What you need to know about reissuing an SSL Certificate
Over the course of your SSL certificate's lifespan, it may be necessary for you to reissue it at some point. This can happen for a number of reasons:
- Your private key has been compromised
- You are adding/removing SAN's
- Industry updates
- Changing hashing algorithms
- Moving servers
The good news is that, outside of time, it probably won't cost you anything—most SSL certificates come with unlimited free reissuances for their entire lifespan.
What do you need before you start?
Before you re-issue your SSL Certificate, make sure that you have the appropriate CSR. For that, you may use either one of the following:
- Original CSR – this is the old CSR you used to issue the certificate previously (note: only do this if you still have access to the Private Key that was generated with that CSR).
- New CSR – create a new CSR using either an online tool or directly from your webserver (recommended – you can find instructions on how to generate a new CSR on your server here).
Note: If you generate a new CSR, make sure you save your Private key in a safe place. You will need it to install the re-validated certificate later.
Steps to Reissue
1. Log in to your account on CheapSSLSecurity.com
Click the “Log In” button on the top right and enter your e-mail address and password.
2. Go to “My Orders”
On the top-left of the Dashboard, select “My Orders”
3. Select the order that you want to reissue
Locate the order for the certificate you would like to reissue, and click the hyperlinked order number
4. Select “Re-Issue Certificate”
Scroll to the bottom of your order page and select “Re-Issue Certificate”
5. Paste in your CSR
Copy and paste your CSR into the area indicated below
6. Select Server Type, Signature Algorithm, and DCV
Server Type - If you don’t know the kind of server the certificate will be installed on, just select “Other.”
Signature Algorithm - The Signature Algorithm dictates whether your certificate chain will be fully SHA2 (FULL SHA-2) or SHA-2 with a SHA-1 root (SHA-2). Since most devices have adopted SHA-2 encryption, either selection should work for you.
Automated Authentication Option – (Note: not applicable for EV SSL Certificates)
E-mail Authentication - Selecting this option indicates that you will prove domain ownership via e-mail. A confirmation e-mail will be sent to the following email addresses:
- The email address listed on the whois for the domain in question
- admin@<domain.com>
- administrator@<domain.com>
- hostmaster@<domain.com>
- postmaster@<domain.com>
- webmaster@<domain.com>
File Based Authentication – Selecting this option indicates that you will upload a .txt file based on the hash values of your CSR to the root folder of your website. The file will be provided to you once you submit the reissue and you will need to upload it to the following path:
- https://><domain.com>/.well-known/pki-validation/<MD5hash>.txt
7. Review your details and submit
8. Re-validate
When you request a certificate be re-issued, the issuing certificate authority must go through the validation process again. The good news is that they were already able to complete this process for your order previously, so re-validation typically goes very quickly and smoothly. However, if you are reissuing a type of certificate that requires a final verification call (OV or EV), the CA will need to perform that call again. So keep an eye ear out, if you don’t receive the call within 24 hours, contact support.
After you complete the validation process and have received the reissued SSL Certificate, you can proceed to installing the new certificate. You can find instructions on installing SSL on different servers on our Installation page.