Multi-year certificate
How does buying a multi-year SSL Certificate work?
In 2020, major browser companies declared that they would no longer support SSL Certificates with an expiry date of more than 398 days (i.e. 1 year plus a grace period). Certification Authorities, like our partner Sectigo, are therefore unable to continue offering 2-year SSL certificates, since they would be refused by the browsers used by a large proportion of the Internet community.
While this does indeed enhance the security of the Internet as a whole, it is a problem for many website owners. Previously, website owners were able to buy certificates SSL on a long-term basis, at a more attractive price than having to renew their certificate every year.
This is why Gandi has teamed up with Sectigo, our Certification Authority Partner, to offer you multi-year SSL Certificates. With this multi-year option, you can take advantage of the discounts offered by paying several years in advance, while also complying with the requirements imposed by browser companies by allowing your certificate to be validated every year.
Warning
Multi-year subscriptions still require you to renew your SSL certificate EVERY year, free of charge. You will receive a reminder email asking you to complete the various steps required to renew your certificate, 30 days before the current certificate expires. These emails will explain how to re-validate your certificate. You can also refer to the SSL Certificates section of your account at any time to check the current status of your SSL Certificates, as well as the renewal process for Certificates expiring soon.
How to buy a Multi-Year Certificate
Follow the normal SSL certificate creation procedure and choose the "2-year" option when prompted:
https://docs.gandi.net/en/ssl/create/create_certificate.html
How to re-issue a Multi-Year Certificate
Important
When renewing a multi-year certificate, your old certificate will be automatically revoked 48 hours after the new certificate has been validated.
A multi-year certificate is just a way of allowing you to pay several years in advance in order to take advantage of a discount. Certificates remain valid for one year, and reissue is a free, simplified renewal. HOWEVER, if you let your certificate expire without reissuing it ON TIME, your certificate will be revoked and you won't be able to reissue or renew it. Any additional years will be lost.
These are the steps required to validate your SSL certificate every year after the first. When you reissue a certificate, you are in fact carrying out a special kind of regeneration of your certificate to replace certain critical components that could potentially pose security problems. Please follow the steps below:
- Log in to your Gandi account, then go to "SSL CERTIFICATES" in the left-hand menu.
- Click on the name of the certificate to access its information page. You can also click on the menu ( ፧ ) to the right of the desired certificate and select "Regenerate".
- Click on the "Regenerate" button.
- Follow the on-screen instructions to complete the regeneration of your certificate.
The instructions on regenerating your certificate will guide you through the various steps involved in regenerating or creating a certificate. For example, if you're using an automatically generated certificate, you won't need to take any further steps to regenerate it. If you've been through the validation process, you'll need to go through it again.
Note
If your certificate is for a domain that is not registered with Gandi, or if you have registered it using the "manual" method, do not choose automatic regeneration since this is reserved for certificates issued to domains that are not registered with Gandi. As such, you won't be able to download and install it.
Important
If you choose a "manual" regeneration, remember that you will need to download the new SSL certificate and install it on your servers, using the private key generated when the new CSR was created.
How to renew a Multi-Year Certificate
The process for renewing a Multi-Year Certificate depends on the type of certificate you have purchased. Go to the "SSL Certificates" section of your account and search for the certificate you wish to renew. Click on the certificate and instructions on how to proceed will be displayed.