How to Renew Your SSL Certificate Without Downtime

Certificate renewal is a routine task that can go wrong at the last moment if you're not prepared. Here's the correct sequence to renew without taking your site offline.

Don't Wait Until It Expires

Start the renewal process at least 30 days before expiry — earlier if your organization requires change approval processes. The window matters less if you're using Let's Encrypt with automated renewal, but for commercial CAs like DigiCert or Sectigo, manual steps can take days.

Step 1: Generate a New CSR (Don't Reuse the Old One)

Generate a fresh private key and Certificate Signing Request (CSR) for the renewal. Never reuse an old private key — if it was ever exposed, you'd carry that risk forward. Include all required Subject Alternative Names in the CSR; if your domain list has changed, now is the time to update it.

Step 2: Submit to the CA and Complete Validation

Submit your CSR to the CA. For DV certificates, validation is typically automated via DNS or HTTP challenge. For OV or EV, expect a manual vetting process. The CA will issue the new certificate once validation passes.

Step 3: Verify Before Installing

Before touching your production server, decode the new certificate using the SSL Certificate Decoder and confirm:

• The correct domains are in the SAN list
• The certificate chain is complete
• The expiry date is correct
• The fingerprint matches what the CA provided

Step 4: Install on the Server

Install the new certificate and chain on your web server. Most servers (Nginx, Apache, HAProxy) can reload configuration without dropping active connections — use nginx -s reload or apachectl graceful rather than a full restart.

Step 5: Verify the Live Site

After installation, use your browser's certificate inspector or run openssl s_client -connect yourdomain.com:443 to confirm the new certificate is being served. Check that the chain is complete and no intermediate is missing.