How to renew SSL/TLS or S/MIME certificates in a few simple steps to ensure security

Renewing your SSL/TLS or S/MIME certificates is crucial for your digital security. Learn here how to renew them in a few simple steps and what to consider so you benefit from the trust of the Swiss certificate authority.

Limited certificate validity period for security reasons

SSL/TLS certificates are valid for a limited time only – one year for our SSL/TLS certificates and one or two years for our email certificates (as of June 2025). Once they expire, your website loses its secure connection or it is no longer possible to sign and encrypt your emails. This not only risks compromising your users’ data or increases the likelihood of email attacks, but it can also damage trust in your brand. By renewing your certificate in good time, you are ensuring that both your website and your emails remain encrypted and trustworthy.

A new certificate to replace the expired one

Technically, SSL/TLS certificates are not renewed by being extended. Instead, a new certificate is created to replace your existing one. This is necessary to ensure maximum security, as new key pairs are generated and the latest encryption standards are applied (technical term: 're-key').

You can choose between manual renewal (instructions) or automation using a managed public key infrastructure (more on this).

Renew your certificate at least 30 days before expiry

SSL/TLS certificates can be renewed at any time. We recommend starting this process at least 30 days before the expiry date to avoid potential delays or interruptions. This ensures your website or email inbox remains secure and user-friendly at all times.

Pay attention to your key pairs

A new key pair is generated when a certificate is updated, so both the private key and the public key are updated. Be sure to store your private key securely and never share it with anyone.

Manual updating in practice: a step-by-step guide – without MPKI

1. Order a certificate: Select your desired certificate further down here on this page – consider whether you would also like to change the certificate type. A multi-domain certificate, for example, allows you to protect any number of domains and subdomains, making it ideal for larger companies and projects.
2. Create a certificate signing request (CSR): once you have bought your certificate, you will receive a voucher code and a link from us. Use them to complete the certificate issuance or signing application and start what is known as the certificate signing request (CSR).
3. We will review your application: confirm your identity through domain validation (DV), organisation validation (OV) or extended validation (EV). The higher the trust level you would like for your website or your emails, the higher the validation level should be. You will find an overview of the different levels here. This step is unnecessary if you obtain your certificates through the Managed PKI service.
4. SwissSign issues the certificate.
5. Install the certificate: after it has been issued, download the new certificate and install it on your server. You will find our general certificate purchase guide here.