Each SSL certificate has a validity period. The default validity period is one year.
You must renew a certificate before it expires. Otherwise, the certificate becomes
untrusted after it expires. The access requests to a website that uses the certificate
are affected. For example, a massage is displayed to indicate that a connection to
the website is not secure or the website cannot be accessed. This topic describes
how to renew a certificate in the Certificate Management Service console.
Remaining validity period of an existing certificate
The validity period of a renewed certificate starts from the expiration date of the
existing certificate. For example, an existing certificate expires on June 1, 2022.
If the certificate is renewed and the renewed certificate is issued at May 25, 2022,
the validity period of the renewed certificate is June 1, 2022 to June 1, 2023.
Notice In the following scenarios, the remaining validity period of the existing certificate
cannot be added to the validity period of the renewed certificate:
- The specifications of the renewed certificate are different from the specifications
of the existing certificate. The specifications include Domain Type, Certificate Type, and Certificate Specifications.
In this case, the renewed certificate is recognized as a newly purchased certificate.
As a result, the remaining validity period of the existing certificate cannot be added
to the validity period of the renewed certificate.
- The existing certificate is a third-party certificate that is uploaded.
Renew an Alibaba Cloud certificate
If your certificate is purchased and issued by using Certificate Management Service,
you can manually renew the certificate when it is in the Pending Expiration state. To renew a certificate, perform the following operations:
- Log on to the SSL Certificates Service console.
- On the Manage Certificates tab of the SSL Certificates page, click the certificate status drop-down list above the certificate list and select
Pending Expiration.
This operation displays all the certificates that meet the renewal conditions.
If the certificate list is empty after you perform this operation, you do not have
a certificate in the Pending Expiration state, and you do not need to renew a certificate.
- Find the certificate that you want to renew and click Renewal purchase in the Actions column.
- Complete the payment as prompted.
In the Certificate Renewal panel, the system automatically specifies the same values for the parameters as those
of the certificate you want to renew. You do not need to modify the configurations.
If you modify the configurations, the specifications of the renewed certificate are
different from the specifications of the existing certificate. After the renewed certificate
is issued, the remaining validity period of the existing certificate cannot be added
to the validity period of the renewed certificate.
- In the Certificate Renewal panel, click Buy Now.
- Confirm the order and complete the payment.
- Go back to the Certificate Management Service console and check whether the payment
is complete.
After the existing certificate is renewed, the renewed certificate appears below the
existing certificate that is due to expire. The
icon appears on the left of the renewed certificate. The icon indicates that the
renewed certificate is associated with the existing certificate.
The renewed certificate is in the Pending Application state. You must submit a certificate application. After the certificate authority
(CA) approves the certificate application, the CA issues the renewed certificate to
you.
Renew an uploaded third-party certificate
If your certificate is purchased and issued by using a third-party platform and is
uploaded to the Certificate Management Service console for centralized management,
you can perform the following operations to renew the certificate when it is due to
expire. For more information about how to upload a certificate, see Upload a certificate.
Notice When you renew an uploaded third-party certificate by using Certificate Management
Service, the validity period of the renewed certificate is one year starting from
the day when the renewed certificate is issued. Alibaba Cloud does not add the remaining
validity period of the existing certificate to the validity period of the renewed
certificate.
- Log on to the SSL Certificates Service console.
- On the SSL Certificates page, click the Manage Uploaded Certificates tab.
- On the Manage Uploaded Certificates tab, select Pending Expiration from the certificate status drop-down list above the certificate list.
This operation displays all the certificates that meet the renewal conditions.
If the certificate list is empty after you perform this operation, you do not have
a certificate in the Pending Expiration state, and you do not need to renew a certificate.
- Find the certificate that you want to renew and click Renewal purchase in the Actions column.
- Complete the payment as prompted.
- In the Renew panel, select a certificate whose specifications are the same as the existing certificate
and click Buy Now. The specifications include Domain Type, Certificate Type, and Certificate Specifications.
- Confirm the order and complete the payment.
- Go back to the Certificate Management Service console and check whether the payment
is complete.
After the existing certificate is renewed, the renewed certificate appears below the
existing certificate that is due to expire. The
icon appears on the left of the renewed certificate. The icon indicates that the
renewed certificate is associated with the existing certificate.The renewed certificate is in the Pending Application state. You must submit a certificate application. After the certificate authority
(CA) approves the certificate application, the CA issues the renewed certificate to
you.
What to do next
After you renew a certificate, you must perform the following operations to ensure
that the renewed certificate can be deployed to an Alibaba Cloud service or installed
on a web server in a timely manner:
- Submit a certificate application for the renewed certificate.
- After the renewed certificate is issued, deploy the certificate to your Alibaba Cloud
service or install the certificate on your web server.
- After the certificate is deployed or installed, perform the following operations to
check whether the renewed certificate takes effect:
After the renewed certificate is installed on your web server, you can check whether
the certificate takes effect by performing the following operations: Visit your website
by using a web browser. Then, click the
icon in the address bar of your browser. If the validity period of the renewed certificate
appears, the renewed certificate takes effect.
On a Linux server, you can also run the following command to view the validity period
of the renewed certificate:
# In the following command, the domain name is www.aliyundoc.com. You must replace www.aliyundoc.com with your actual domain name.
echo | openssl s_client -servername www.aliyundoc.com -connect www.aliyundoc.com:443 2>/dev/null | openssl x509 -noout -dates
What do I do if I cannot find the Renewal purchase button for a certificate that is
about to expire?
If you cannot find the Renewal purchase button in the
Actions column for a certificate that is in the
Pending Expiration state, the certificate has been renewed. The renewed certificate is marked

below the existing certificate.
Note You must submit a certificate application for the renewed certificate in a timely
manner to ensure that users can access your website. For more information about how
to apply for a certificate, see
Submit a certificate application.