Reissuing an SSL Certificate
Reissuing an SSL certificate means generating a new certificate using the same order/subscription. This replaces the existing certificate without additional cost and is useful when you need to update your server configuration or recover from a security incident.
When Should You Reissue?
Common reasons to reissue an SSL certificate:
- Server migration: Moving your website to a new server that requires a new private key
- Private key compromise: If your private key has been exposed or you suspect it was compromised
- CSR change: Changing the server software (e.g., from Apache to Nginx) may require a new CSR
- Lost private key: If you cannot locate the original private key used during CSR generation
- Adding SANs: Adding additional domain names to a multi-domain certificate
- Key rotation: Security best practice of periodically rotating cryptographic keys
- Server reinstall: After rebuilding or reinstalling your web server
Tip: Reissuing is free and does not change your certificates expiration date. The reissued certificate retains the same validity period as the original.
Step-by-Step Reissue Process
Step 1: Generate a New CSR
You must generate a fresh CSR (Certificate Signing Request) on your server before reissuing.
In cPanel:
- Go to Security > SSL/TLS
- Click Generate, view, or delete SSL certificate signing requests
- Enter your domain and organization details
- Click Generate and copy the CSR
Via command line:
openssl req -new -newkey rsa:2048 -nodes -keyout new-server.key -out new-server.csrSave the new private key (new-server.key) securely — you will need it for installation.
Step 2: Request Reissue
- Log in to your {{COMPANY_NAME}} client portal at {{SUPPORT_URL}}
- Navigate to Services > My Services
- Click on your SSL certificate service
- Click Reissue or Rekey Certificate
- Paste your new CSR into the provided field
- Select your web server type
- Click Submit
Step 3: Complete Domain Validation
Domain validation is required again for the reissued certificate:
- Email validation: Approve via email sent to admin/postmaster/webmaster address
- DNS validation: Add or update the CNAME/TXT record
- HTTP validation: Upload the verification file to your server
Step 4: Install the Reissued Certificate
Once validation is complete and the new certificate is issued:
- Download the new certificate files
- Install on your server, replacing the old certificate
- Use the new private key generated in Step 1
- Include the CA bundle/intermediate certificates
- Restart your web server (Apache, Nginx, etc.)
- Test the installation using an online SSL checker
Tip: The old certificate is automatically revoked shortly after the reissued certificate is installed. Plan the switch during a low-traffic period to minimize any brief disruption.
What Happens to the Old Certificate?
After a reissue:
- The old certificate is typically revoked within 24-72 hours
- The old private key should be securely deleted
- Any server still using the old certificate will show security warnings once it is revoked
- If you have multiple servers, update all of them with the new certificate
Reissue vs. Renewal
| Aspect | Reissue | Renewal |
|---|---|---|
| Cost | Free | Renewal fee applies |
| New certificate | Yes | Yes |
| Expiration date | Same as original | Extended by new term |
| New CSR required | Yes | Yes (recommended) |
| Validation required | Yes | Yes |
| When to use | Key change, server migration | Certificate approaching expiry |
Troubleshooting
- Reissue option not available: Some certificate types or CAs may have limitations. Contact support for assistance.
- Validation failing after reissue: Ensure the domain still points to a server you control and that validation records/emails are accessible.
- Old certificate still showing: Clear your browser cache and restart the web server. Use an incognito window to verify the new certificate is served.
- Certificate chain errors: Ensure you installed the intermediate/CA bundle certificates along with the new certificate. Missing intermediates cause trust errors.
- Private key mismatch: The private key must match the CSR used for the reissue. If you lost the key, generate a new CSR and reissue again.
Related Articles
Need help reissuing your SSL certificate? Contact {{COMPANY_NAME}} support at {{SUPPORT_EMAIL}} or open a ticket at {{SUPPORT_URL}}.