How to renew an SSL certificate.
Four working methods — Certbot, OpenSSL CSR, cert-manager, and full ACME automation — with tested commands for each.
Quick answer
An SSL certificate is renewed by generating a new key pair, requesting a fresh certificate from a Certificate Authority before the existing one expires, and installing the new chain on every host that serves the original. The four common paths are Let’s Encrypt via Certbot, a commercial CA via OpenSSL CSR, ACME automation with cert-manager on Kubernetes, and platform-managed renewal across every CA at once.
Renew with Certbot.
Certbot is the reference Let’s Encrypt client. If Certbot issued the certificate, Certbot can renew it. On the host that owns the cert, run:
# Dry run first — verify the renewal will work without touching production.
sudo certbot renew --dry-run
# Real renewal. Certbot only renews certs within 30 days of expiry by default.
sudo certbot renew
# Reload your web server so the new chain is served.
sudo systemctl reload nginx   # or: apache2 / haproxy / traefik
Certbot installs a systemd timer (or cron job) on most distros, so renewal is already automatic. The two common failure modes are: the renewal hook didn't reload the web server (the cert is renewed on disk but the old one is still in memory), and the original challenge method stopped working (HTTP-01 broken by a firewall change, DNS-01 broken by expired API credentials). Run the dry run weekly if uptime is critical.
Renew with OpenSSL + a fresh CSR.
DigiCert, Sectigo, GlobalSign, Entrust, and most other commercial CAs renew via the same CSR-and-portal flow. Generate a new private key and CSR, submit the CSR to the CA, complete domain validation, then install the issued chain on every server.
# Generate a new 2048-bit RSA key + a CSR for your domain.
openssl req -new -newkey rsa:2048 -nodes \
    -keyout your.domain.key \
    -out your.domain.csr \
    -subj "/C=US/ST=California/L=San Francisco/O=Your Company/CN=your.domain.com"
# Verify the CSR before uploading.
openssl req -in your.domain.csr -noout -text | head -20
# Upload your.domain.csr to the CA portal, complete validation,
# then download your.domain.crt plus the intermediate chain.
# Assemble the full chain (leaf first, intermediates next).
cat your.domain.crt intermediate.crt > your.domain.fullchain.pem
# Install on every server that terminates TLS for this hostname.
Use ECDSA P-256 (-newkey ec -pkeyopt ec_paramgen_curve:P-256) for new certs unless legacy clients require RSA. Never reuse the old private key on renewal — generate a fresh key each time. The most common failure mode is forgetting to serve the intermediate chain alongside the leaf, which renders the certificate untrusted on mobile browsers even when desktop browsers look fine.
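A pre-install check for the assembled bundle, added here as an example rather than taken from the guide: it catches the two chain mistakes this section warns about (a missing intermediate, and leaf and intermediate in the wrong order), verifies the chain against a root store you pass in, and flags a leaf that already sits inside the 30-day renewal window Certbot uses. It assumes `openssl` is on the path; the root-store path in the trailing comment is only an illustration.

```shell
#!/bin/sh
# check_fullchain.sh: a pre-install check for an assembled fullchain PEM
# (leaf first, intermediates next). It catches the mistakes that make a
# renewed certificate untrusted or overdue:
#   1. the bundle holds a single certificate (the intermediate chain was forgotten),
#   2. the first certificate is not issued by the second (order is wrong),
#   3. the chain does not verify up to the trusted roots you supply,
#   4. the leaf already falls inside the default 30-day renewal window.
# Usage: check_fullchain fullchain.pem roots.pem   (exit 0 ok, 1 fail, 2 renew now)

# split_bundle DIR BUNDLE: write each certificate in BUNDLE to DIR/cert-N.pem, N from 0.
split_bundle() {
    awk -v dir="$1" '
        /-----BEGIN CERTIFICATE-----/ { out = sprintf("%s/cert-%d.pem", dir, n++) }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$2"
}

check_fullchain() {
    bundle=$1; roots=$2; rc=0
    dir=$(mktemp -d) || return 1
    split_bundle "$dir" "$bundle"
    if [ ! -f "$dir/cert-1.pem" ]; then
        echo "FAIL: $bundle holds a single certificate; the intermediate chain is missing"; rc=1
    elif [ "$(openssl x509 -in "$dir/cert-0.pem" -noout -issuer | sed 's/^issuer=//')" != \
           "$(openssl x509 -in "$dir/cert-1.pem" -noout -subject | sed 's/^subject=//')" ]; then
        echo "FAIL: the first certificate is not issued by the second; order must be leaf, then intermediates"; rc=1
    else
        # Only $roots is trusted; everything after the leaf is offered as untrusted intermediates,
        # which is how a TLS client treats the bundle a server sends it.
        cat "$dir"/cert-[1-9]*.pem > "$dir/intermediates.pem"
        if ! openssl verify -CAfile "$roots" -untrusted "$dir/intermediates.pem" \
                "$dir/cert-0.pem" >/dev/null 2>&1; then
            echo "FAIL: chain does not verify against $roots"; rc=1
        elif ! openssl x509 -in "$dir/cert-0.pem" -noout -checkend $((30 * 86400)) >/dev/null; then
            # -checkend exits non-zero when the certificate expires within the given seconds
            echo "WARN: leaf expires within 30 days; renew now"; rc=2
        else
            echo "OK: chain verifies against $roots and the leaf is valid for more than 30 days"
        fi
    fi
    rm -rf "$dir"
    return $rc
}

# Run directly, e.g.: sh check_fullchain.sh your.domain.fullchain.pem /etc/ssl/certs/ca-certificates.crt
if [ $# -eq 2 ]; then check_fullchain "$1" "$2"; fi
```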
Automate renewal with cert-manager.
On Kubernetes, cert-manager removes manual renewal entirely. Define a ClusterIssuer for your CA (Let’s Encrypt, AWS PCA, internal CA, etc.), declare each certificate as a Certificate resource, and cert-manager handles every rotation. Ingress controllers reload the renewed Secret without a restart.
# 1. Install cert-manager (once per cluster).
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/latest/download/cert-manager.yaml
# 2. Define a ClusterIssuer for Let's Encrypt with HTTP-01 challenges.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ops@your.company
    privateKeySecretRef:
      name: letsencrypt-prod-account-key
    solvers:
    - http01:
        ingress:
          class: nginx
# 3. Declare a Certificate. cert-manager creates and rotates it automatically.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: api-your-domain
  namespace: production
spec:
  secretName: api-your-domain-tls
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
  - api.your.domain.com
cert-manager renews 30 days before expiry by default. Watch for drift between the desired state in the Certificate resource and the actual Secret on the cluster — if a Secret is edited out-of-band, cert-manager will keep reissuing on every reconcile loop until you align them.
Or: automate it across every CA, every cloud.
Certbot handles Let’s Encrypt. cert-manager handles Kubernetes. Commercial CAs need their own portal. At 10,000 certificates across five clouds, three Kubernetes clusters, and two internal CAs, that's five renewal workflows instead of one. MachineCert connects to every CA you use — ACME, AWS PCA, DigiCert, Sectigo, internal PKI — and orchestrates renewal from one control plane. Risk scoring tells you which certs should renew automatically and which still need human approval.