Enabling HTTPS on your website is easy and straightforward and offers greater security to your website visitors and users. This is only possible if you obtain an SSL/TLS security certificate.
However, certificates expire periodically and need to be renewed to guarantee the connection between client and server and the safety of your users’ data.
Here’s what you need to know about the TLS certificate renewal process!
What is an SSL/TLS certificate?
SSL and TLS certificates are digital server certificates issued by a Certificate Authority (CA). They guarantee that the certificate’s owner is who they claim to be, allowing users to trust a website: they enable clients to establish and verify the identity of a server or domain.
When issued by a CA, they are called trusted certificates. They enable websites to use the hypertext transfer protocol secure (HTTPS) via the Transport Layer Security (TLS) protocol and exchange information with users using a secure and encrypted connection.
A CA is an independent third-party organization entrusted with the right to issue such certificates after conducting several checks that vet and validate the party applying for one. After doing so, they issue the certificate backed by the CA’s so-called root certificate – the source of its authority.
When issued by the CA, an SSL/TLS certificate includes the following information:
- The domain name of the certificate holder
- The certificate authority that has issued the certificate
- The certificate authority’s digital signature that backs the certificate up
- The validity period of the certificate
- The certificate’s public key, used to set up encrypted communication with the server
- The SSL/TLS version of the certificate
Websites with valid certificates have a padlock icon, a green address bar, and an HTTPS prefix. This means they only use a secure connection.
There are many benefits to having a TLS certificate and using HTTPS. Using a trusted certificate means that users’ private data is protected by encryption and increases trust and user confidence that the domain is safe. A certificate can also be part of regulatory requirements for certain businesses, such as those dealing with highly sensitive personal and financial data. Finally, a certificate is also suitable for SEO purposes, as SSL/TLS protection is considered a factor in search rankings by significant search engines.
While it is acceptable to say SSL/TLS certificates, this is actually misleading. SSL has been deprecated for a while, and at this point, it is only recommended to use TLS certificates, particularly TLS versions 1.2 and 1.3. However, many legacy systems out there still use SSL protocols and older TLS protocols, regardless of the official recommendations.
Want to find out more about how the TLS protocol works? See our guide on TLS security settings and how to enable TLS encryption. You can also look at our guide on how HTTPS and TLS protocols work together to better understand these protocols’ functions.
Why you need to renew your SSL/TLS certificate
Your SSL/TLS certificate can be valid for a maximum of 13 months or, to be exact, 397 days. The validity of certificates has been reduced over time with the intention of making websites and the whole public key infrastructure (PKI) more secure.
The limited validity of a certificate decreases the chances of someone stealing or misusing it for their purposes. For example, if a domain expires, but its certificate remains valid, someone might take it and use it for a website that has not been vetted and approved by a CA. This opens the door for attackers to create scam websites and other exploits to steal sensitive user information.
When a website’s certificate expires, visitors’ browsers will issue a warning that the website is not secured and could present a security risk. And in certain cases, browsers may outright block people from visiting sites that are considered a security risk due to expired or compromised certificates.
Therefore, a website’s certificate needs to be renewed periodically for the site to remain secure.
How to check the validity of your TLS certificates
The simplest way to check the expiry date of your TLS certificate is to navigate to your website, click on the padlock icon, and check the security status of the website and its certificate’s validity.
However, since this is your certificate, you can also check the certificate store in the server environment, which will specify the validity of all installed certificates. If you are using a certificate manager tool, you can also use this to check the validity of your certificate.
You do not need to wait for the last day to renew your certificate. It is also possible to renew it before its expiry date. See the section below for more information about that.
Renewing TLS certificates
Certificates can be renewed up to 90 days prior to their expiration. If you renew your certificate 30 days before its expiration, the remaining days will carry over onto your new certificate.
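As an added example that is not part of the original article, the following Python script (assumed file name check_cert.py) reads the validity dates of a certificate file through the openssl command line and applies the rules above: the 397-day maximum lifetime, the 90-day renewal window, and the expiry case. The classification works on dates alone, so the same function can be fed from a certificate manager instead of openssl.

```python
"""Renewal check for a TLS certificate (added example, not from the article).
Reads the notBefore/notAfter lines printed by the openssl CLI and applies the
article's numbers: at most 397 days of validity, renewable 90 days ahead."""
from __future__ import annotations

import subprocess
import sys
from datetime import datetime, timezone

MAX_VALIDITY_DAYS = 397  # longest lifetime allowed (about 13 months)
RENEW_WINDOW_DAYS = 90   # renewal may begin this many days before expiry
OPENSSL_DATE = "%b %d %H:%M:%S %Y %Z"  # e.g. "Jun  5 12:00:00 2025 GMT"


def parse_openssl_date(line: str) -> datetime:
    """Parse 'notAfter=Jun  5 12:00:00 2025 GMT' (or the bare date) to UTC."""
    value = " ".join(line.split("=", 1)[-1].split())  # drop key, squeeze padding
    return datetime.strptime(value, OPENSSL_DATE).replace(tzinfo=timezone.utc)


def renewal_status(not_before: datetime, not_after: datetime, now: datetime) -> str:
    """Return 'expired', 'invalid-lifetime', 'renew-now' or 'ok'."""
    lifetime = (not_after - not_before).days
    remaining = (not_after - now).days
    if remaining < 0:
        return "expired"            # browsers will warn about or block the site
    if lifetime > MAX_VALIDITY_DAYS:
        return "invalid-lifetime"   # issued for longer than the 397-day maximum
    if remaining <= RENEW_WINDOW_DAYS:
        return "renew-now"          # inside the 90-day renewal window
    return "ok"


def read_validity(cert_path: str) -> tuple[datetime, datetime]:
    """Read notBefore/notAfter from a PEM file using the openssl CLI."""
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-startdate", "-enddate", "-in", cert_path],
        check=True, capture_output=True, text=True,
    ).stdout
    dates = dict(ln.split("=", 1) for ln in out.splitlines() if "=" in ln)
    return parse_openssl_date(dates["notBefore"]), parse_openssl_date(dates["notAfter"])


if __name__ == "__main__":
    # Usage: python check_cert.py ssl/new.pem   (the default path is an assumption)
    nb, na = read_validity(sys.argv[1] if len(sys.argv) > 1 else "ssl/new.pem")
    now = datetime.now(timezone.utc)
    print(f"expires {na:%Y-%m-%d}, {(na - now).days} days left: {renewal_status(nb, na, now)}")
```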
Typically, renewing your certificate goes through the following four main steps. However, depending on your system and web hosting control panel backend or domain name server service, there may be some minor differences.
- First, generate a certificate signing request (CSR) on your web host. This validates the server’s identity and produces the CSR code you will need to activate the certificate, for example in cPanel.
- Second, provide the generated CSR code to your CA to activate the certificate.
- Third, validate your domain ownership once again via a validation email, HTTP validation, or DNS validation.
- Finally, install the new certificate file.
These are the general steps that you will usually need to go through to renew your certificate. However, depending on your certificates, your backend service, and your CA, there may be differences in the renewal process. Moreover, it may be possible for you to enable automatic renewal through your certificate management service. To renew your certificate with OpenSSL or Let’s Encrypt, follow one of the guides below:
To generate a certificate signing request for your certificate, run:
openssl req -new -key ssl/certificate.key -out ssl/certificate_signing_request.csr
This assumes that the private key of the certificate you are renewing is stored in ssl/certificate.key. Then submit certificate_signing_request.csr to your certificate authority. They will use this request to sign your certificate and provide you with the signed certificate. If the signed certificate is returned to you as new.crt, you can combine the key and the signed certificate as follows:
cp ssl/certificate.key ssl/new.pem
cat ssl/new.crt >> ssl/new.pem
The resulting new.pem file can be copied to your web server directory to be used by the web application.
If you are using Let’s Encrypt as your certificate authority, run the certbot renew command:
certbot renew
To enable automatic renewal, add the renew command to your crontab by running sudo crontab -e:
# m h dom mon dow command
0 0 * * 0 certbot renew
This will run the renew command once a week at midnight (day-of-week 0 is Sunday), attempting to renew all your certificates.
Why do I need to install a new certificate when renewing my current certificate?
Strictly speaking, you are not renewing your original certificate. You are obtaining an entirely new certificate. CAs hard-code a certificate’s expiration date into it, meaning that once it expires, it is invalid. So while it is called renewal, it is an entirely new certificate.
Do I also need to renew my CSR when renewing my certificate?
Typically, a new certificate signing request (CSR) must be generated to obtain a new certificate. The new CSR creates a new public and private key pair for the new certificate. This is why more frequent certificate renewals increase security: they reduce the time during which a specific pair of keys is in use and can be compromised.
How long does it take to renew a TLS certificate?
The renewal duration is the same as when you initially applied for your certificate. This depends on the certificate you are renewing and the validation process it must undergo. The more complex and lengthy the validation process is, the longer it takes to issue a new certificate. Domain-validated (DV) certificates are usually issued immediately, organization-validated (OV) ones take up to three days, and extended-validated (EV) can take up to five days.
What happens if a TLS certificate expires?
Suppose you fail to renew your certificate on time. In that case, web browsers will display a “Not secure” message to visitors of your website, as well as other warnings about the security risks associated with using a website without a valid certificate.