Monitor your SSL certificate validity and renew before expiration to avoid service disruptions. Learn how to renew a Commercial Certificates and an Uploaded certificate.
The renewal procedures for commercial certificates and Individual Test Certificates described in this topic apply only to SSL Certificate Management (V1.0 Discontinued). This feature is not yet available in SSL Certificate Management V2.0. Stay tuned for future product updates.
Confirm your certificate type
Go to the SSL Certificate Management (V1.0 Discontinued) console. Identify your certificate type based on the tab where it appears (Commercial Certificates or Uploaded), and then follow the corresponding renewal procedure:
-
Commercial Certificates: See Renew a commercial certificate. This applies to commercial certificates with a status of About to Expire (within 15 days of expiration). If your certificate is Expired, you must purchase a new one.
-
Uploaded: See Renew an uploaded certificate.
Renew a commercial certificate
Starting February 25, 2026, the renewal option in SSL Certificate Management (V1.0 Discontinued) is available only within 15 days before expiration. Certificates that expire in more than 15 days do not have a renewal option. Notice on validity period changes of SSL certificates.
Renewal process
Renewal issues a new certificate instead of extending the existing one. The old certificate remains valid until expiration. The process works as follows:
-
Submit renewal and payment: Complete the renewal form and pay.
-
Submit the certificate request: Submit a request to the CA and complete domain ownership validation.
-
Deploy and verify the new certificate: Deploy the new certificate on your server or cloud service to replace the old one.
Prerequisites
-
Certificate status: The certificate status is About to Expire.
-
Certificate type: The certificate is not amulti-domain certificate.
-
Specification changes: You do not need to change the certificate brand or type.
If your certificate is Expired, is a multi-domain certificate, or if you need to change specifications, purchase a new commercial certificate and then create, apply for, and deploy it.
Validity period calculation for the new certificate
A renewed certificate carries over the old certificate's remaining validity, up to 15 days.
-
Calculation rule
-
Formula:
New certificate validity = Standard validity (180 days) + Remaining validity of the old certificate (up to 15 days). -
Expiration date: If you renew within 15 days before expiration, the new certificate expires 180 days after the old certificate's expiration date.
-
-
Example
Assume a certificate valid from October 1, 2025 to September 30, 2026, and the new certificate is issued on the same day the application is submitted.
-
Action date: You submit a renewal request and the certificate application on September 20, 2026.
-
New certificate validity: 6 months (180 days) + 10 days (remaining validity of the old certificate) = 190 days.
-
New certificate validity period: September 20, 2026 to March 29, 2027.
NoteThe Managed Service automatically submits the certificate application if the following conditions are met. Otherwise, submit it manually.
-
For DV certificates, the Alibaba Cloud account that uses Alibaba Cloud DNS for the domain name must be the same account that purchased the certificate, or the domain name must have validation-free authorization configured.
-
The certificate application information and materials are valid, as verified by the CA.
-
Step 1: Submit renewal and payment
-
Go to the SSL Certificate Management (V1.0 Discontinued) page. On the Commercial Certificates tab, find the target certificate, and in the Actions column, click Renewal purchase.
-
In the Certificate renewal panel, configure the following parameters.
-
CSR Generation:
A CSR contains the domain name, public key, and subject information, signed with your private key. We recommend Automatic.
Automatic
Generates a new key pair matching the old certificate's algorithm and creates a new CSR.
NoteFollows the key rotation security best practice.
Manual entry
Paste a CSR generated in your own environment into the CSR File field. Certificates issued with this option cannot be deployed to Alibaba Cloud services through the console. Create a CSR file.
Important-
Ensure your CSR's encryption algorithm matches the Encryption Algorithm of the old certificate. A mismatch prevents submission.
-
Store your private key securely. Alibaba Cloud does not store it. If lost, you must purchase a new SSL certificate.
Update with original key
Reuses the old certificate's key pair to generate a new CSR.
ImportantDoes not follow key rotation best practices and may not meet compliance requirements in some industries.
-
-
Domain Verification Method:
Defaults to the same validation method used for the old certificate.
-
Contact:
Depending on the domain validation method, the CA may email a certificate validation message to this contact or reach out by phone . Ensure the contact information is accurate and up to date.
-
Renewal Period:
The purchased service duration may require multiple certificates, each with a validity period subject to the certificate brand's policies. Notice on validity period changes of SSL certificates.
-
-
Click Renewal immediately and follow the on-screen instructions to complete the payment.
-
Payment rule: The system offsets the cost with your remaining certificate quota (matching this request's specifications) and Managed Service uses. You pay only the shortfall.
-
View remaining certificate quota and Managed Service uses: On the Commercial Certificates tab, click Create Certificate.
-
Remaining Managed Service uses: Find the Validity Period (Years) field. The number displayed after "Available Quota for Hosting Service:" is your current remaining quota.
-
Remaining certificate quota: After you select a Certificate Type, click the Certificate Specifications drop-down list. The "Number of available certificates" indicates the remaining quota for each specification.
-
-
-
After renewal, new certificates appear below the old one. The count depends on the single-certificate validity period (Notice on validity period changes of SSL certificates). New certificates are linked to the old one, indicated by an
icon on the left. The old certificate's validity remains unchanged. The first new certificate has a status of Pending Application, and the remaining certificates have a status of Not Activated.NoteThe Managed Service automatically submits the certificate application if the following conditions are met. Otherwise, submit it manually.
-
For DV certificates, the Alibaba Cloud account that uses Alibaba Cloud DNS for the domain name must be the same account that purchased the certificate, or the domain name must have validation-free authorization configured.
-
The certificate application information and materials are valid, as verified by the CA.
-
Step 2: Submit certificate request
After the renewal is complete, submit a request to the certification authority (CA) and complete domain ownership validation.
Step 3: Deploy and verify new certificate
-
Deploy the certificate.
Deploy the new certificate on your web server or cloud service. Select a deployment solution for an SSL certificate.
-
Verify the certificate.
-
In a browser such as Chrome, go to
https://<your domain name>. -
Click the
icon, and then click Connection is secure > Certificate is valid. -
In the certificate details, check General > Expires On. If the date matches the expiration date of the new certificate, the deployment was successful.
-
Renew an uploaded certificate
An uploaded certificate is managed in SSL Certificate Management V2.0. Renewal is equivalent to purchasing a new commercial certificate. The new certificate's validity starts from issuance and does not carry over the old certificate's remaining validity.
-
The Update button appears in the Actions column only when the Status is Pending Expiration and the certificate is not a PCA certificate.
-
If the Status is PCA (an SSL certificate created by the PCA service), you must issue a new PCA certificate and then sync it to SSL Certificate Management.
Step 1: Submit renewal and payment
-
On the Uploaded tab of the SSL Certificate Management V2.0 page, find your certificate.
-
In the Actions column, click Update to go to the purchase page.
-
Follow the same process as purchasing a commercial certificate. For more information, see Purchase a commercial certificate.
Step 2: Submit certificate request
After the renewal is complete, submit a request to the certification authority (CA) and complete domain ownership validation.
Step 3: Deploy and verify new certificate
-
Deploy the certificate.
Deploy the new certificate on your web server or cloud service. Select a deployment solution for an SSL certificate.
-
Verify the certificate.
-
In a browser such as Chrome, go to
https://<your domain name>. -
Click the
icon, and then click Connection is secure > Certificate is valid. -
In the certificate details, check General > Expires On. If the date matches the expiration date of the new certificate, the deployment was successful.
-
FAQ
Renewal basics
Difference between renewal and direct purchase
-
Commercial Certificates
The key difference is whether the new certificate carries over the old certificate's remaining validity.
-
Certificate renewal: A renewed certificate carries over the old certificate's remaining validity for a smooth transition. For more information, see Validity period calculation for the new certificate.
-
Direct purchase: Validity starts from issuance and does not include the old certificate's remaining validity. Any unused validity is lost.
-
-
Uploaded
For both renewal and direct purchase, validity starts from issuance without carrying over the old certificate's remaining validity. The difference is only in the console workflow.
Validity of multi-year certificates
-
Per CA/Browser Forum regulations, the maximum validity for a publicly trusted SSL certificate is 397 days, changing to 200 days starting February 25, 2026 (Notice on validity period changes of SSL certificates). A multi-year purchase or renewal therefore bundles multiple certificates with the Managed Service.
-
The Managed Service automatically requests the next certificate before expiration. If automatic submission fails, submit it manually: complete domain ownership validation (if required), pass the CA review, and redeploy the new certificate.
Renewal process issues
Missing renewal option
The renewal option in SSL Certificate Management (V1.0 Discontinued) appears only within 15 days of expiration.
Duplicate certificate records after renewal
Based on the service duration you selected, one or more new certificates appear below the old one. An
icon on the left indicates they are linked to the old certificate.
Post-renewal deployment issues
"Certificate expiring soon" warning after renewal
Renewal is a multi-step process. After paying, complete the application to get the new certificate issued (Submit a request to the certification authority (CA)). Once issued, deploy it to replace the old one (Select a deployment solution for an SSL certificate).
"Insecure" or "certificate expired" warning after renewal
Troubleshoot with the following steps:
-
Verify the deployed certificate file: Ensure the newly issued certificate file, not the old one, is deployed on your server.
-
Restart the web service: After replacing the certificate file on Nginx, Apache, Tomcat, IIS, or similar web servers, you must restart or reload the service for the new certificate to take effect.
-
Clear your browser cache: Your browser may have cached the old certificate. Try force-refreshing the page (Ctrl+F5), clearing the browser cache, or visiting the site in incognito or private mode.
-
Update certificates on intermediate services: If you use Content Delivery Network (CDN), Web Application Firewall (WAF), Global Accelerator (GA), or Server Load Balancer (SLB), you must also update the certificate in the console for each of these services. Otherwise, they continue to serve the old, expired certificate.
-
Verify the certificate chain is complete: Certificate files downloaded from Alibaba Cloud typically include the complete certificate chain. If you are assembling it manually, include the server certificate and all intermediate certificates.
Emergency procedure for expired certificates
Emergency steps for an expired certificate
If an expired certificate disrupts service, follow this procedure to restore service quickly. Replace the temporary certificate with your intended commercial certificate later.
-
Purchase a DV certificate: DV certificates have a simple validation process and are issued quickly, making them ideal as a temporary fix.
-
Request the certificate: Choose DNS validation to verify domain ownership quickly, often within 10 minutes.
NoteWhile waiting for issuance, locate the old certificate on your server so you are ready for replacement.
-
Deploy the certificate: Deploy the new certificate immediately to your web server (Nginx, Apache, etc.) or cloud service.
-
Replace with a commercial certificate: The DV certificate is temporary. After service is restored, request a certificate with your original specifications (OV, EV, etc.) and replace the DV certificate as soon as possible.
To prevent recurrence, enable SSL certificate message notifications and renew certificates before they expire. You can also purchase a the Managed Service. The Managed Service automatically submits a renewal request 30 days before a certificate expires.