Updated on 2024-12-13 GMT+08:00

Reissuing an SSL Certificate

Reissuing an SSL certificate is a process in which a user needs to obtain a new certificate to replace the original certificate when the SSL certificate is still valid. Generally, you need to re-issue the SSL certificate in the following scenarios:

  • Key leakage or loss: If the key of a website is disclosed or lost, you are advised to issue a new SSL certificate to ensure website security.
  • Changing the domain name: If the domain name of a website is changed, the original SSL certificate is no longer applicable. You need to issue a new SSL certificate to match the new domain name.
  • Incorrect certificate configuration: If the configuration information (for example, the domain name or organization information) is incorrect when you apply for an SSL certificate, you need to re-issue the SSL certificate.

Prerequisites

  • The certificate is in the Issued state.
  • The certificate is a single-domain or wildcard-domain certificate.

Constraints

  • Free certificates, multi-domain certificates, and revoked certificates cannot be reissued.
  • An issued certificate can be reissued within a specified period. The period varies depending on domain type and CAs. The following describes the period given by some CAs:
    • DigiCert and GeoTrust: 25 days.
  • There is no limit on how many times you can apply for reissues of a single-domain or wildcard-domain certificate only when the reissue is requested within the specified period. This period varies depending on CAs.

Procedure

  1. Log in to the management console.
  2. Click in the upper left corner of the page and choose Security & Compliance > Cloud Certificate Management Service. The service console is displayed.
  3. In the navigation pane on the left, choose SSL Certificate Manager > SSL Certificates.
  4. In the Operation column of the target certificate, choose More > Reissue, as shown in the Figure 1.

    Figure 1 Reissuing an SSL certificate

    If the reissue button disappears or the reissue failed, check the following items:

    • Certificate status. The certificate you want to reissue must have been issued. If the certificate is not issued, it cannot be reissued.
    • Certificate type. Free certificates and multi-domain certificates cannot be reissued.
    • Certificate CA. If your certificate was issued by GlobalSign, a reissue can only be initiated within 5 days after the certificate was issued.
    • Certificate CA. If your certificate was issued by DigiCert, GeoTrust, CFCA, TrustAsia, or vTrus, a reissue can only be initiated within 25 days after the certificate was issued.

  5. To change the domain name for a certificate, perform operations by referring to Table 1. You can also modify the company contact or authorizer information.

    Figure 2 Reissuing a certificate
    Table 1 Domain name parameters

    Parameter

    Description

    Example Value

    CSR

    To obtain an SSL certificate, a Certificate Signing Request (CSR) file needs to be submitted to the CA for review. A CSR contains a public key and a distinguished name (DN). Typically, a CSR is generated by a web server. A pair of public and private keys are created along with the CSR.

    Options:
    • System generated CSR: The system automatically generates a certificate private key. Once the certificate is issued, you can download your certificate and private key on the certificate management page.
    • You manually generate a CSR file and paste the content of the CSR file into the text box. For more details, see How Do I Make a CSR File?

    You are advised to select System generated CSR to avoid approval failure caused by incorrect content. For details about the differences between the two types of certificate request files, see What Are the Differences Between the CSR Generated by the System and the CSR Made by Yourself?

    System generated CSR

    Domain Name

    This parameter is displayed when you purchase a single-domain or wildcard-domain certificate.

    • If you select Upload a CSR for CSR, the domain name is automatically parsed based on the CSR file. You do not need to manually enter the domain name.
    • If you select System generated CSR for CSR, manually enter the domain name or wildcard domain to be associated with the certificate.

      Single domain: If your domain is www.domain.com, enter www.domain.com for Domain Name.

      Wildcard domain: If you have multiple domain names that are all the same level, for instance, test.huaweicloud.com, yun.huaweicloud.com, example.huaweicloud.com, and good.huaweicloud.com, you can use a wildcard to enter a single domain name that would include them all, in this case: *.huaweicloud.com.

    www.domain.com

    Domain Name Verification Method

    In accordance with the CA specifications, after applying for a certificate, you need to work with the CA to verify ownership of the associated domain name. After your ownership of the domain name is verified by you and approved by the CA, the CA will issue the certificate.

    Options:

    • DNS: You need to verify the domain ownership by resolving a specific DNS record on the domain name management platform.
      • Automatic DNS verification: The system automatically adds DNS records for verification.

        If you have purchased DV (domain name) certificate, and you have registered a domain name on the Huawei Cloud platform and the domain name has been resolved by Huawei Cloud DNS, you can choose this verification method.

      • Manual DNS verification: You need to go to the DNS service provider of the domain name to perform the verification.
    • File: You need to create a specified file on the server to verify your ownership of the domain.
    • Email: You can click the link and follow the directions in the email to verify ownership of the domain.
    NOTE:
    • DV (basic) certificates (GeoTrust entry-level SSL certificates and DigiCert free SSL certificates) are verified by DNS by default.

    Manual DNS verification

  6. After confirming that the entered information is correct, read through the Cloud Certificate Manager Statement, Privacy Statement, and the authorization statement, and check the box to agree to the disclaimer and statements

    If the certificate is not being reviewed, you can cancel the authorization for privacy information. Once you revoke the authorization, the platform will no longer store your information. The contact name, phone number, email address, and organization details will be deleted. For more details, see Canceling Authorization for Privacy Information.

  7. Click Submit.

    1. After you submit the reissue application, the certificate status has changed to CA verifying (reissue).
    2. The CA will send an email to you within one to two working days to confirm the cancellation of the issued certificate. After you confirm the email, the CA will cancel the issued certificate and the certificate will enter the reissue process.

      If you have modified the domain name or information about the company contact or authorizer, the certificate is in the Pending domain name verification status after the original certificate is canceled. The certificate can be reissued only when you complete Verifying Domain Name Ownership and Verifying the Organization (OV and EV) (required only for OV, OV Pro, EV, and EV Pro certificates).