There’s no downside to renewing early—you can even carry over remaining time
Let’s talk about SSL renewals. I mean, this seems like an appropriate topic given that you’re on SSLRenewals.com.
We get a lot of questions about renewals. Stuff like why do SSL certificates expire? Why should I renew early? And what happens if my certificate does expire?
Those are all good questions. Let’s answer all three of them.
Why Do SSL Certificates Expire?
Let’s start with looking at why you need to renew SSL at all. It’s a valid question and probably the one we get asked most frequently. No, this isn’t part of some scam to keep you paying. If the Certificate Authorities (CAs) that issue SSL wanted to keep you paying then SSL would become a monthly service and you’d be paying every month, anyway.
No, expiration actually has very little to do with economics. It comes down to two things, really. One is proliferation of new technology and upgrades and the other stems from the need to keep up to date information for validation purposes.
As far as proliferating new technology and upgrades, it makes a lot of sense that in order to keep customers up to date with most secure hashing algorithms and encryption strengths possible that you would occasionally need to upgrade. Unfortunately, if certificates didn’t expire many people never would. This would make the entire internet less safe and undermine people’s faith in encryption. By making sure certificates expire at least every three years – a number that will likely be reduced in the next year or so – you can ensure that everyone is keeping their implementations at least somewhat up to date. In just the past years the SSL industry has deprecated SHA-1, that wouldn’t be possible without certificate expiration.
The other reason is just as practical. As with any other form of identification, you occasionally have to check in to provide up to date identifying information. Driver’s licenses expire, passports expire—it’s normal. Thought SSL is typically discussed in terms of the encryption it provides, it serves a second, less-advertised function: authentication. SSL certificates display identifying information about the proprietor of the website you’re visiting. In order for CAs to continue to supply this identifying information they need to occasionally verify that it’s still accurate. Hence, expiration.
Why Should I Renew My SSL Certificate Before it Expires?
You can renew your certificate up to three months before it expires. But should you?
For one, you have nothing to lose by renewing early. A lot of people mistakenly think that if they renew early they’ll lose time off their previous certificate. That’s wrong—you can carry up to three months over to your new certificate. That’s right, the new certificate will be valid for 12, 24 or 36 months, plus whatever time you had remaining on your last certificate. That means you could have up to 39 months of validity for DV and OV certificates and 27 for EV certs.
Beyond that, certificate expiration just isn’t something you want to mess around with. The longer you wait, the greater your risk of exposure becomes. Keep in mind, “renew” is a bit of misnomer, you’re still buying a new SSL certificate, you’re just taking advantage of your old validation information to speed up the process. That being said, it may still take a day or two to issue your new SSL certificate so if you wait until the day before it expires you might be in trouble.
Don’t wait, as soon as you receive notification about renewing just go ahead and do it. You have nothing to lose by doing it early, but plenty to lose by waiting.
What Happens If My SSL Certificate Expires?
No, just kidding. Though it can be catastrophic. If your certificate expires your website’s visitors will be greeted with a warning that says your certificate has expired—it’s right in their face. It would be like if you walked into a restaurant and before you even get to the hostess someone hands you a large note informing you that this place hasn’t paid rent on time. It’s not a good look. Your website will also receive a “Not Secure” visual warning in the address bar. And of course, your connections will no longer be secure.
Not to mention you’ll have to go through the entire validation process again, as opposed to being able to skip a few steps.
Look, renewing really shouldn’t be a hassle. Just take care of it early on and you’ll have nothing to worry about. Like we’ve said, there’s nothing to lose by renewing early, but plenty to lose if you wait.