SSL Certificate Lifecycle
Table of Contents
- Overview of the stages
- Choose
- Order
- Validate
- Issue
- Install
- Monitor
- Renew
- Expire
- Sectigo vs. Let’s Encrypt Lifecycle Differences
- Shorter Validity, Faster Cycles
- Have more questions?
An SSL certificate is not a one-time purchase. It has a defined validity period and goes through several stages during its life. Understanding these stages — and how they connect — helps you keep your site secured without interruption and plan for upcoming validity changes.
Overview of the stages
Every SSL certificate follows the same general path:
- Choose a certificate product
- Order the certificate
- Validate domain ownership
- Issue the certificate
- Install the certificate on your server
- Monitor the certificate for upcoming expiration
- Renew (or reissue) before expiration
- Expire — if the certificate is not renewed in time
The specifics at each stage differ depending on whether you use a Sectigo certificate or a Let’s Encrypt certificate, but the overall path is the same.
Choose
Before ordering, decide which certificate product fits your situation. DNSimple offers four products — Sectigo single-name, Sectigo wildcard, Let’s Encrypt single-name/SAN, and Let’s Encrypt wildcard — each with different trade-offs around cost, automation, and name coverage.
If you are unsure which product to choose, review the SSL/TLS Certificates overview and the comparison between Sectigo and Let’s Encrypt to understand the differences. You may also want to review the different SSL certificate types to understand validation levels and secured-domain options.
Order
Ordering creates a certificate request with the certificate authority (CA). During the order, you select the host names the certificate will cover and, for Sectigo certificates, choose a signature algorithm (ECDSA or RSA).
If you are renewing an expiring certificate, DNSimple’s renewal interface reuses most of the settings from the previous certificate to simplify this step. See Renewing an SSL Certificate.
Validate
Before a CA will issue a certificate, it must confirm that the requester controls the domain. This process is called domain validation.
The validation method depends on the certificate type:
- Sectigo certificates use email-based validation. The CA sends a verification email to an administrative address at the domain (e.g., admin@example.com), and the domain owner must click a link in that email to approve the certificate.
- Let’s Encrypt certificates use DNS-based validation. DNSimple automatically creates the required DNS records and submits the challenge to Let’s Encrypt — no manual action is needed, provided the domain resolves with DNSimple.
Warning
Validation must be completed for every new certificate, including renewals. If you don’t complete validation, the certificate will not be issued.
Issue
Once validation succeeds, the CA issues the certificate. Issuance time varies:
- Let’s Encrypt: Typically 30–60 minutes, because validation is automated.
- Sectigo: Typically about an hour after email approval, though delays of up to several days can occur if there are issues with the domain configuration or CAA records.
When the certificate is issued, DNSimple sends an email notification. If you use webhooks, a webhook event is also triggered.
Install
An issued certificate must be installed on your web server (or hosting platform) before it can secure traffic. Installation involves downloading the certificate, the intermediate certificate chain, and — if DNSimple generated the CSR — the private key. These files come in different formats depending on your platform and are then configured on your server.
DNSimple provides an installation wizard with platform-specific instructions for Heroku, Azure, NGINX, Apache, and Microsoft IIS.
Note
Issuing a certificate does not automatically secure your site. The certificate must be installed on your server for HTTPS to work.
Monitor
After installation, the certificate is active and securing traffic. DNSimple sends expiration notifications as the certificate approaches its expiration date, giving you time to renew.
For Let’s Encrypt certificates with auto-renewal enabled, DNSimple automatically handles renewal 30 days before expiration. For Sectigo certificates, you will need to renew manually.
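An added example (not DNSimple's code) of an independent expiration check: it classifies the certificate a server actually presents, so it also catches a certificate that was renewed and issued but never installed. The 30-day alert window reuses the auto-renewal lead time mentioned above; the function names, status labels and sample dates are assumptions constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone
from typing import Optional

RENEW_DAYS = 30  # assumed alert window, taken from the 30-day auto-renewal lead time


def _parse(not_after: str) -> datetime:
    # notAfter strings from getpeercert() look like "Jun  1 12:00:00 2026 GMT"
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)


def status(served: str, now: datetime, latest_issued: Optional[str] = None) -> str:
    """Classify by the served notAfter; latest_issued is the newest issued cert's notAfter."""
    left = (_parse(served) - now).days  # whole days left, negative once expired
    if left < 0:
        return "expired"
    if latest_issued and _parse(latest_issued) > _parse(served):
        return "renewed-not-installed"  # a newer cert exists but the old one is served
    return "renew" if left <= RENEW_DAYS else "ok"


def served_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Fetch notAfter from the live endpoint (needs network access)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def check_host(host: str, latest_issued: Optional[str] = None) -> str:
    try:
        served = served_not_after(host)
    except ssl.SSLCertVerificationError as exc:
        # An expired or untrusted certificate fails the handshake before we can read it.
        return f"invalid: {exc.verify_message}"
    return status(served, datetime.now(timezone.utc), latest_issued)


if __name__ == "__main__":
    now = datetime(2026, 5, 1, tzinfo=timezone.utc)  # constructed sample clock
    print(status("Jul 30 00:00:00 2026 GMT", now))
    print(status("May 21 00:00:00 2026 GMT", now))
    print(status("May 21 00:00:00 2026 GMT", now, "Aug 19 00:00:00 2026 GMT"))
```

Run `check_host` from a scheduler against each production hostname and alert on anything other than `ok`.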
Renew
SSL certificate renewal is effectively a new certificate purchase. There is no way to extend the validity of an existing certificate — a completely new certificate is issued, validated, and installed in place of the old one. DNSimple’s renewal interface simplifies this by reusing settings from the expiring certificate.
For a detailed explanation of how renewal works, see How does an SSL Certificate Renewal work?.
If a certificate’s private key has been compromised or lost, you may need to reissue rather than renew. Reissuing generates a new key and CSR while keeping the certificate’s validity period.
Expire
If a certificate is not renewed before its expiration date, it becomes invalid. Browsers will display a security warning to visitors, and HTTPS connections will fail.
Expiration dates depend on the certificate type and when it was issued:
- Let’s Encrypt certificates are valid for 90 days.
- Sectigo certificates issued on or after March 15, 2026 are valid for a maximum of 200 days. This maximum will continue to decrease to 100 days (March 2027) and 47 days (March 2029).
Sectigo vs. Let’s Encrypt Lifecycle Differences
The lifecycle stages are the same for both certificate types, but the specifics differ at each stage – particularly around validation, automation, and validity periods. For a full side-by-side comparison of features, pricing, and capabilities, see Sectigo vs Let’s Encrypt SSL Certificates.
The most significant lifecycle difference is automation: Let’s Encrypt certificates support DNS-based validation and auto-renewal, making the entire renewal cycle hands-off. Sectigo certificates require email-based validation each time, so every renewal involves manual action.
Shorter Validity, Faster Cycles
As certificate lifetimes continue to shrink under CA/Browser Forum rules, the full lifecycle — order, validate, issue, install — will repeat more frequently. Automation becomes increasingly important: consider enabling auto-renewal for Let’s Encrypt certificates, and using the DNSimple API to automate installation.
Have more questions?
If you have any questions about the SSL certificate lifecycle or need assistance with your certificates, just contact support, and we’ll be happy to help.