Skip to main content

Renew a TLS/SSL certificate

TLS/SSL certificate renewal made easy

Notice

Industry standards change: End of 397-day maximum validity public TLS/SSL certificates

On February 24, 2026, DigiCert stopped  issuing 397-day public DV, OV, and EV TLS/SSL and Qualified Website Authentication Certificates (QWAC) and QWAC PSD2 certificates. The new maximum TLS certificate validity is 199 days.

You can still renew a certificate order as early as 90 days to one day before it expires. To learn more, see End of 397-day public TLS/SSL certificates.

Need to renew your DigiCert TLS/SSL certificate? Follow the steps in this instruction to renew your certificate. See Renewal FAQ for more information.

STEP 1: Generate CSR

To renew a TLS/SSL certificate, you need to generate a new CSR. For more information about creating a CSR, see our Create a CSR (Certificate Signing Request). Or, use our easy CSR generator in the free DigiCert Certificate Utility for Windows.

Best practice is to generate a new CSR when renewing your TLS/SSL certificate. This creates a new, unique keypair (public/private) for the renewed certificate.

STEP 2: Sign in to your CertCentral account

STEP 3: Fill out the renewal form

After you submit the renewal order, DigiCert will perform a quick cross-check. If your organization’s information was changed in the CSR, you may need to provide new documentation to verify the changes.

  1. In CertCentral, in the left main menu, go to Certificates > Expiring certificates.

  2. On the Expiring certificates page, next to the certificate that needs to be renewed, select Renew now.

Notice

A certificate doesn't appear on the Expiring Certificates page until 90 days before it expires.

STEP 4: DigiCert issues the TLS/SSL certificate

When we finish process the renewal request, we issue and send the renewed certificate to the certificate contact via email. You can also download the renewed certificate in your CertCentral account.

Step 5: Install your renewed TLS/SSL certificate

On the server, install and configure the new certificate. For more information about installing your certificate, see our SSL Certificate Installation Instructions & Tutorials.

Specific server instructions

The renewal process for some servers is slightly different than outlined in these instructions. Use these links to find instructions for a specific operating system or server.

We also recommend that you use the free DigiCert SSL Utility for Windows with an easy CSR generator.

Renewal FAQ

Q: Why do I need to install a new certificate if I'm just renewing my existing certificate?

A: Technically, when you renew a certificate, you’re buying a new certificate for the domain and company.

Industry standards require Certificate Authorities to hard-code the expiration date into certificates. When a certificate expires, it’s no longer valid and there’s no way to extend its life. When renewing your certificate, DigiCert must issue a new one to replace the expiring one, and you must install the new certificate on your server.

To make renewing a certificate easier, DigiCert automatically includes the information from the expiring certificate in our renewal wizard. However, because you're ordering a new certificate, you can update any of the information during the order process, if needed.

Note

If you change any of your organization’s information, you may need to provide new validation documentation to verify the changes. Change the organization information in the CSR.

Q: Do I need to create a new CSR when I renew my TLS/SSL certificate?

A: Yes. Best practices are to generate a new certificate signing request (CSR) when renewing your TLS/SSL certificate. Generating a new CSR creates a unique keypair (public/private) for the renewed certificate. See Create a CSR.

If you have a Windows server, you can use the free DigiCert Certificate Utility for Windows with an easy CSR generator.

In this section: