Certificate Renewal Checklist: Emergency & Planned
Step-by-step checklist for both emergency (expired cert, outage) and planned certificate renewals across Nginx, Apache, IIS, load balancers, and Kubernetes.
Table of Contents
- Emergency Renewal: First 15 Minutes
- Planned Renewal Workflow
- Nginx Renewal Steps
- Apache Renewal Steps
- IIS Renewal Steps
- Load Balancer Updates
- Kubernetes cert-manager Renewals
- Post-Renewal Verification
Overview
When a certificate expires unexpectedly at 2 AM, you don’t want to be searching documentation or trying to recall command syntax. You need a clear, tested procedure that gets services back online fast. Equally, planned renewals shouldn’t be stressful; they should be routine operations with verification steps that catch issues before they reach production.
This checklist covers both scenarios. The emergency section is designed for speed: identify the expired cert, generate or retrieve the replacement, deploy it, and verify — all within a target window of 15 minutes for a single service. The planned renewal section is more thorough, covering CSR generation, CA submission, staging validation, and coordinated deployment across multiple servers.
Each platform section (Nginx, Apache, IIS, AWS ALB, Kubernetes) includes the exact commands and file paths you need.
What’s Included
- Emergency triage procedure to identify which certificate caused the outage
- Platform-specific renewal commands for Nginx, Apache, IIS, and AWS/Azure load balancers
- Kubernetes cert-manager troubleshooting for failed automatic renewals
- Chain validation steps to catch missing intermediates before deployment
- Rollback procedures if the new certificate causes unexpected issues
- Post-renewal verification using curl, openssl s_client, and browser testing