更新SSL证书是否需要重新颁发证书？

Question

I have an SSL certificate that I am using to secure port 443 (HTTPS) on my nginx server running on Ubuntu for about 10 months now.

When I bought the cert, I got it for one year, so I have about 2 more months with this certificate. My question is: "When I renew this cert, Will I just need to pay for renewal? or will I have to re-issue the cert with a new CSR, and have a potential downtime while installing?

I need to plan for any downtime from now.

Thanks in advance for your answers.

Answer 1

It's not possible to extend the expiration of an existing certificate once issued. The only way is to issue a new certificate.

Most certificate authorities offers a "renewal" concept, which provides some advantages compared to a new purchase. For example, you can renew in advance to the certificate expiration, and they will issue the new certificate from the expiration of the previous one, and not from the day the new one is issued.

The re-issue or re-key is a different thing. It generally means re-keying an existing certificate order with a different private key and/or CSR. It generally doesn't change the expiration of the certificate, hence it's not a renewal. Both renews and rekeys result in a new certificate (again, it's not possible to change an existing certificate once issued), but the rekey only alters the certificate information and not the expiration.

A renewal can be issued with the same original CSR and key, or with a completely new one. It's up to you.

As in all cases a new certificate is issued, you will have to replace the existing one. Replacing a certificate is generally a no-downtime task. You simply upload the new one, change the server settings and reload them (or restart the server).

Most webservers including Nginx supports hot reloads, therefore you don't need to restart the server and wait for it to reboot.

If planned correctly, the renewal will be a no downtime task.

Answer 2

To get the new one you might or might not need to submit a new CSR, depending on the CA. But in any case you get a new certificate file and need to replace the existing certificate on your server with a new one. See also https://www.digicert.com/ssl-certificate-renewal.htm

Answer 3

Renewal of SSL certificate keeps security on your website alive along with your verified identity. The lapse in renewal can cause a warning on your website and warns your customers to move away from your site.

It depends on the SSL provider that you should continue with old CSR or generate new CSR, but it is recommended to create a new one to get rid of misconfiguration. However, it is a myth that your server will face downtime in the renewal of SSL certificate.

Certificate renewal and re-issuance both are different terms. Certificate renewal happens after the expiry of a certificate, while certificate re-issuance in the case of lost of a private key, want to change the domain/organization name or add new SAN names.

Most certificate providers are sending renewal reminder email frequently before certificate expiry. So, It is advisable to renew your certificate earlier, you can take advantage of getting additional validity period from early renewals.

This article may help you to understand the certificate renewal process. https://www.ssl2buy.com/wiki/how-to-renew-ssl-certificate/

Answer 4

Shortly to answer, no renewing SSL Certificate does not require re-issuing the cert, simply because reissue and renewal are 2 different actions with SSL certificate.

As you explained your situation, you are left with 2 months with your existing certificate and after that it will expire, so a Renewal is required. A Reissue (Revoke & Replace) is quite different, in that you cancel your current, valid SSL/TLS Certificate due to any of the reason and request for a new one.

Reissue:

Reissue of Certificates is the process where certificate has to be regenerated with Certificate Authority if needed. For example, if you have lost your Private Key. For that CA views the details of your certificate from list of certificates they have and then reissue the Certificate.

Furthermore, the process is quite same like in similar way activation will take place, like pasting of CSR for same domain name, selecting & approving of email. Reissuing of certificate change its Certificate ID & a new certificate record is also added into the account.

Renewal:

On the other hand renewal of certificate may seems pretty much same as purchasing new certificate, but it's different. Renewal functionality is fully integrated within the module. If the settings of "Payment Type" is set to "Recurring" while creating a product, invoices for renewals will be generated automatically. Once paid, renewal of SSL certificates will be created automatically as well. Though one thing to note is that, after the renewal of SSL still activation is required through CSR.

Now one important thing is that, if you renew it before actual expiry date, like in your situation before 2 months, your new certificate will have expiration date one (or several, if you choose to be more than one year duration) year from the expiration date of the initial SSL certificate, so you will not lose any time on it.