How To Renew Expired SSL Certificates?

What is an SSL Certificate?

SSL stands for Secure Sockets Layer; it is the standard technology for keeping an internet connection secure and safeguarding sensitive data between two systems. The two systems can be servers to clients (for example, a shopping website and browser) or server to server (for example, an application with personally identifiable information or payroll information).

An SSL certificate is a certificate signed by a trusted CA. The CA uses their private key to sign the certificate, including who the certificate is issued to, the validation period, and the public key. Since the public key is attached to the certificate, it proves the legitimacy of the public key so that it can be used for further secure communication between the web server and the client.

When SSL version 3.0 was updated, instead of being called SSLv4.0, it was renamed TLSv1.0.

How to check if an SSL certificate is valid

An SSL certificate’s validity period is generally set to expire anywhere between one to three years. The validity period of the certificate entirely depends on criteria like the company policy and cost considerations.

There are multiple tools available to check the SSL certificate’s validity; in this article, we will see how you can check the certificate validity by yourself.

  • Option 1: This process is time-consuming.
    Run > certlm.msc > open Certificates Local Computer
    Go through the list of the certificates listed in the store to make sure only the legitimate ones are installed.
  • Option 2: Download the Windows sysinternals utility.
    Use the Windows Sysinternals utility called sigcheck > Download
    Once it is downloaded and installed > run the command sigcheck -tv
    Sigcheck downloads the trusted Microsoft root certificate list and provided outputs for only valid certificates.

Why does an SSL Certificate expire?

There has been a long debate and discussion going on regarding the question: Why do SSL certificates expire?  

There are various answers to this, however, the most essential and expected response is “Security.” A shorter life certificate helps mitigate compromises of keys, as new keys are generated every time you renew the certificate. It also ensures that all certificates are using the latest security standards. 

Some certificates last for a year or two, whereas others have expiry dates as low as 90 days. For many, these expiration dates can be a hassle. However, there are two reasons why limited-length certificates are necessary:

  1. Renewing your certificate validates your website’s identity.
  2. It makes sure the encryption you use is up to date, which keeps user’s data secure during transit.

Google has long argued the standard for SSL certificate expiration should be as short as one year. At one point, it was common for SSL certificates to last up to five years. It was a convenient approach, but not optimal from a security standpoint.

What happens when an SSL certificate Expires?

Now that you know why SSL certificates expire, you should also understand what happens when the SSL certificate expires. When you are using an expired SSL certificate, you risk your encryption and mutual authentication. The users and website both become vulnerable; it is easy for the hacker to misuse your website. 

For example, a user visits your website with an expired SSL certificate, and a warning sign will be displayed. Generally, there is an exclamation mark or a lock logo in google chrome with a message saying, “your connection is not private.” 

How to renew your SSL certificate?

The process of renewing an SSL certificate depends on what web host or Certificate Authority (CA) you are using. However, the big picture remains the same: you will generate a certificate signing request (CSR), activate the certificate, and install it. Let us talk about each step below:

Step 1: Generating a New CSR (Certificate signing request): 

This is the first step to renew a certificate. Generate a CSR from your web host, which validates the server’s identity. If you are using cPanel, you can navigate to the Security tab and look for SSL/TLS option > go to Certificate signing request (CSR) > generate a new CSR; below are the detailed steps: 

  • Log into your cPanel admin.
  • From the cPanel home page, go to the Security section, and then click SSL/TLS
    Under Certificate Signing Requests (CSR), click Generate, view, or delete SSL certificate signing requests.
  • Complete the fields in the Generate a New Certificate Signing Request (CSR) section.
  • At the bottom of the form, click the Generate button.
    On the new page, your CSR will display in the Encoded Certificate Signing Request section.
  • You will need to make a copy of the CSR to request an SSL certificate.

Step 2: Choose the right SSL certificate for your website:
In this step, you will select a certificate you think is suitable for your site. As we know, various certificates carry different validation levels.

Step 3: Validate your SSL certificate:
In this step, you need to confirm the ownership rights of your domain. There are three methods for domain control validation (DCV).

  • Email validation. With this method, you will renew your SSL certificate using an email associated with the domain in question.
  • HTTP validation. This validation process involves uploading a file to the server you want to install the certificate on.
  • DNS validation. Using CNAME records, you can validate your SSL certificate.

The most straightforward approach is email validation. You associate your email address with your domain and provide the same email address in the approver email field to complete the DCV. Once this is done, you will get a validation email within a few minutes.

Step 4: Install your new SSL certificate:
For this step, you can refer to your installation guide or contact the hosting provider for support. However, below is an example of how to install an SSL certificate:

  • Launch cPanel admin.
  • In the Security section, click SSL/TLS.
  • Under Certificates (CRT), click Generate, view, upload, or delete SSL certificates.
  • Use the Upload Certificate section to upload the primary certificate (.crt file with randomized name) from your local machine and click Upload Certificate.
  • On the new page, click Go Back.
  • Scroll down to the bottom of the SSL Certificates page and click Return to SSL Manager.
  • Under Install and Manage SSL for your site (HTTPS), click Manage SSL Sites.
  • Scroll down to the Install an SSL Website and click Browse Certificates.
  • Select the certificate that you want to activate and click Use Certificate. This will auto-fill the fields for the certificate.
  • Scroll down to the bottom of the page and click Install Certificate.
  • On the Successfully Installed pop up, click OK.

To learn more about SSL/TLS certificates, check out:

  1. https://www.encryptionconsulting.com/education-center/ssl-tls-certificates/#validity-check
  2. https://www.encryptionconsulting.com/why-to-fix-expired-ssl-certificates/

How do you keep track of your SSL certificate expiration date?

You will always want to avoid a morning when you wake up and see the SSL security warning on your website.

  • The quickest way to inspect your SSL certificate is directly from your browser by following the below steps:
    Go to your browser> Click the padlock next to the URL > Go to Certificate > Click on the general tab > check the certificate’s validity or the expiration date.
  • Another way to track the SSL certificate expiration date is to log into your SSL account and check the “next due date.” 

Conclusion

Maintaining a positive reputation for your brand and business is very important. Installing an SSL certificate and using HTTPS is a great start for securing your website. SSL certificates not only protect your information but also establish a positive mutual relationship with your customer.