pending Application state. You must submit a certificate application. After the certificate authority (CA) approves the certificate application, the CA issues the renewed certificate to you.

What to do next

After you renew a certificate, you must perform the following operations to ensure that the renewed certificate can be deployed to an Alibaba Cloud service or installed on a web server in a timely manner:

  1. Submit a certificate application for the renewed certificate.
    For more information, see Apply for a certificate.
  2. After the renewed certificate is issued, deploy the certificate to your Alibaba Cloud service or install the certificate on your web server.
    For more information, see Installation overview.
  3. After the certificate is deployed or installed, perform the following operations to check whether the renewed certificate takes effect:

    After the renewed certificate is installed on your web server, visit your website by using a web browser. Then, click the Security lock icon in the address bar of your browser. If the validity period of the renewed certificate appears, the renewed certificate takes effect.

    On a Linux server, you can also run the following command to view the validity period of the renewed certificate:
    echo | openssl s_client -servername www.yourdomain.com -connect www.yourdomain.com:443 2>/dev/null | openssl x509 -noout -dates
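
The following script is an added example, not part of the original topic. It classifies the notAfter line that the command above prints against the 30-day renewal window and checks that the certificate now served expires later than the old one. The function names are hypothetical, the sample dates in the comments are constructed, and GNU date and openssl are assumed.

```shell
#!/bin/sh
# Added example (not from the original topic). Assumes GNU date and openssl.
RENEWAL_WINDOW_DAYS=30   # Renewal purchase is available within 30 days of expiry

# to_epoch "notAfter=Jun  1 00:00:00 2023 GMT" -> seconds since the epoch (UTC)
to_epoch() (
    date -u -d "${1#notAfter=}" +%s 2>/dev/null
)

# cert_state <notAfter line> [now_epoch] -> valid | pending-expiration | expired
cert_state() (
    end=$(to_epoch "$1") || { echo unparseable; exit 2; }
    now=${2:-$(date -u +%s)}
    left=$(( end - now ))
    if [ "$left" -le 0 ]; then
        echo expired
    elif [ "$left" -le $(( RENEWAL_WINDOW_DAYS * 86400 )) ]; then
        echo pending-expiration
    else
        echo valid
    fi
)

# expires_later <old notAfter line> <served notAfter line>
# Succeeds only when the served certificate outlives the old one, that is,
# the server presents the renewed certificate and not the one it replaced.
expires_later() (
    old=$(to_epoch "$1") || exit 2
    new=$(to_epoch "$2") || exit 2
    [ "$new" -gt "$old" ]
)

# served_not_after <host> [port]: the command from this topic, end date only
served_not_after() (
    echo | openssl s_client -servername "$1" -connect "$1:${2:-443}" 2>/dev/null |
        openssl x509 -noout -enddate
)

# Query a live host only when one is passed on the command line.
if [ -n "${1:-}" ]; then
    line=$(served_not_after "$1")
    echo "$1: $line ($(cert_state "$line"))"
fi
```

Record the notAfter line of the old certificate before you deploy the renewed one, then pass both lines to expires_later to confirm that the deployment replaced it.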