All Products
Search

This Product

    Certificate Management Service:Renew an official SSL certificate

    Document Center

    Certificate Management Service:Renew an official SSL certificate

    Last Updated:Feb 20, 2025

    If the certificate of your website expires, the website becomes inaccessible, and other potential business risks may occur. We recommend that you pay attention to the validity period of your certificate and renew the certificate before it expires. After a certificate is renewed, the new certificate is independent of the original certificate. You must submit an application for the new certificate and install the new certificate after it is issued. This topic describes the limits and process of certificate renewal. This topic also describes the operations that you can perform after you renew a certificate.

    Limits

    • You cannot renew an expired certificate. You must purchase a new certificate. For more information, see Purchase a quota on SSL certificates.

    • You cannot renew an uploaded certificate.

    • You cannot modify the specifications of a new certificate. Renewing a certificate is equivalent to purchasing a new certificate. The specifications of the new certificate are the same as those of the original certificate, including Brand, Certificate Type, Domain Type, and Bound Domains.

    Carryover of the remaining validity period

    Carryover of the remaining validity period for a certificate refers to the operation that carries over the remaining validity period of the original certificate to the new certificate during renewal.

    If you renew an existing certificate, the remaining validity period of the original certificate is automatically carried over to the new certificate. For example, a certificate expires on August 1, 2024. If the certificate is renewed and the new certificate is issued on July 20, 2024, the validity period of the new certificate starts on July 20, 2024 and ends on August 1, 2025.

    If you purchase a new certificate for an existing certificate, the remaining validity period of the original certificate is not automatically carried over to the new certificate. To prevent validity period loss in this case, the CA allows you to manually carry over the remaining validity period to the new certificate, which can be up to 30 days.

    Procedure

    1. Log on to the Certificate Management Service console.

    2. In the left-side navigation pane, choose Certificate Management > SSL Certificate Management.

    3. On the SSL Certificate Management page, click the Official Certificate tab, and select Pending Expiration from the certificate status drop-down list.

    4. In the certificate list, find the certificate that you want to renew, click Renewal purchase in the Actions column, and then follow the instructions to complete the payment.

      The system automatically specifies the same parameter values for the new certificate as those of the certificate you want to renew. After the certificate is renewed, the new certificate is displayed below the original certificate that is about to expire. The new icon is displayed to the left of the new certificate. The icon indicates that the new certificate is associated with the original certificate. The validity period of the original certificate remains unchanged.

      The new certificate is in the Pending Application state. After you submit a certificate application for the new certificate and complete the verification of domain name ownership, the new certificate is issued. For more information, see Apply for a certificate and Step 3: Verify the ownership of a domain name.

      Note

      If Not Activated is displayed in the Status column for a new certificate, the new certificate is hosted. If the validity period of the original certificate is less than 30 days, the system submits an application for the new certificate. To prevent your business from being affected due to application failure, you must cooperate with the CA staff to complete the certificate application. If a certificate in the Not Activated state is canceled, the consumed certificate quota is returned.

    Verification

    After the new certificate is deployed, you can use the following methods to check whether the existing certificate is updated:

    • After you install the new certificate to your web server, you can access your website by using a browser and view the expiration date of your certificate. The following procedure uses Google Chrome as an example.

      1. Enter the domain name that is bound to your certificate in the address bar of your browser. 

        https://yourdomain   # Replace yourdomain with the domain name bound to your certificate.

      2. Click the image icon and click Connection is secure.

        image

      3. Click Certificate is valid. If the expiration date of the new certificate is displayed, your certificate is updated. image

    • You can also run the following command on a Linux server to view the expiration date of your certificate: 

      # In the following command, www.aliyundoc.com is used as an example. Replace www.aliyundoc.com with your domain name. 
echo | openssl s_client -servername www.aliyundoc.com -connect www.aliyundoc.com:443 2>/dev/null | openssl x509 -noout -dates

    References

    • For more information about how to install a certificate on a web application server and deploy a certificate to a cloud service, see Deploy SSL certificates.