How Do Certificate Renewal, Reissue, and Revocation Processes Work?

July 8, 2022 | David Bisson
A web owner’s control over a digital certificate begins when they purchase the machine identity from a Certificate Authority (CA). However, your responsibility doesn't end there. Once you have full authority over your certificates, it is up to you to maintain them. Understanding exactly how certificate renewal, certificate reissue, and certificate revocation work will empower you to maintain your network’s security, reliability, and reputation.
When is the best time to apply for a certificate renewal?

Certificate renewal is the process by which a user purchases a new certificate for the same public key used in an expiring certificate. Certificates used to be valid for up to three years, but as of September 2020 all SSL certificates have a maximum lifespan of 13 months. While many experts have expressed concern over this change, shorter certificate validity periods are actually a good thing for security.

The best time to apply for an SSL certificate renewal is within the last quarter of the current certificate's lifecycle, so there is plenty of time for the renewal to be processed. This ensures there is no gap in validity, which avoids a potentially costly outage and maintains user trust in your website’s reliability.

How to request a certificate renewal in 4 easy steps:

  1. Generate a new certificate signing request (CSR) from your CA's hosting control panel.
  2. Wait for the CA to process your request and complete its identity verification steps. This takes the same amount of time as handling the CSR for a new certificate, as long as the owner's domain, organization name, and other submitted pieces of information have not changed.
  3. The purchaser’s certificate contact will receive the new SSL certificate from the CA.
  4. Install and configure your new SSL certificate before removing the old one.
What is an SSL Certificate Reissue?

A certificate reissue (sometimes referred to as re-keying) is when a user generates a new private key and CSR for an existing certificate. As explained by DNSimple, users might need to proceed with the reissuing process if they lose or delete their private key, if they want to change any of their certificate information, or if they want to change the certificate's encryption level. Upon completion, the reissuing process produces a new digital certificate.

What is Certificate Revocation and Why Is It Important?

Certificate revocation allows web owners to immediately invalidate an SSL certificate prior to its scheduled expiration. The most common reason for this is when a certificate's private key becomes unsafe, such as when a user shares the key on a public website or if hackers steal the key from a company's servers.

Revoking the certificate in such instances cancels the certificate, thereby removing the HTTPS connection from the owner's domain. At this point the owner will have to perform an SSL Certificate Reissue, as described above.

Organizations should maintain accurate and up-to-date certificate revocation lists (CRLs). A CRL is a list of all digital certificates that have been revoked by the issuing CA and should no longer be trusted.

Certificate management requires automation and visibility

Certificate management can be highly complex depending on the number of machine identities in your network. Maintaining an inventory of where all your digital certificates are located, what they do, and when they expire is a lot of work. The effort needed to keep track of all certificate renewals, reissues, and revocations is even greater. In most cases, manual certificate management is simply not feasible. These processes are tedious, repetitive, time-consuming, and highly prone to human error.
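
The last-quarter renewal rule and the revocation list described above can be applied mechanically to a certificate inventory. The following is an added example, not code from the original post or from Venafi; the host names, serial numbers, dates, and the `REVOKED_SERIALS` set are constructed sample data, and the function names are hypothetical.

```python
import ssl
from datetime import datetime, timezone

# Constructed inventory: host, serial, notBefore, notAfter, with dates in the
# text form printed by `openssl x509 -noout -dates`.
INVENTORY = [
    ("shop.example.test", "0A1B", "Jan  1 00:00:00 2022 GMT", "Jan  1 00:00:00 2023 GMT"),
    ("api.example.test", "0B2C", "Sep  1 00:00:00 2021 GMT", "Sep 30 00:00:00 2022 GMT"),
    ("vpn.example.test", "0C3D", "Mar  1 00:00:00 2022 GMT", "Mar  1 00:00:00 2023 GMT"),
    ("old.example.test", "0D4E", "Jun  1 00:00:00 2021 GMT", "Jun 15 00:00:00 2022 GMT"),
]

# Constructed stand-in for the serial numbers listed in the issuing CA's CRL.
REVOKED_SERIALS = {"0C3D"}

RENEWAL_FRACTION = 0.75  # the renewal window opens in the last quarter of validity


def parse_cert_time(text):
    """Convert a certificate date string to an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)


def triage(serial, not_before, not_after, now):
    """Return the action one certificate needs at time `now`."""
    start, end = parse_cert_time(not_before), parse_cert_time(not_after)
    if serial in REVOKED_SERIALS:
        # A revoked certificate must not be renewed on the same key.
        return "REVOKED: reissue with a new key pair"
    if now >= end:
        return "EXPIRED: replace immediately"
    if now >= start + (end - start) * RENEWAL_FRACTION:
        return f"RENEW: {(end - now).days} days left"
    return "OK"


def report(now):
    """Map each host in the inventory to its triage result."""
    return {host: triage(serial, nb, na, now) for host, serial, nb, na in INVENTORY}


if __name__ == "__main__":
    today = datetime(2022, 7, 8, tzinfo=timezone.utc)  # constructed evaluation date
    for host, status in report(today).items():
        print(f"{host:22} {status}")
```

Revocation is checked before expiry and renewal so that a compromised key is never carried forward by a same-key renewal.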

In the case of certificate management, even one tiny mistake can be disastrous. All it takes is one expired certificate to expose yourself to costly cyber-attacks, impact revenue, and even damage your reliability and reputation.

To properly manage digital certificates, automation is the only solution that streamlines the renewal, reissue, and revocation processes for machine identities. The Venafi Trust Protection Platform, optimized for machine identity management, was built just for this task. Secure your network against bad actors and eliminate certificate-related outages with the No-Outages Guarantee. Users can initiate certificate renewals, request a certificate reissue, and revoke certificates from a single portal.

(This was originally posted on July 2, 2021. This blog has been updated.)

About the author

David Bisson

David is a Contributing Editor at IBM Security Intelligence. David Bisson is a security journalist who works as Contributing Editor for IBM's Security Intelligence, Associate Editor for Tripwire and Contributing Writer for Gemalto, Venafi, Zix, Bora Design and others.
