Reissuing certificates in TLS Protect Cloud
Reissuing a certificate allows you to replace an existing SSL/TLS certificate while keeping the same order and expiration date. This process is useful for modifying certificate details, such as the common name (CN) or subject alternative names (SANs), or when a private key has been lost or compromised. TLS Protect Cloud provides an integrated way to manage certificate reissuance.
Note
Currently, certificate reissuance in TLS Protect Cloud is supported only for the DigiCert CA.
Difference between reissuance and renewal
While both reissuance and renewal involve obtaining a new certificate, they serve different purposes:
- Reissuance replaces an existing certificate while keeping the original order ID and expiration date.
- Renewal issues a new certificate with an extended validity period, in the process creating a new order ID.
If a certificate is outside its renewal window, TLS Protect Cloud attempts reissuance instead. If it is within the renewal window, TLS Protect Cloud proceeds with renewal. DigiCert reissues certificates free of charge; certificate renewals, however, incur a renewal cost.
About validity
Certificates renewed with DigiCert result in two valid certificates at the same time for a short period (typically 30 days). This allows you to install and test your renewed certificate, ensuring there is no certificate-related outage.
The renewed certificate's extended validity covers the selected duration of the new certificate (90 days, for example) plus the remaining number of days on the renewed certificate. This allows you to renew anytime during the renewal window without losing any of your remaining validity period. This extended validity is available because when you renew, the order is linked to a prior DigiCert order.
If the renewing CA doesn’t recognize the certificate, TLS Protect Cloud issues a new certificate using the renewing CA. We sometimes refer to this as net new issuance or standard issuance. This is when you purchase a new certificate, but it is not a renewal of a prior order. In this case, you typically pay the same amount as a certificate renewal, but there is no additional validity period, making this a more expensive option overall.
Certificate reissuance and renewal process
When starting the Renew/Reissue wizard in TLS Protect Cloud, the following logic determines the certificate request outcome:
- If outside the renewal window:
  - TLS Protect Cloud attempts to reissue the certificate.
  - If reissuance fails, you'll see an error, and the process stops.
    There are several reasons that a reissuance request might fail. For example, if the certificate signing request (CSR) is invalid, DigiCert rejects the reissuance request. You need to correct the issue before the certificate can be reissued.
    Exception: If reissuance fails because the original certificate is not found at the CA, TLS Protect Cloud automatically proceeds with standard issuance. This process, known as CA agility in TLS Protect Datacenter, enables transitioning a certificate from one CA to another.
- If inside the renewal window:
  - TLS Protect Cloud attempts to renew the certificate.
  - If renewal fails for any reason, TLS Protect Cloud automatically falls back to standard issuance without any user intervention.
- Standard certificate issuance:
  - This is the default (and most expensive) option.
  - It applies when neither reissuance nor renewal is successful.
The following diagram illustrates this decision process:
```mermaid
graph TD
A(["⮕ Certificate renewal/reissue initiated"]) -->|Outside renewal window?| B{"Outside window?"}
B -->|Yes| C["Attempt reissuance"]
B -->|No| D["Attempt renewal"]
C -->|Reissuance fails?| E{"Reissuance fails?"}
E -->|Yes| F["Report error to client"]
E -->|Exception: Cert not found at CA| G["Proceed with standard issuance"]
E -->|No| H["Reissuance successful"]
D -->|Renewal fails?| I{"Renewal fails?"}
I -->|Yes| J["Proceed with standard issuance"]
I -->|No| K["Renewal successful"]
```
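The decision flow described above, modelled as an added Python example (this is not Venafi's own code). The CA interaction is a stand-in: `ca_reissue` and `ca_renew` are assumed callables that raise `CaError` on failure, and `CertificateNotFound` represents the "certificate not found at CA" exception case. The expiration dates follow the rules stated on this page: a reissued certificate keeps its original expiration whatever duration was entered in the wizard, a renewed certificate gets the selected duration plus its remaining days, and standard issuance starts a fresh validity period.

```python
"""Renew/Reissue decision logic for the DigiCert CA, as documented for TLS Protect Cloud.

Added example: models the documented flow, not Venafi or DigiCert code.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Callable, Optional

DEFAULT_RENEWAL_WINDOW_DAYS = 32  # documented default for the DigiCert CA connection


class Outcome(Enum):
    REISSUED = "reissued"
    RENEWED = "renewed"
    STANDARD_ISSUANCE = "standard issuance"
    ERROR = "error"


class CaError(Exception):
    """Generic failure reported by the CA (assumed exception shape, not a real SDK type)."""


class CertificateNotFound(CaError):
    """The original certificate is unknown to the CA (the CA agility exception case)."""


@dataclass
class Certificate:
    common_name: str
    not_after: date


@dataclass
class Result:
    outcome: Outcome
    not_after: Optional[date]   # expiration of the certificate you end up with
    detail: str = ""


def in_renewal_window(cert: Certificate, today: date,
                      window_days: int = DEFAULT_RENEWAL_WINDOW_DAYS) -> bool:
    """True when the certificate expires within the configured renewal window."""
    return cert.not_after - today <= timedelta(days=window_days)


def renew_or_reissue(cert: Certificate, today: date, requested_validity_days: int,
                     ca_reissue: Callable[[Certificate], None],
                     ca_renew: Callable[[Certificate], None],
                     window_days: int = DEFAULT_RENEWAL_WINDOW_DAYS) -> Result:
    fresh_expiry = today + timedelta(days=requested_validity_days)
    if not in_renewal_window(cert, today, window_days):
        try:
            ca_reissue(cert)
            # Reissuance keeps the original order's expiration, whatever the wizard asked for.
            return Result(Outcome.REISSUED, cert.not_after)
        except CertificateNotFound:
            # Exception case: unknown at the CA, so fall through to standard issuance.
            return Result(Outcome.STANDARD_ISSUANCE, fresh_expiry, "original certificate not found at CA")
        except CaError as exc:
            # Any other reissuance failure (e.g. rejected CSR) is reported and the process stops.
            return Result(Outcome.ERROR, None, str(exc))
    try:
        ca_renew(cert)
        # Renewal: selected duration plus the days remaining on the renewed certificate.
        return Result(Outcome.RENEWED, cert.not_after + timedelta(days=requested_validity_days))
    except CaError as exc:
        # Renewal failure of any kind falls back to standard issuance automatically.
        return Result(Outcome.STANDARD_ISSUANCE, fresh_expiry, f"renewal failed: {exc}")


# Constructed stand-ins for the CA's responses.
def ca_accepts(cert: Certificate) -> None:
    return None


def ca_rejects_csr(cert: Certificate) -> None:
    raise CaError("CSR rejected by CA")


def ca_unknown_cert(cert: Certificate) -> None:
    raise CertificateNotFound("certificate not found at CA")


# Constructed sample data: one certificate well outside the window, one inside it.
SAMPLE_TODAY = date(2025, 1, 1)
FAR_CERT = Certificate("www.example.com", date(2025, 6, 30))   # 180 days left
NEAR_CERT = Certificate("api.example.com", date(2025, 1, 20))  # 19 days left

if __name__ == "__main__":
    for cert in (FAR_CERT, NEAR_CERT):
        for ca in (ca_accepts, ca_rejects_csr, ca_unknown_cert):
            r = renew_or_reissue(cert, SAMPLE_TODAY, 90, ca, ca)
            print(f"{cert.common_name:16} {ca.__name__:16} -> {r.outcome.value:18} {r.not_after} {r.detail}")
```

Running the script prints one line per combination of certificate and simulated CA response, which makes it easy to see that only the out-of-window, non-"not found" failure ends in an error, while every in-window failure silently becomes standard issuance.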
Setting the renewal window
The default renewal window for the DigiCert CA is 32 days. If you need a different window, you can customize it when configuring the DigiCert CA connection.
Reissuing a certificate
To reissue a certificate, follow the steps in Renewing a certificate manually. If the certificate is outside the renewal window, TLS Protect Cloud automatically reissues it instead of renewing it, since the reissuance option is free of charge.
You cannot change a certificate’s expiration date through reissuance. No matter what expiration you enter in the wizard, the new certificate will retain the original certificate’s expiration date. TLS Protect Cloud first checks whether the certificate is in the renewal window. If it is, the certificate is renewed based on the renewal wizard settings. If it is outside the renewal window, it is automatically reissued with the original order's expiration date.
Logging and auditing
TLS Protect Cloud logs reissuance events separately from renewals and new certificate requests, providing visibility into certificate lifecycle changes. This helps administrators track when and why a certificate was reissued and ensures compliance with security policies.
For details on viewing the event log, see event logging.
Other reissuance notes and considerations
When to reissue a certificate
Reissuance is typically used in the following scenarios:
- Lost or compromised private key – If the private key associated with a certificate is lost or no longer accessible, reissuance allows you to generate a new key pair and obtain a new certificate.
- Modifying certificate details – You can update the common name (CN) or adjust subject alternative names (SANs) while keeping the existing order.
- Operational needs – If an existing certificate needs replacement due to configuration changes, reissuance provides a seamless way to do so without affecting the certificate order.
DigiCert provides reissuance as a free service for certificate owners.
Security considerations for reissuance
While reissuance is a flexible option, follow these security best practices:
- Key management – If a private key is lost, generate a new key pair during reissuance to prevent unauthorized access.
- Key compromise – If a private key is suspected to be compromised, revoke the certificate instead of reissuing it. Revocation ensures the compromised certificate is no longer trusted by clients and servers.
When DigiCert reissues a certificate, the original certificate is marked as revocation pending and is no longer valid.
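Two points above deserve a concrete check before a reissuance request is submitted: a reissuance after a lost key must be built on a new key pair, not the old one, and an invalid CSR is rejected by the CA. The following added example (not Venafi or DigiCert code) validates a reissuance CSR locally: it verifies the CSR's self-signature, confirms the CSR's public key differs from the key in the certificate being replaced, and confirms the intended SANs are present. It assumes the `cryptography` package is installed; the key, certificate and CSRs are constructed inline so the script runs offline.

```python
"""Pre-submission checks for a reissuance CSR (added example, not Venafi or DigiCert code).

Assumes the `cryptography` package is installed. All key material below is
constructed in-process for illustration.
"""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def spki_der(public_key) -> bytes:
    """DER SubjectPublicKeyInfo, used to compare keys regardless of object identity."""
    return public_key.public_bytes(serialization.Encoding.DER,
                                   serialization.PublicFormat.SubjectPublicKeyInfo)


def make_self_signed(key, cn, sans):
    """Constructed stand-in for the currently installed certificate."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=90))
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(s) for s in sans]), critical=False)
            .sign(key, hashes.SHA256()))


def make_csr(key, cn, sans):
    return (x509.CertificateSigningRequestBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(s) for s in sans]), critical=False)
            .sign(key, hashes.SHA256()))


def check_reissue_csr(csr_pem: bytes, current_cert_pem: bytes, required_sans) -> list:
    """Return a list of problems; an empty list means the CSR is ready to submit."""
    problems = []
    csr = x509.load_pem_x509_csr(csr_pem)
    cert = x509.load_pem_x509_certificate(current_cert_pem)
    if not csr.is_signature_valid:
        problems.append("CSR signature does not verify (CA will reject it)")
    if spki_der(csr.public_key()) == spki_der(cert.public_key()):
        problems.append("CSR reuses the current certificate's key; generate a new key pair for reissuance")
    try:
        san_ext = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName)
        sans = set(san_ext.value.get_values_for_type(x509.DNSName))
    except x509.ExtensionNotFound:
        sans = set()
    missing = sorted(set(required_sans) - sans)
    if missing:
        problems.append(f"CSR is missing SANs: {missing}")
    return problems


# Constructed sample data: the old key and its certificate, and the SANs the reissued cert needs.
OLD_KEY = ec.generate_private_key(ec.SECP256R1())
CURRENT_CERT_PEM = make_self_signed(OLD_KEY, "www.example.com", ["www.example.com"]) \
    .public_bytes(serialization.Encoding.PEM)
REQUIRED_SANS = ["www.example.com", "api.example.com"]


def fresh_key_csr_pem() -> bytes:
    """The correct case: new key pair, all required SANs."""
    new_key = ec.generate_private_key(ec.SECP256R1())
    return make_csr(new_key, "www.example.com", REQUIRED_SANS).public_bytes(serialization.Encoding.PEM)


def reused_key_csr_pem() -> bytes:
    """The mistake to catch: CSR signed with the old key and missing a SAN."""
    return make_csr(OLD_KEY, "www.example.com", ["www.example.com"]).public_bytes(serialization.Encoding.PEM)


if __name__ == "__main__":
    print("fresh key :", check_reissue_csr(fresh_key_csr_pem(), CURRENT_CERT_PEM, REQUIRED_SANS) or "OK")
    print("reused key:", check_reissue_csr(reused_key_csr_pem(), CURRENT_CERT_PEM, REQUIRED_SANS))
```

The key-reuse check is deliberately done by comparing the encoded public keys rather than trusting file names or labels, because after a lost-key incident the operator often cannot be sure which key file a CSR was generated from.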
When revocation is required instead of reissuance
Reissuance is not an option if a certificate has already been revoked. Revocation permanently invalidates a certificate, requiring a new certificate request. This is particularly important in cases of key compromise, where an attacker may still possess the private key even after reissuance.