Industry standards change: End of 2-year public SSL/TLS certificates
On August 27, 2020, 6:00 PM MDT (August 28 00:00 UTC), DigiCert stopped issuing public DV, OV, and EV SSL/TLS certificates with a maximum validity greater than 397 days.
Now, 2-year public SSL/TLS certificate reissues have a max validity of 397 days. This means some reissued certificates will expire before the order expires. To use the remaining validity included with the original certificate, reissue certificates during the order's final 397-day period.
To learn more, see End of 2-year DV, OV, and EV public SSL/TLS certificates.
All DigiCert certificates come with unlimited free reissues. The list below includes some reasons for reissuing a certificate:
The certificate reissue process allows you to modify an issued certificate. Some modifications allow you to build upon the original certificate, resulting in two or more versions of that certificate. For example, when reissuing a certificate, you can add domains to the original certificate. Adding domains to a certificate doesn’t revoke the original certificate.
Other modifications allow you to create a new version of the certificate and require DigiCert to revoke the original certificate and any certificate reissues and duplicates. For example, removing SANs or changing SANs on a multi-domain certificate creates a new version of the certificate, revoking the original certificate and any previous reissues and duplicate copies.
To reissue your DigiCert SSL/TLS certificate, follow the steps below.
To reissue an SSL/TLS certificate, you’ll need to generate a new CSR. For more information about creating a CSR, see our Create a CSR (Certificate Signing Request) page.
Best practice is to generate a new certificate signing request (CSR) when reissuing your SSL/TLS certificate. Generating a new CSR creates a new, unique key pair (public/private) for the reissued certificate.
Sign in to CertCentral.
Fill out the certificate reissue request form and modify the certificate as needed.
In the sidebar menu, click Certificates > Orders. On the Orders page, click the Order # of the certificate that needs to be reissued. On the certificate's Order # details page, in the Certificate Actions dropdown, click Reissue Certificate.
Depending on the changes you make, the original certificate and previous versions (reissues and duplicates) may need to be revoked. However, if a change requires revocation, we will notify you before you submit the reissue request.
If certificate revocations are required after reissuing your certificate, DigiCert waits 48 – 72 hours before revoking the original certificate and any existing duplicates and reissues.
If you added any new, unvalidated domains to the certificate reissue request (common name or SANs), you need to demonstrate control over those domains before DigiCert can reissue the certificate. See Demonstrate control over domains on a pending certificate order.
Once approved, we reissue and send the reissued certificate to the certificate contact in an email. You can also download the reissued certificate from your account. See Download a certificate from your account.
Install and configure the new certificate. For more information about installing your certificate, see our SSL Certificate Installation Instructions & Tutorials page.
If certificate revocations are required, you have 48 – 72 hours from the time your certificate is reissued to replace any soon-to-be revoked certificates.
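The rules above (the 397-day cap, the order's final 397-day period, and the revocation wait) can be checked before submitting a reissue. The following is an added example, not DigiCert code: `plan_reissue`, `ReissuePlan` and the sample order are hypothetical, and the revocation rule covers only the two cases this page names, so the notice CertCentral shows before you submit remains authoritative.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

MAX_VALIDITY = timedelta(days=397)   # reissue cap stated on this page
REVOKE_DELAY = timedelta(hours=48)   # lower bound of the page's 48-72 hour wait


@dataclass
class ReissuePlan:
    not_after: datetime              # expected expiry of the reissued certificate
    covers_order: bool               # False: reissue again later to use the full order
    final_period_start: datetime     # reissue on or after this to reach order expiry
    added: set
    removed: set
    revokes_previous: bool           # original, reissues and duplicates get revoked
    replace_by: Optional[datetime]   # earliest moment the old certificates may be revoked


def plan_reissue(order_expiry, reissue_at, current_sans, requested_sans):
    """Model the page's rules for one reissue (hypothetical helper)."""
    current = {s.lower() for s in current_sans}
    requested = {s.lower() for s in requested_sans}
    added, removed = requested - current, current - requested
    not_after = min(order_expiry, reissue_at + MAX_VALIDITY)
    # Assumption: only the page's two examples are modelled. Adding domains keeps
    # earlier versions valid; removing or changing a SAN revokes them.
    revokes = bool(removed)
    return ReissuePlan(
        not_after=not_after,
        covers_order=(not_after == order_expiry),
        final_period_start=order_expiry - MAX_VALIDITY,
        added=added,
        removed=removed,
        revokes_previous=revokes,
        replace_by=(reissue_at + REVOKE_DELAY) if revokes else None,
    )


if __name__ == "__main__":
    # Constructed sample order: not real data.
    utc = timezone.utc
    expiry = datetime(2022, 3, 1, tzinfo=utc)
    sans = ["example.com", "www.example.com"]
    early = plan_reissue(expiry, datetime(2020, 10, 1, tzinfo=utc), sans, sans + ["api.example.com"])
    print(early.not_after.date(), early.covers_order, early.revokes_previous)
    late = plan_reissue(expiry, early.final_period_start, sans, ["example.com"])
    print(late.not_after.date(), late.covers_order, late.replace_by)
```

When `replace_by` is set, the new certificate has to be installed everywhere the old versions are deployed before that time.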