
Does renewing SSL certificate require re-issuing the cert?

I have an SSL certificate that I am using to secure port 443 (HTTPS) on my nginx server running on Ubuntu for about 10 months now.

When I bought the cert, I got it for one year, so I have about 2 more months with this certificate. My question is: when I renew this cert, will I just need to pay for renewal, or will I have to re-issue the cert with a new CSR and have potential downtime while installing?

I need to plan for any downtime from now.

Thanks in advance for your answers.

asked Aug 16 '16 12:08

alybadawy


People also ask

What happens when you renew SSL certificate?

SSL renewal keeps your encryption up to date, which makes everyone safer. SSL certificates have expiration dates hardcoded into them. When they expire, web browsers will warn their users about your website. The reason SSL certificates expire is to keep your encryption up to date.

Does renewing a CERT revoke the old one?

Yes, they will revoke the old certificate.

Is a reissue the same as renew?

When your current certificate is about to expire, a Renewal is required. A Revoke & Replace (Reissue) is when you cancel a current, valid certificate and request a new one.

Do I need to create a new CSR to renew my SSL certificate?

Answer: Yes. Best practices are to generate a new certificate signing request (CSR) when renewing your SSL/TLS certificate. Generating a new CSR creates a new unique keypair (public/private) for the renewed certificate.


1 Answer

It's not possible to extend the expiration of an existing certificate once issued. The only way is to issue a new certificate.

Most certificate authorities offer a "renewal" concept, which provides some advantages compared to a new purchase. For example, you can renew in advance of the certificate expiration, and they will issue the new certificate from the expiration of the previous one, and not from the day the new one is issued.

The re-issue or re-key is a different thing. It generally means re-keying an existing certificate order with a different private key and/or CSR. It generally doesn't change the expiration of the certificate, hence it's not a renewal. Both renews and rekeys result in a new certificate (again, it's not possible to change an existing certificate once issued), but the rekey only alters the certificate information and not the expiration.

A renewal can be issued with the same original CSR and key, or with a completely new one. It's up to you.

As in all cases a new certificate is issued, you will have to replace the existing one. Replacing a certificate is generally a no-downtime task. You simply upload the new one, change the server settings and reload them (or restart the server).

Most web servers, including Nginx, support hot reloads; therefore you don't need to restart the server and wait for it to reboot.

If planned correctly, the renewal will be a no-downtime task.

answered Oct 18 '22 12:10

Simone Carletti
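The replace-and-reload step described in the answer above can be guarded with a few pre-flight checks. The script below is an added example, not part of the original answer; the function names and the file paths passed to them are assumptions, and it assumes the private key nginx is configured with is the one the renewed certificate was issued for.

```shell
#!/bin/sh
# Added example: pre-flight checks before swapping a renewed certificate into nginx.
# Function names and paths are hypothetical; adapt them to your server layout.

# Succeeds only if the certificate ($1) carries the public key of the private key ($2).
cert_matches_key() {
    cmk_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    cmk_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cmk_cert" ] && [ "$cmk_cert" = "$cmk_key" ]
}

# Succeeds only if the certificate ($1) is still valid $2 days from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# swap_cert NEW_CERT KEY LIVE_CERT
# KEY is the file named by ssl_certificate_key, LIVE_CERT the one named by ssl_certificate.
swap_cert() {
    cert_matches_key "$1" "$2" || { echo "certificate does not match key" >&2; return 1; }
    cert_valid_for "$1" 30 || { echo "certificate expires within 30 days" >&2; return 1; }

    # Keep the old certificate so a failed config test can be rolled back.
    cp -p "$3" "$3.bak" || return 1
    install -m 644 "$1" "$3" || return 1

    if nginx -t; then
        # Reload starts new workers with the new certificate; existing
        # connections finish on the old workers, so there is no downtime.
        nginx -s reload
    else
        # Nothing was reloaded, so the running workers still serve the old cert.
        cp -p "$3.bak" "$3"
        return 1
    fi
}
```

If the renewal used a new CSR and key, the new key file has to be in place at the `ssl_certificate_key` path before `swap_cert` is called.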