Reissue an SSL/TLS certificate

Industry standards are changing: End of 2-year public SSL/TLS certificates

On August 27, 2020, 5:59 PM MDT (23:59 UTC), DigiCert will stop issuing public DV, OV, and EV SSL/TLS certificates with a maximum validity greater than 397 days.

After the August 27 deadline, 2-year public SSL/TLS certificate reissues will have a max validity of 397 days. This means some reissued certificates will expire before the order expires.

To use the remaining validity included with the original certificate, reissue certificates during the order's final 397-day period. You may request reissues with a validity of up to 397 days or until the order expires, whichever is sooner. To learn more, see End of 2-year DV, OV, and EV public SSL/TLS certificates.

All DigiCert certificates come with unlimited free reissues. The list below includes some reasons for reissuing a certificate.

  • Lost the private key and want to re-key the certificate.
  • Need to change the common name on the certificate (for example, you want to remove example.com and add yourdomain.com).
  • Need to add, remove, or change some of the SANs listed in the certificate.

The certificate reissue process allows you to modify an issued certificate. Some modifications allow you to build upon the original certificate, resulting in two or more versions of that certificate. For example, when reissuing a certificate, you can add domains to the original certificate. Adding domains to a certificate doesn’t revoke the original certificate.

Other modifications allow you to create a new version of the certificate and require DigiCert to revoke the original certificate and any certificate reissues and duplicates. For example, removing SANs or changing SANs on a multi-domain certificate creates a new version of the certificate and revokes the original certificate and any previous reissues and duplicate copies.

Reissue certificate

To reissue your DigiCert SSL/TLS certificate, follow the steps below.

Step 1: Generate CSR

To reissue an SSL/TLS certificate, you’ll need to generate a new CSR. For more information about creating a CSR, see our Create a CSR (Certificate Signing Request) page.

Best practices are to generate a new certificate signing request (CSR) when reissuing your SSL/TLS certificate. Generating a new CSR creates a new, unique keypair (public/private) for the reissued certificate.
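The following is an added example, not DigiCert's own tooling: it generates a new key pair and CSR with the OpenSSL command line, confirms that the CSR carries a different key than the certificate being replaced, and lists any SANs the new request drops, since removing SANs is one of the changes described above that leads to revocation of earlier versions. It assumes OpenSSL 1.1.1 or later (for `-addext`); the domains and file names are constructed, and a self-signed certificate stands in for the issued one.

```shell
#!/bin/sh
# Added example: checks to run on a new CSR before submitting a reissue request.
umask 077   # keep generated private keys unreadable to other users

# Create a new 2048-bit RSA key and a CSR for it.
# usage: new_csr <key_out> <csr_out> <common_name> <san> [<san> ...]
new_csr() {
    key=$1; csr=$2; cn=$3; shift 3
    sans=""
    for d in "$@"; do sans="${sans:+$sans,}DNS:$d"; done
    openssl req -new -newkey rsa:2048 -nodes -keyout "$key" -out "$csr" \
        -subj "/CN=$cn" -addext "subjectAltName=$sans" 2>/dev/null
}

# DNS SANs of a certificate (kind "x509") or CSR (kind "req"), one per line.
sans_of() {
    openssl "$1" -in "$2" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://' | sort -u
}

# SANs that the current certificate has and the new CSR drops.
removed_sans() {
    new=$(sans_of req "$2")
    sans_of x509 "$1" | while read -r d; do
        printf '%s\n' "$new" | grep -qxF "$d" || printf '%s\n' "$d"
    done
}

# SHA-256 over the DER-encoded public key of a certificate or CSR.
spki_hash() {
    openssl "$1" -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# True when the CSR's key differs from the key in the current certificate.
is_rekeyed() { [ "$(spki_hash x509 "$1")" != "$(spki_hash req "$2")" ]; }

# Constructed demo: a self-signed stand-in for the certificate being replaced.
demo() (
    dir=$(mktemp -d) && cd "$dir" || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout old.key -out old.crt \
        -subj "/CN=example.com" \
        -addext "subjectAltName=DNS:example.com,DNS:www.example.com" 2>/dev/null
    new_csr new.key new.csr example.com example.com api.example.com
    is_rekeyed old.crt new.csr && echo "new key pair: yes"
    echo "SANs dropped by the new CSR:"
    removed_sans old.crt new.csr
    cd / && rm -rf "$dir"
)
demo
```

An empty list from `removed_sans` means the request only adds names or keeps them unchanged; CertCentral still makes the final determination and notifies you before you submit.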

Step 2: Sign in to your account

Sign in to CertCentral.

Step 3: Fill out the reissue form

Fill out the certificate reissue request form and modify the certificate as needed.

In the sidebar menu, click Certificates > Orders. On the Orders page, click the Order # of the certificate that needs to be reissued. On the certificate's Order # details page, in the Certificate Actions dropdown, click Reissue Certificate.

Depending on the changes you make, the original certificate and previous versions (reissues and duplicates) may need to be revoked. If a change requires revocation, we will notify you before you submit the reissue request.

If certificate revocations are required, after reissuing your certificate, DigiCert waits 48 – 72 hours before revoking the original certificate and any existing duplicates and reissues.

(Source: CertCentral reissue SSL certificate)

Step 4: Complete domain control validation (DCV)

If you added any new, unvalidated domains to the certificate reissue request (common name or SANs), you’ll need to demonstrate control over those domains before DigiCert can reissue the certificate. See Demonstrate control over domains on a pending certificate order.

Step 5: DigiCert reissues the SSL/TLS certificate

Once approved, we reissue and send the reissued certificate to the certificate contact in an email. You can also download the reissued certificate from your account. See Download a certificate from your account.

Step 6: Install your reissued SSL/TLS certificate

Install and configure the new certificate. For more information about installing your certificate, see our SSL Certificate Installation Instructions & Tutorials page.

If certificate revocations are required, you have 48 – 72 hours from the time your certificate is reissued to replace any soon-to-be revoked certificates.

Reissue FAQ

Q: Do I need to create a new CSR when I reissue my SSL/TLS certificate?

Answer: Best practices are to generate a new CSR.

Best practices are to generate a new certificate signing request (CSR) when reissuing your SSL/TLS certificate. Generating a new CSR creates a new, unique keypair (public/private) for the reissued certificate.

For more information, see Create a CSR. If you have a Windows server, you can use the free DigiCert Certificate Utility for Windows, which has an easy CSR generator for Windows servers.