SSL Certificate Renewal Process
Overview
The WAF manages SSL/TLS certificates for your domain automatically. In most cases, certificate renewal happens without any action on your part. This document explains how the renewal process works and what can prevent it from completing.
Standard Certificates (Automatic Renewal)
For single-domain certificates (e.g., www.example.com), renewal is fully automatic:
- The WAF monitors your certificate’s expiration date
- Before the certificate expires, the WAF requests a new certificate from the certificate authority (GoDaddy/Starfield)
- The certificate authority verifies your domain by confirming that DNS still points to the WAF
- The new certificate is issued and installed automatically
- There is no downtime and no action required from you
Requirements for Automatic Renewal
Automatic renewal succeeds when:
- DNS points to the WAF — Your domain’s A record must resolve to the WAF IP address shown on your dashboard. If DNS was changed to point elsewhere, renewal will fail.
- No blocking CAA records — If your domain has CAA DNS records, they must include godaddy.com. See CAA Records and Certificate Renewal.
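Both requirements can be checked from a shell before a renewal is due. The script below is an added example, not part of the original page or the WAF's own tooling; the function names are hypothetical, and it assumes `dig` is installed and that any A record other than the WAF IP counts as a failure.

```bash
#!/usr/bin/env bash
# Added example (hypothetical helper names). Both functions take the text
# printed by `dig +short`, so they can be exercised offline as well as live.

# a_record_matches <dig +short A output> <WAF IP from dashboard>
# Succeeds only if at least one A record is returned and all equal the WAF IP.
# CNAME targets that dig prints before the addresses are ignored.
a_record_matches() {
    printf '%s\n' "$1" | awk -v ip="$2" '
        /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { n++; if ($0 != ip) bad = 1 }
        END { exit !(n > 0 && !bad) }'
}

# caa_allows_godaddy <dig +short CAA output> [wildcard]
# Lines look like: 0 issue "godaddy.com"
# No issue records means any CA may issue. If issue records exist, godaddy.com
# must be one of them. For wildcard names, issuewild records take precedence
# over issue records when present (RFC 8659).
caa_allows_godaddy() {
    printf '%s\n' "$1" | awk -v wild="${2:-}" '
        { tag = tolower($2); v = tolower($3); gsub(/"/, "", v); sub(/;.*/, "", v) }
        tag == "issue"     { ni++; if (v == "godaddy.com") oki = 1 }
        tag == "issuewild" { nw++; if (v == "godaddy.com") okw = 1 }
        END {
            if (wild == "wildcard" && nw > 0) exit !okw
            exit !(ni == 0 || oki)
        }'
}

# Live use: ./renewal-precheck.sh yourdomain.com <WAF IP> [wildcard]
# Limitation: only the queried name is checked. A CA also consults CAA records
# on parent domains when the name itself has none.
if [ "$#" -ge 2 ]; then
    if a_record_matches "$(dig +short A "$1")" "$2"; then
        echo "A record: points to $2"
    else
        echo "A record: does NOT point only to $2"
    fi
    if caa_allows_godaddy "$(dig +short CAA "$1")" "${3:-}"; then
        echo "CAA: godaddy.com is permitted"
    else
        echo "CAA: godaddy.com is blocked by existing records"
    fi
fi
```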
What Happens If Renewal Fails
If renewal cannot complete (usually because DNS no longer points to the WAF), the existing certificate continues to work until it expires. You will see an amber indicator on your dashboard’s TLS/SSL Certificate page.
To fix a failed renewal:
- Verify your DNS A record points to the WAF IP shown on your dashboard
- Check for CAA records that might block GoDaddy — see Troubleshooting SSL Certificate Issues
- Contact us at support@expeditedsecurity.com and we will re-trigger the renewal
Wildcard Certificates (Manual Renewal)
Wildcard certificates (*.yourdomain.com) cannot renew automatically because they require a new DNS record for each renewal cycle.
When your wildcard certificate approaches expiration:
- We send you a renewal notification email with a new CNAME or TXT record
- You add the record to your DNS configuration
- The certificate authority verifies the record and issues a new certificate
- The new certificate is installed automatically
This process repeats annually. Each renewal requires a different DNS record, so watch for the renewal email each year.
See Wildcard Certificate Renewal for full details.
Checking Your Certificate Status
From Your Dashboard
Visit the TLS/SSL Certificate page on your WAF dashboard:
- Green — Certificate is active and valid
- Amber — Renewal is in progress or needs attention
- Red — Certificate has expired
From the Command Line
```bash
echo | openssl s_client -servername yourdomain.com -connect yourdomain.com:443 2>/dev/null | openssl x509 -noout -subject -issuer -dates
```
Look at the notAfter date to see when the current certificate expires.
Certificate Timeline
| Event | Timing |
|---|---|
| Automatic renewal attempted | Before expiration (no fixed schedule — monitored continuously) |
| Wildcard renewal notification sent | ~30 days before expiration |
| DNS verification (wildcard) | 1–24 hours after DNS record is added |
| Certificate installation | Automatic once issued |
Need Help?
If your certificate is not renewing or you see warnings on your dashboard:
- Contact us at support@expeditedsecurity.com
- Book a Call at https://app.harmonizely.com/expedited/30-min