System Administration

Your 5-Step Guide to Replacing TLS Certificates in 2025

Is your TLS certificate expiring? Our 5-step guide for 2025 makes replacing SSL/TLS certificates easy, from CSR generation to server installation.

David Carter

A Senior Systems Engineer with over 15 years of experience in network security.

September 8, 20257 min read21 views

That little padlock in your browser’s address bar does a lot of heavy lifting. It’s the digital handshake that tells visitors your site is authentic and their data is safe. But these TLS/SSL certificates have a lifespan, and when they expire, that trust—and your site's accessibility—vanishes. Don't let an expired certificate cause a frantic, site-down emergency.

This guide will walk you through the entire replacement process in five manageable steps. Let’s turn a potential crisis into a calm, routine task for 2025.

Step 1: The Audit – Know What You Have

You can't fix what you can't find. Before you can replace a certificate, you need a complete inventory. Forgotten certificates on old subdomains or internal applications are a common source of security incidents and unexpected outages. It's time to play detective.

Create Your Certificate Inventory

Open up a spreadsheet or use a dedicated inventory tool. For each certificate your organization uses, you need to track:

Common Name & Subject Alternative Names (SANs): Which exact domains and subdomains does it cover? (e.g., www.yourdomain.com, api.yourdomain.com)
Expiration Date: This is the most critical piece of information. Sort your list by this date to prioritize your work.
Issuing Certificate Authority (CA): Who did you get it from? (e.g., DigiCert, Sectigo, Let's Encrypt)
Location of Installation: Where is this certificate actually living? It could be on a web server (like Nginx or Apache), a load balancer (like an F5 or HAProxy), a CDN, or even a mail server.
Certificate Type: Is it a simple Domain Validated (DV) cert, an Organization Validated (OV) one, or something more complex like a Wildcard (*.yourdomain.com) or Multi-Domain (SAN) certificate?

This inventory is now your single source of truth. It prevents panic and ensures no server is left behind. Start this process at least 60-90 days before your first certificate is set to expire.

Step 2: Generate Your CSR (Certificate Signing Request)

With your audit complete, it's time to create a Certificate Signing Request (CSR). This is a block of encoded text containing the information that will be included in your certificate, like your domain name and organization details. You'll give this CSR to the Certificate Authority, and they'll use it to generate your final certificate.

Using OpenSSL

The most common way to generate a CSR is with the OpenSSL command-line tool, which is available on most Linux servers and macOS.

openssl req -new -newkey rsa:2048 -nodes -keyout yourdomain_com.key -out yourdomain_com.csr

Let's break that down:

-new -newkey rsa:2048: This creates a new request and a new 2048-bit RSA private key. 2048-bit is the current industry standard.
-nodes: This stands for "no DES," meaning it won't encrypt your private key with a passphrase. While a passphrase adds security, it also requires you to enter it every time your web server restarts, which can complicate automation.
-keyout yourdomain_com.key: This is your brand new private key. Guard this file with your life. Never share it or email it.
-out yourdomain_com.csr: This is the CSR file you'll submit to the CA.

When you run the command, you'll be prompted for information like your Country, State, Organization Name, and most importantly, the Common Name. The Common Name must be the fully qualified domain name (FQDN) you want to secure (e.g., www.yourdomain.com).

Security First: The .key file is your private key. It's the secret that proves your identity. If it's compromised, an attacker can impersonate your server. Keep it secure and set its file permissions so only the root or web server user can read it.

Step 3: Choose, Purchase, and Validate Your New Certificate

Now you take your CSR to a Certificate Authority (CA) to get your new certificate. But which type do you need? The choice primarily comes down to the level of trust and validation you want to display to your users.

Comparing Certificate Types

Here’s a quick comparison to help you decide:

Feature	Domain Validated (DV)	Organization Validated (OV)	Extended Validation (EV)
Validation Method	Automated check of domain control (Email, DNS, or HTTP file)	Manual check of organization's legal existence and domain control	In-depth vetting of the organization's legal, physical, and operational existence
Issuance Time	Minutes	1-3 Business Days	2-7+ Business Days
Trust Indicator	HTTPS & Padlock Icon	HTTPS & Padlock, with organization name visible in certificate details	HTTPS & Padlock, with organization name more prominent in certificate details
Best For	Blogs, personal sites, internal services where brand trust isn't paramount	Business websites, e-commerce, APIs where establishing brand identity is important	Banks, financial institutions, large enterprises requiring the highest level of trust
Cost	$ (or free with CAs like Let's Encrypt)	$$	$$$

After you purchase your chosen certificate and submit your CSR, the CA will begin the validation process. For a DV certificate, this is as simple as adding a specific DNS record or uploading a file to your web server. For OV and EV, expect them to verify your business through official records.

Step 4: The Main Event – Installation & Configuration

Once validation is complete, the CA will provide you with your new certificate files. This is the most technical step, but it’s straightforward if you follow a clear process.

You'll typically receive at least two files: your server certificate (e.g., yourdomain_com.crt) and an intermediate/chain certificate (e.g., ca-bundle.crt). The intermediate certificate chains your cert back to the CA's trusted root.

Server Configuration

First, always back up your current web server configuration file!

Upload your new certificate files and the private key you generated in Step 2 to a secure directory on your server (e.g., /etc/ssl/certs/).
Update your web server's configuration to point to these new files.

Example for Nginx:

In your site's server block (e.g., /etc/nginx/sites-available/yourdomain.conf), update these two lines. Note: It's common practice to concatenate your certificate and the CA bundle into a single file.

# Concatenate your cert and the CA's bundle first:
# cat yourdomain_com.crt ca-bundle.crt > yourdomain_com_chain.crt

server {
    listen 443 ssl;
    server_name www.yourdomain.com;

    ssl_certificate /path/to/your/yourdomain_com_chain.crt; # New chained certificate
    ssl_certificate_key /path/to/your/yourdomain_com.key;  # Your private key
    ...
}

Example for Apache:

In your virtual host file (e.g., /etc/apache2/sites-available/yourdomain-ssl.conf), update these directives:

<VirtualHost *:443>
    ServerName www.yourdomain.com

    SSLEngine on
    SSLCertificateFile /path/to/your/yourdomain_com.crt;         # New certificate
    SSLCertificateKeyFile /path/to/your/yourdomain_com.key;      # Your private key
    SSLCertificateChainFile /path/to/your/ca-bundle.crt;       # The CA's bundle
    ...
</VirtualHost>

After saving your configuration changes, run a syntax check (nginx -t or apachectl configtest) and then gracefully restart your web server service to apply the new certificate.

Step 5: Verify, Clean Up, and Automate for Next Time

You're not done just yet! Verification is a non-negotiable final step to ensure everything is working correctly.

Verify the Installation

Browser Check: Open your website in a new incognito window to avoid caching issues. Click the padlock icon in the address bar and inspect the certificate. Confirm that the "Valid from" and "Valid to" dates reflect your new certificate.
Online SSL Checker: Use a tool like the Qualys SSL Labs Server Test. This free service provides a deep analysis of your TLS configuration, giving you a grade from A+ to F. It will immediately flag common problems like a missing intermediate certificate (a "chain issue").

Clean Up and Reminders

Once you've confirmed the new certificate is working perfectly, you can safely delete the old, expired certificate files from your server to avoid confusion later. More importantly, update your inventory spreadsheet from Step 1 with the new expiration date.

Set a calendar reminder for the next renewal! Don't just set one for the day before it expires. Set reminders for 90, 60, and 30 days out to give yourself plenty of time.

Think Automation

For many use cases, especially with DV certificates, manual renewal should be a thing of the past. Look into using the ACME protocol with a client like Certbot, which works with free CAs like Let's Encrypt. It can fully automate the process of obtaining and renewing certificates, eliminating the risk of human error and expired-certificate-emergencies.

Key Takeaways

Replacing a TLS certificate doesn't have to be a fire drill. By following these five steps—Audit, Generate CSR, Validate, Install, and Verify—you create a predictable, low-stress process. A well-maintained certificate inventory, combined with a move towards automation, is the foundation of a healthy and secure web presence.