How to Rotate an SSL Certificate Zero-Downtime
SSL rotation = replacing the cert before expiry. Correct flow: 30 days before expiry obtain a new cert, drop it next to the old one, hot-reload the web server. Clients in handshake don't notice. Let's Encrypt auto-renews via the certbot timer; commercial CA = manual renew + replace fullchain.pem + reload.
Below: step-by-step, working examples, common pitfalls, FAQ.
Step-by-Step Setup
- 30 days before expiry set up auto-renew or a manual rollout calendar
- Let's Encrypt:
certbot renew --dry-run— verify renew logic without writing - Issue the new cert:
certbot renewor download from commercial CA - Replace
fullchain.pem+privkey.pemin the nginx config path - Hot-reload (no stop):
nginx -t && nginx -s reload(or systemctl reload nginx) - Verify via Enterno SSL checker that the new cert is live
- Monitor the next 24h — no Cloudflare 525/526 if used
Working Examples
| Scenario | Config |
|---|---|
| Let's Encrypt auto-renew timer | systemctl enable --now certbot.timer # renews + reload nginx hook |
| Force renew before expiry | certbot certonly --force-renewal -d example.com -d www.example.com |
| Renew on Nginx Plus | nginx -s reload # zero-downtime worker restart |
| Commercial CA manual | cat cert.pem intermediate.pem > fullchain.pem; cp fullchain.pem /etc/ssl/; nginx -s reload |
| Check active cert dates | openssl x509 -in /etc/letsencrypt/live/example.com/fullchain.pem -noout -dates |
Common Pitfalls
- Forgetting OCSP stapling bundle with the new cert — TLS handshake slows down
- Renewing only server cert without intermediate — ERR_CERT_AUTHORITY_INVALID for clients
- Not reloading the server after replace — files updated but nginx holds the old cert in memory
- Renewing 5 days before expiry — no buffer if something breaks
- Cloudflare Full (strict) + legacy origin cert — verify the chain directly against origin
Why teams trust us
How it works
Enter domain
TLS chain verified
Expiry date & vulnerabilities
What Does the SSL Check Cover?
SSL/TLS is the encryption protocol that protects data between the browser and server. Our tool analyzes the certificate, chain of trust, TLS version, and knownvulnerabilities.
Certificate Details
Issuer, validity period, signature algorithm, covered domains (SAN), and validation type (DV/OV/EV).
Chain of Trust
Full chain verification: from leaf certificate through intermediates to root CA.
TLS Analysis
Protocol version (TLS 1.2/1.3), cipher suites, Perfect Forward Secrecy (PFS) support.
Expiry Alerts
Set up a monitor — get Telegram and email alerts 30/14/7 days before expiration.
DV vs OV vs EV Certificates
- Confirms domain ownership only
- Issued in minutes automatically
- Free via Let's Encrypt
- Suitable for most websites
- Most common certificate type
- Organization (OV) or Extended Validation (EV)
- Issued in 1-5 business days
- Costs $50 to $500/year
- For finance, e-commerce, government sites
- Increases user trust
Who uses this
DevOps
SSL certificate monitoring
Security
TLS config audit
SEO
HTTPS as ranking factor
E-commerce
customer trust
Common Mistakes
www and subdomains.Best Practices
Strict-Transport-Security header forces browsers to always use HTTPS.Get more with a free account
SSL certificate monitoring, check history and alerts 30 days before expiry.
Sign up freeLearn more
How-to
Frequently Asked Questions
How often does Let's Encrypt renew?
Certbot auto-renew fires when <30 days to expiry. LE cert validity is 90 days → ~6 renews/year.
Do I need restart or just reload?
Reload (SIGHUP) is enough — worker processes re-init gracefully. Restart = downtime.
How to auto-reload on renew?
Certbot deploy hook: <code>certbot renew --deploy-hook "systemctl reload nginx"</code> or at /etc/letsencrypt/renewal-hooks/deploy/reload-nginx.sh.
What if the cert expired?
Urgent renew + reload. If <code>certbot renew</code> fails due to rate limits: <code>certbot certonly --force-renewal</code>.