Skip to main content

Reissue an SSL/TLS certificate

All DigiCert certificates come with unlimited free reissues. The list below includes some reasons for reissuing a certificate:

  • Lost the private key and want to re-key the certificate.

  • Change the common name on the certificate (for example, you want to remove and add yourdomain).

  • Add, remove, or change some of the subject alternative names (SANs) listed in the certificate.

The certificate reissue process allows you to modify an issued certificate. Some modifications enable you to build upon the original certificate, resulting in two or more versions of that certificate. For example, when reissuing a certificate, you can add domains to the original certificate. Adding domains to a certificate doesn’t revoke the original certificate.

Other modifications allow you to create a new version of the certificate and require DigiCert to revoke the original certificate and any existing certificate reissues and duplicates. For example, removing SANs or changing SANs on a multi-domain certificate creates a new version of the certificate, revoking the original certificate and any previous reissues and duplicate copies.

Reissue certificate

Step 1: Generate CSR

To reissue an SSL/TLS certificate, you’ll need to generate a new CSR. For more information about creating a CSR, see Create a CSR (Certificate Signing Request).


Best practices are to generate a new certificate signing request (CSR) when reissuing your SSL/TLS certificate. Generating a new CSR creates a new, unique keypair (public/private) for the reissued certificate.

Step 2: Sign in to your CertCentral account

Sign in to your account

Step 3: Fill out the SSL/TLS certificate reissue request form

Fill out the certificate reissue request form and modify the certificate details as needed.

  1. In the left main menu, go to Certificates > Orders.

  2. On the Orders page, select the Order # of the certificate you need to reissue.

  3. On the certificate's Order # details page, in the Certificate actions dropdown, select Reissue certificate.

Depending on your changes, the original certificate and previous versions (reissues and duplicates) may need to be revoked. However, before you submit the reissue request, we warn you if a change requires revocation.


If certificate revocations are required after reissuing your certificate, DigiCert revokes the original certificate and any existing duplicates and reissues within 72 hours.

We also do the following:

  • Send the requestor a revocation warning email with the subject line: Reissue request will revoke previously issued certificate for order ###### within 72 hours.

  • Change the Certificate status to Revocation pending with the revocation date and time on the Certificate history page.


Step 4: Complete domain control validation (DCV)

If you have any unvalidated domains on the certificate reissue request (common name or SANs), you must demonstrate control over those domains before DigiCert can reissue the certificate. See Demonstrate control over domains on a pending certificate order.

Step 5: Complete organization validation

If the organization validation has expired, DigiCert must complete the organization validation before we can reissue the certificate. See SSL/TLS certificate organization validation process.

Step 6: DigiCert reissues the SSL/TLS certificate

Once approved, we reissue and email the new certificate to the certificate contact. You can also download the reissued certificate from your account. See Download a TLS/SSL certificate from your CertCentral account.

Step 7: Install your reissued SSL/TLS certificate

Install and configure the new certificate. For more information about installing your certificate, see our SSL Certificate Installation Instructions & Tutorials page.


Pending certificate revocations

If certificate revocations are required, replace soon-to-be revoked certificates within 72 hours from when your certificate is reissued.

Reissue FAQ

Question: Do I need to create a new CSR when I reissue my SSL/TLS certificate?

Answer: Yes. Best practices are to generate a new certificate signing request (CSR) when reissuing your SSL/TLS certificate. Generating a new CSR creates a new, unique key pair (public/private) for the reissued certificate. For more information, see Create a CSR.

If you have a Windows server, you can use the free DigiCert Certificate Utility for Windows , which has an easy CSR generator for Windows servers.