Reissue an SSL/TLS certificate
Important
Industry standards change: End of 2-year public SSL/TLS certificates
On August 27, 2020, 6:00 PM MDT (August 28 00:00 UTC), DigiCert stopped issuing public DV, OV, and EV SSL/TLS certificates with a maximum validity greater than 397 days.
Now, 2-year public SSL/TLS certificate reissues have a max validity of 397 days. This means some reissued certificates will expire before the order expires. To use the remaining validity included with the original certificate, reissue certificates during the order's final 397-day period.
To learn more, see End of 2-year DV, OV, and EV public SSL/TLS certificates.
All DigiCert certificates come with unlimited free reissues. The list below includes some reasons for reissuing a certificate:
You lost the private key and want to re-key the certificate.
You need to change the common name on the certificate (for example, you want to remove example.com and add yourdomain.com).
You need to add, remove, or change some of the SANs listed in the certificate.
The certificate reissue process allows you to modify an issued certificate. Some modifications allow you to build upon the original certificate, resulting in two or more versions of that certificate. For example, when reissuing a certificate, you can add domains to the original certificate. Adding domains to a certificate doesn’t revoke the original certificate.
Other modifications allow you to create a new version of the certificate and require DigiCert to revoke the original certificate and any certificate reissues and duplicates. For example, removing SANs or changing SANs on a multi-domain certificate creates a new version of the certificate, revoking the original certificate and any previous reissues and duplicate copies.
Reissue certificate
To reissue your DigiCert SSL/TLS certificate, follow the steps below.
Step 1: Generate CSR
To reissue an SSL/TLS certificate, you’ll need to generate a new CSR. For more information about creating a CSR, see our Create a CSR (Certificate Signing Request) page.
Important
Best practices are to generate a new certificate signing request (CSR) when reissuing your SSL/TLS certificate. Generating a new CSR creates a new, unique keypair (public/private) for the reissued certificate.
Step 2: Sign in to your account
Sign in to CertCentral.
Step 3: Fill out the reissue form
Fill out the certificate reissue request form and modify the certificate as needed.
In the sidebar menu, click Certificates > Orders. On the Orders page, click the Order # of the certificate that needs to be reissued. On the certificate's Order # details page, in the Certificate Actions dropdown, click Reissue Certificate.
Depending on the changes you make, the original certificate and previous versions (reissues and duplicates) may need to be revoked. However, if a change requires revocation, we will notify you before you submit the reissue request.
Important
If certificate revocations are required after reissuing your certificate, DigiCert waits 48 – 72 hours before revoking the original certificate and any existing duplicates and reissues.
CertCentral reissue SSL certificate
Step 4: Complete domain control validation (DCV)
If you added any new, unvalidated domains to the certificate reissue request (common name or SANs), you need to demonstrate control over those domains before DigiCert can reissue the certificate. See Demonstrate control over domains on a pending certificate order.
Step 5: DigiCert reissues the SSL/TLS certificate
Once approved, we reissue and send the reissued certificate to the certificate contact in an email. You can also download the reissued certificate from your account. See Download a TLS/SSL certificate from your CertCentral account.
Step 6: Install your reissued SSL/TLS certificate
Install and configure the new certificate. For more information about installing your certificate, see our SSL Certificate Installation Instructions & Tutorials page.
Warning
If certificate revocations are required, you have 48 – 72 hours from the time your certificate is reissued to replace any soon-to-be revoked certificates.
Reissue FAQ
Question: Do I need to create a new CSR when I reissue my SSL/TLS certificate?
Answer: Yes. Best practices are to generate a new CSR. Best practices are to generate a new certificate signing request (CSR) when reissuing your SSL/TLS certificate. Generating a new CSR creates a new, unique key pair (public/private) for the reissued certificate.
For more information, see Create a CSR. If you have a Windows server, you can use the free DigiCert Certificate Utility for Windows which has an easy CSR generator for Windows servers.