I have an SSL certificate that I am using to secure port 443 (HTTPS) on my nginx server running on Ubuntu for about 10 months now.
When I bought the cert, I got it for one year, so I have about 2 more months with this certificate. My question is: "When I renew this cert, Will I just need to pay for renewal? or will I have to re-issue the cert with a new CSR, and have a potential downtime while installing?
I need to plan for any downtime from now.
Thanks in advance for your answers.
SSL renewal keeps your encryption up to date, which makes everyone safer. SSL certificates have expiration dates hardcoded into them. When they expire, web browsers will warn their users about your website. The reason SSL certificates expire is to keep your encryption up to date.
Yes, they will revoke the old certificate.
When your current certificate is about to expire, a Renewal is required. A Revoke & Replace (Reissue) is when you cancel a current, valid certificate and request a new one.
Answer: Yes.Best practices are to generate a new certificate signing request (CSR) when renewing your SSL/TLS certificate. Generating a new CSR creates a new unique keypair (public/private) for the renewed certificate.
It's not possible to extend the expiration of an existing certificate once issued. The only way is to issue a new certificate.
Most certificate authorities offers a "renewal" concept, which provides some advantages compared to a new purchase. For example, you can renew in advance to the certificate expiration, and they will issue the new certificate from the expiration of the previous one, and not from the day the new one is issued.
The re-issue or re-key is a different thing. It generally means re-keying an existing certificate order with a different private key and/or CSR. It generally doesn't change the expiration of the certificate, hence it's not a renewal. Both renews and rekeys result in a new certificate (again, it's not possible to change an existing certificate once issued), but the rekey only alters the certificate information and not the expiration.
A renewal can be issued with the same original CSR and key, or with a completely new one. It's up to you.
As in all cases a new certificate is issued, you will have to replace the existing one. Replacing a certificate is generally a no-downtime task. You simply upload the new one, change the server settings and reload them (or restart the server).
Most webservers including Nginx supports hot reloads, therefore you don't need to restart the server and wait for it to reboot.
If planned correctly, the renewal will be a no downtime task.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With