How to Renew or Replace an SSL Certificate

An SSL certificate must be renewed before it expires, otherwise browsers may start showing security warnings and some services may stop working correctly. In a managed hosting environment, the renewal process is usually straightforward, but it can still require attention to certificate type, validation method, private key handling, and web server configuration. If your website uses HTTPS, the safest approach is to renew or replace the certificate a little before the expiry date and then verify that the new certificate is installed correctly on all domains, subdomains, and services that depend on it.

In most cases, you renew an SSL certificate when you want to keep the same certificate identity on the same hostname, and you replace it when you need a new certificate because the domain has changed, the private key was lost, the certificate was issued incorrectly, or the current certificate no longer matches the way the site is configured. This article explains both workflows in a hosting control panel environment such as Plesk, and includes practical checks for Apache-based hosting setups, common errors, and cleanup steps after renewal.

When you should renew or replace an SSL certificate

You should renew an SSL certificate before it expires, ideally several days in advance. Waiting until the last day can create avoidable downtime if validation is delayed or if the certificate authority needs additional verification.

Replace the certificate instead of renewing it when one of the following applies:

• The domain name has changed and the current certificate no longer covers the correct hostname.
• The private key is missing, corrupted, or no longer available.
• The certificate was issued to the wrong Common Name or SAN list.
• You need a different certificate type, such as a wildcard or multi-domain certificate.
• The certificate was installed on the wrong subscription, website, or service.
• You are moving from a self-signed certificate to a publicly trusted certificate.

If the certificate is still valid but you need to update the certificate chain, enable automatic renewal, or correct the web server binding, a replacement installation may solve the issue without changing the hostname.

Check the current certificate status first

Before you start, confirm what is currently installed and where it is used. In a hosting control panel, the same certificate may be attached to multiple services, such as the main website, mail, webmail, and additional domains.

What to verify

• Expiry date
• Domain name on the certificate
• Subject Alternative Names (SANs), if present
• Issuer and certificate chain
• Whether the private key matches the certificate
• Which websites or services are using the certificate

If you are using Plesk, open the domain’s SSL/TLS settings or the hosting settings area and review the installed certificate details. If the certificate is managed by the control panel, you may also see a renewal option, expiration notice, or integration with a certificate authority such as Let’s Encrypt.

Renewing an SSL certificate in a hosting control panel

Renewal usually means issuing a new certificate for the same domain while keeping the service configuration in place. In many hosting platforms, this is handled automatically if the certificate is linked to a supported provider and the domain still passes validation.

Typical renewal steps in Plesk or similar control panels

1. Log in to the control panel.
2. Open the domain or subscription that uses HTTPS.
3. Go to the SSL/TLS or Let’s Encrypt section.
4. Review the certificate expiry date and select renewal.
5. Choose the correct hostnames to include, such as the apex domain and www version.
6. Confirm validation details, usually HTTP-01, DNS-01, or email-based validation depending on the provider.
7. Start the renewal process and wait for issuance.
8. Apply the renewed certificate to the website and any related services.

After renewal, the control panel may update the certificate automatically. However, you should still verify the live site, because a successful issuance does not always mean every service is pointing to the new certificate.

Automatic renewal vs manual renewal

Automatic renewal is the preferred option in managed hosting because it reduces the chance of expiry-related downtime. For example, Let’s Encrypt certificates are often renewed automatically when the domain remains reachable and validation passes. Manual renewal is still useful when:

• the certificate provider does not support automatic renewal,
• the domain’s DNS or web routing has changed,
• validation failed and needs correction,
• you are replacing the certificate with a new one from another provider.

Replacing an SSL certificate manually

When renewal is not possible, you need to replace the certificate. This is common when migrating hosting, rebuilding the server, or correcting an installation issue. A replacement typically involves generating a new CSR, obtaining a new certificate, and installing the certificate together with the private key and intermediate chain.

Step 1: Generate a new private key and CSR

If you no longer have the original private key, generate a new one. The CSR must match the exact domain names you want protected. Include all needed hostnames, such as:

• example.eu
• www.example.eu
• shop.example.eu
• mail.example.eu, if mail services are secured with the same certificate

In Plesk, the control panel can generate the CSR for you. If you use Apache or another web stack directly, generate the key and CSR using your server tools or a trusted certificate workflow.

Step 2: Submit the CSR to your certificate provider

After generating the CSR, send it to your SSL provider or certificate authority. Complete domain validation as required. Depending on the certificate type, this may require:

• adding a DNS TXT record,
• placing a verification file in the website root,
• confirming an approval email sent to a domain contact.

If the hosting account uses a staging or temporary domain for validation, make sure the final certificate is issued for the public production hostname, not the temporary address.

Step 3: Install the new certificate

Once the certificate is issued, install it in the control panel together with the private key and the full certificate chain. In many hosting environments, the certificate chain is required for browsers and mobile devices to trust the site correctly. Missing intermediates can cause incomplete trust errors even when the certificate itself is valid.

For Apache-based hosting, the certificate is usually applied through the virtual host configuration or the control panel’s SSL manager. In a managed platform, the panel often writes the necessary configuration automatically after you save the certificate.

Step 4: Assign the certificate to all relevant services

Do not stop at the main website. Check whether the certificate also needs to be applied to:

• the www version of the site,
• additional subdomains,
• mail services such as IMAP, POP, and SMTP,
• webmail,
• any reverse proxy or load balancer termination point.

If different services use different certificates, users may see mixed trust behavior depending on what they open first.

How to replace a certificate in Plesk

In Plesk, the exact labels may differ slightly by version, but the workflow is usually similar. Open the domain, go to the SSL/TLS Certificates area, and either renew the existing certificate through the integrated provider or upload a new one.

Common Plesk paths

• Domains → select the domain → SSL/TLS Certificates
• Extensions → Let’s Encrypt or another SSL extension
• Hosting Settings → enable SSL/TLS support and select the certificate

After upload or renewal, confirm that the certificate is selected in the hosting settings. If your site uses both HTTP and HTTPS, enable redirect rules only after the certificate is installed and tested successfully.

Important Plesk checks after replacement

• The certificate status shows as valid.
• The correct domain names are included.
• The web hosting settings point to the new certificate.
• Mail services use the intended certificate if needed.
• Let’s Encrypt or another auto-renewal job is enabled, if available.

How to verify the new certificate is working

After renewing or replacing the certificate, test the live site in a browser and check the certificate details. Make sure the browser shows a secure connection and the hostname matches exactly. A valid certificate for the wrong domain is still a failure from the user’s point of view.

Verification checklist

• Visit the site using HTTPS.
• Check that the padlock or secure indicator appears.
• Open certificate details and confirm the expiry date.
• Confirm the Common Name or SANs include the correct hostnames.
• Test both the apex domain and www version.
• Check subdomains if they should be protected.
• Verify mail or webmail certificates if those services use the same certificate.

If the site still shows the old certificate, clear browser cache and test from a private window. In some cases, a CDN, proxy, or caching layer may still serve old TLS metadata until it is refreshed.

Common problems after renewing or replacing an SSL certificate

The browser still shows the old certificate

This can happen when the web server has not reloaded the new certificate, the wrong virtual host is active, or a proxy layer is terminating HTTPS before the origin server. Restart or reload the web service if needed, then test again. In managed hosting, verify that the certificate was assigned to the correct subscription and service.

Certificate name mismatch

If the hostname in the browser does not match the certificate, the certificate may have been issued for the wrong domain or missing SAN entries. Reissue the certificate with every required hostname included. This is especially important for sites that respond on both example.eu and www.example.eu.

Incomplete certificate chain

Some browsers and devices require the full chain, including intermediate certificates. If the chain is missing or incomplete, users may see trust warnings. Install the full chain provided by the certificate authority, or use the control panel’s built-in option to include intermediates automatically.

HTTPS redirects loop or fail

After installing a new certificate, a redirect loop can appear if the web server, application, or CDN has inconsistent redirect rules. Check whether:

• the application forces HTTPS while the server already does so,
• the proxy passes the correct X-Forwarded-Proto header,
• mixed redirect rules conflict between .htaccess and panel settings.

Mail clients show certificate warnings

If you use the same certificate for mail services, the mail hostname must also match the certificate. A certificate issued only for the website may not be valid for mail.example.eu. Reassign or replace the certificate for mail services if required.

Apache-specific considerations

On Apache-based hosting, SSL problems often come from virtual host configuration rather than the certificate file itself. After renewal or replacement, Apache must reference the correct certificate, private key, and chain file for the HTTPS virtual host. If you have access to the server configuration, check that the SSL directives point to the updated files and that the correct name-based virtual host is active.

What to check in Apache

• SSLCertificateFile points to the new certificate.
• SSLCertificateKeyFile matches the installed private key.
• SSLCertificateChainFile or equivalent chain configuration is correct, if used.
• The HTTPS virtual host matches the intended domain.
• Apache was reloaded after the change.

If the hosting platform manages Apache for you, use the control panel rather than editing configuration files directly. This reduces the chance of configuration drift and ensures the panel keeps renewal settings consistent.

Mixed content cleanup after SSL renewal

Renewing the certificate does not fix mixed content. If the page still loads images, scripts, stylesheets, or fonts over HTTP, browsers may continue to display security warnings or reduced security indicators. After replacing the certificate, review the website for hardcoded HTTP links.

Useful cleanup steps

• Search the site source for http:// references.
• Update internal links to use https:// or relative paths.
• Check theme files, templates, and CMS settings.
• Clear application and CDN caches.
• Test with browser developer tools to identify blocked resources.

In many CMS platforms, the base URL and site URL must also be updated to HTTPS so new content is generated with secure links.

Best practices for SSL renewal in managed hosting

• Set renewal reminders before expiration, even if auto-renewal is enabled.
• Keep DNS records stable during validation windows.
• Use the same hostname pattern across website, redirect, and mail services.
• Always install the full chain, not just the leaf certificate.
• Test from multiple browsers and devices after renewal.
• Document where each certificate is used inside the hosting account.
• Review renewal logs if the control panel reports an error.

These habits reduce the chance of unexpected failures, especially in environments where one hosting account contains multiple sites, add-on domains, or separate services under the same SSL policy.

When you should contact hosting support

Contact support if the certificate renews successfully but the live site still shows an old or invalid certificate, if the control panel cannot assign the certificate to the correct domain, or if validation keeps failing even after DNS and web access have been verified. Support can also help if the issue affects Apache configuration, reverse proxy behavior, or a service that is not visible in the standard website settings.

It is especially helpful to provide the following information when requesting assistance:

• the domain name involved,
• the certificate provider,
• the expiry date or error message,
• screenshots of the control panel certificate settings,
• whether the problem affects the website, mail, or both.

FAQ

Can I renew an SSL certificate before it expires?

Yes. In most hosting environments, renewal before expiry is recommended and often supported automatically. Early renewal helps avoid downtime and gives time to fix validation issues.

Do I need a new CSR when renewing?

Not always. If the provider supports renewal using the existing key and certificate profile, a new CSR may not be necessary. However, if you are replacing the certificate, changing the domain list, or no longer have the private key, a new CSR is required.

What is the difference between renewal and replacement?

Renewal issues a new certificate for the same setup, usually with the same hostname coverage. Replacement is used when you need a new certificate because the old one is unsuitable, missing, incorrect, or no longer available.

Why does my browser still show a warning after renewal?

Common causes include a mismatched hostname, missing intermediate certificate, stale proxy cache, or mixed content on the page. Check the certificate details and verify the full chain.

Can one certificate secure both the website and mail?

Yes, if the certificate includes the correct names for both services and the hosting platform allows it. Many setups use one certificate for the website and a separate certificate for mail services, depending on hostname coverage and policy.

What happens if I miss the expiry date?

If the certificate expires, browsers will show warnings and some users will not be able to continue safely. In some cases, automated tasks or API clients may also fail. Renew or replace the certificate as soon as possible and verify that the correct certificate is active.

Conclusion

Renewing or replacing an SSL certificate is a routine but important part of website maintenance in managed hosting. The key steps are to confirm what is currently installed, decide whether renewal or replacement is needed, issue the certificate with the correct hostnames, install the full chain, and verify that all relevant services use the new certificate. In Plesk and similar control panels, most of this can be handled from the SSL/TLS section, but it is still important to test the live site, check Apache or proxy bindings when applicable, and clean up any mixed content after the change.

By renewing in advance and validating the final result carefully, you can keep HTTPS working reliably for visitors across Europe and avoid common certificate-related cleanup problems.