SSL renewal — when, how, automatic versus manual processes

22.05.2035

An SSL certificate isn't forever: it is valid for between 90 days and 2 years, then must be renewed. On the day of expiry browsers show "NET::ERR_CERT_DATE_INVALID" and the site barely works. Clients leave instantly, search rankings drop, and money is lost. A proper renewal strategy is the foundation of a worry-free business.

When to renew

Renewal starts at least 30 days before expiry. That gives enough time for validation, installation, testing and solving any issues. By 7 days before expiry the new certificate must already be working; never leave it for the last day. Let's Encrypt recommends 30 days, and for paid certificates the recommendation is 30-60 days.
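
A check built on the thresholds above, as an added example that is not part of the original article: it classifies a certificate's notAfter date against the 30-day and 7-day marks. The host names and dates are constructed sample data, and the state names (OK, RENEW, CRITICAL, EXPIRED) are this example's own labels.

```python
import socket
import ssl
from datetime import datetime, timezone

RENEW_DAYS = 30    # article: renewal starts at least 30 days before expiry
DEADLINE_DAYS = 7  # article: the new certificate must be working by this point


def days_left(not_after: str, now: datetime) -> int:
    """Whole days until notAfter, in the string format getpeercert() returns."""
    expiry = ssl.cert_time_to_seconds(not_after)
    return int((expiry - now.timestamp()) // 86400)


def renewal_state(not_after: str, now: datetime) -> str:
    left = days_left(not_after, now)
    if left < 0:
        return "EXPIRED"
    if left <= DEADLINE_DAYS:
        return "CRITICAL"
    if left <= RENEW_DAYS:
        return "RENEW"
    return "OK"


def fetch_not_after(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Read notAfter from a live server. Verification stays enabled, so an
    already-expired certificate raises ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


# Constructed sample data (hypothetical hosts), evaluated offline.
NOW = datetime(2035, 5, 22, 12, 0, 0, tzinfo=timezone.utc)
SAMPLES = {
    "shop.example": "Aug 20 12:00:00 2035 GMT",
    "api.example": "Jun 15 12:00:00 2035 GMT",
    "mail.example": "May 27 12:00:00 2035 GMT",
    "old.example": "May 21 12:00:00 2035 GMT",
}


def report(samples: dict, now: datetime) -> dict:
    return {host: renewal_state(na, now) for host, na in samples.items()}


if __name__ == "__main__":
    for host, state in report(SAMPLES, NOW).items():
        print(f"{host:14} {days_left(SAMPLES[host], NOW):4d} days  {state}")
```

Run from cron or a monitoring job, fetch_not_after() supplies the date for a live host and anything other than OK should raise an alert.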

How automatic renewal works

Let's Encrypt and modern providers support auto-renewal via ACME. Certbot or acme.sh runs in the background on the server, fetches a new certificate 30 days before expiry and installs it in the web server. No intervention is needed. If automation fails (a DNS issue, a validation problem), notifications come via email or Telegram.

Manual renewal process

Large certificates (EV, OV, multi-domain) are renewed manually. First generate a new CSR (Certificate Signing Request) on the server. Send it to the provider, pass validation (company documents or domain confirmation) and receive the new certificate. Then replace the old certificate in the server config and restart the web server.

Old vs new key

There are two options on renewal: keep the old private key or generate a new one. Security-wise, generating a new key every time is correct: if the old key leaked, it won't match the new certificate. But for apps that rely on pinning this can be a problem. Usually changing the key once a year is recommended.

Sayt.uz practice

SSL renewal in the Sayt.uz panel is fully automated. Free certificates renew every 60 days in the background. Paid ones get reminders 30, 14 and 7 days ahead via email, Telegram and SMS. Pricing: free Let's Encrypt at 0 UZS, paid DV from 350,000 UZS, OV from 800,000 UZS, EV from 2,500,000 UZS per year. A discount applies when bundled with hosting.
