By default, an SSL certificate is valid for one year. You must renew a certificate and install a new certificate on your website before the original certificate expires. Otherwise, users who access the website after the original certificate expires can receive a message indicating that the connection to the website is not secure or the website is inaccessible. This topic describes how to renew a certificate.

Background information

The following list describes the renewal scenarios:
  • If the remaining validity period of your certificate is less than 30 calendar days, the certificate is about to expire. You must renew the certificate in the Certificate Management Service console to ensure secure access to your website. For more information, see Certificates whose remaining validity period is less than 30 calendar days.
  • If the remaining validity period of your certificate exceeds 30 calendar days, you can renew the certificate in advance in the Certificate Management Service console. For more information, see Certificates whose remaining validity period exceeds 30 calendar days.
  • If your certificate has expired, you cannot renew the certificate. You must purchase a new certificate. The new certificate is valid for one year from the date when the certificate is issued. For more information about how to purchase a certificate, see Purchase an SSL certificate.
Important After a certificate is renewed, the new certificate is independent of the original certificate. You must submit an application for the new certificate and install the new certificate after it is issued.

Certificates whose remaining validity period is less than 30 calendar days

Scenarios

When you renew a certificate that is about to expire, make sure that the following requirements are met:
  • The remaining validity period of the certificate is less than 30 calendar days. The Renewal purchase button for a certificate is available only within 30 calendar days before the certificate expires.
  • The original certificate is issued by GlobalSign.

Remaining validity period

In the following scenarios, the remaining validity period of a certificate that you renew cannot be carried over to the new certificate. The validity period of the new certificate is one year starting from the day when the certificate is issued. For example, if the new certificate is issued on July 20, 2022, its validity period starts from July 20, 2022 and ends on July 20, 2023.
  • The specifications of the new certificate are different from the specifications of the original certificate. The specifications include Domain Type, Certificate Category, and Select Brand.
  • The original certificate is a third-party certificate that is uploaded.

In other scenarios, the remaining validity period of a certificate that you renew can be carried over to the new certificate. After you renew a certificate, the expiration time of the new certificate is one year later than the expiration time of the original certificate. For example, a certificate expires on August 1, 2022. If the certificate is renewed and the new certificate is issued on July 20, 2022, the validity period of the new certificate starts from July 20, 2022 and ends on August 1, 2023.

Procedure

  1. Log on to the Certificate Management Service console.
  2. On the SSL Certificates page, click the Manage Certificates or Manage Uploaded Certificates tab, and select Pending Expiration from the certificate status drop-down list.
    • Manage Certificates tab: displays the certificates that you purchase by using Certificate Management Service.
    • Manage Uploaded Certificates tab: displays the third-party certificates that you manage by using Certificate Management Service.
      Important When you renew an uploaded third-party certificate by using Certificate Management Service, the validity period of the new certificate is one year starting from the day when the new certificate is issued. Alibaba Cloud does not carry over the remaining validity period of the original certificate to the new certificate.
  3. In the certificate list, find the certificate that you want to renew and click Renew in the Actions column.
  4. Follow the instructions in the Certificate Renewal panel to complete the payment.
    In the Certificate Renewal panel, the system automatically specifies the same values for the parameters as those of the certificate you want to renew. You do not need to modify the configurations.
    After the certificate is renewed, the new certificate appears below the original certificate that is about to expire. The new icon appears to the left of the new certificate. The icon indicates that the new certificate is associated with the original certificate. The validity period of the original certificate is not changed.

    The new certificate is in the Pending Application state. You must submit a certificate application for the new certificate, and cooperate with the certificate authority (CA) staff to complete the verification of domain name ownership and the review of application materials. After the CA approves the certificate application, the CA issues the new certificate to you. For more information, see Submit a certificate application.

    Note If Not Activated is displayed in the Status column for a new certificate after the associated original certificate is renewed, the new certificate is not activated. If the validity period of the original certificate is less than 30 days, the system submits an application for the new certificate. To prevent your business from being affected due to an application failure, you must cooperate with the CA staff to complete the certificate application.

    If a certificate in the Not Activated state is canceled, the consumed certificate quota is returned.

What to do next

After you renew a certificate, you must perform the following operations to ensure that the new certificate can be deployed to an Alibaba Cloud service or installed on a web server in a timely manner:

  1. Submit a certificate application for the new certificate. For more information, see Submit a certificate application.
  2. After the new certificate is issued, deploy the certificate to your Alibaba Cloud service or install the certificate on your web server.
    For more information, see Installation overview.
  3. After the certificate is deployed or installed, perform the following operations to check whether the new certificate takes effect:

    After the new certificate is installed on your web server, you can check whether the certificate takes effect by performing the following operations: Visit your website by using a web browser. Then, click the Security lock icon in the address bar of your browser. If the validity period of the new certificate appears, the new certificate takes effect.

    On a Linux server, you can also run the following command to view the validity period of the new certificate:
    # In the following command, the domain name is www.aliyundoc.com. You must replace www.aliyundoc.com with your actual domain name. 
    echo | openssl s_client -servername www.aliyundoc.com -connect www.aliyundoc.com:443 2>/dev/null | openssl x509 -noout -dates 

Certificates whose remaining validity period exceeds 30 calendar days

If the remaining validity period of a certificate exceeds 30 calendar days, you can renew the certificate in advance. This helps ensure that the certificate is renewed in a timely manner if you forget to renew the certificate.

  1. Log on to the Certificate Management Service console.
  2. On the SSL Certificates page, click the tab on which the required certificate is displayed.
    • Manage Certificates tab: displays the certificates that you purchase by using Certificate Management Service. In the certificate list, find the certificate that you want to renew and choose Icon > Renew in the Actions column.
    • Manage Uploaded Certificates tab: displays the third-party certificates that you manage by using Certificate Management Service. In the certificate list, find the certificate that you want to renew and click Renew in the Actions column.
  3. In the Renew (Hosting-based) dialog box, click Buy Now.
    Important If your certificate quota is sufficient, the quota is consumed for renewal.

References