Buy or Renew a SSL Certificate Easily

As we all know, security is the biggest source of hassle and frustration in using internet sites. Well, it's worse if you are trying to create a web site. What I am talking about here is the SSL security certificate process. Buying and installing a new SSL certificate manually can be extraordinarily difficult, leading you througth what I call "Complexity Hell". Renewing or Reissuing one is just as bad, if not worse.
So the intention of this article is to guide you through an easy method to buy or renew an SSL Certificate. It is specific to those who use Namecheap Hosting, since they have a very good, if somewhat hidden, purchase/renewal app. Other hosting providers likely have something similar.
I will refer to this as the "Easy Renewal" tool

But first, some clarification about dealing with SSL Certificates.

One supplier of SSL Certificates is Comodo. Namecheap uses this company for its SSLs. Two common SSL Certs from Comodo are "PositiveSSL" and "EssentialSSL". The Positive SSL is about half the price of the EssentialSSL. For simple web sites, even those who have some "e-commerse" (shopping carts and the like), the PositiveSSL Certificate is plenty. These two SSL certs are "type "DV" (Domain Validation).
More elaborate (and expensive) types are "OV" (Organization Validation) and "EV" (Enterprise Validation).

You can usually purchase SSL certificates for 1 year or up to 5 years.

"Renew". You can renew an existing SSL by buying another one to replace it. It is best to wait until the SSL is under 30 days before expiration. This way, the remaining time left on the existing one will carry over, whereas you may lose the remaining time if renewed prior to the 30 day expiry.

"Reissue". If you have a multi-year SSL, you can reissue it each year. But often this "reissue" process involves going through the "Complexity Hell" method.

Notes specific to Namecheap. You can use the Easy Renewal tool to renew, but not to reissue, your SSLs (as of March 2026). You can reissue multi-year SSLs through Namecheap for "free", but you're faced with the "Complexity Hell" process. The the "easy renewal" tool only works for 1 year SSLs, according to Namecheap's Youtube video, 1/2023.
The easy renewal tool is in your "cPanel". For those who are new at this sort of thing, "cPanel" is one of several industry-wide methods of handling various aspects of your web site. For example, you upload your web pages using cPanel. cPanel is independent of the Hosting site.

So the upshot is this:
If you want to have a hassle-free, inexpensive way to maintain SSL Certificates, and you use Namecheap as your Hosting Provider, buy a PositiveSSL and renew it each year using Namecheap's Easy Renewal tool.
This article explains how.

NOTE: SSLs are about to go to a 200 day cycle instead of the current 1 year cycle. I don't know how this will be handled. Recent Namecheap articles suggest that they will provide an automated method to service their renewal. That is, you can in principle purchase 1 to 5 year SSLs and use this method to reinstall them every 200 days. If that is really the case, and if the reissue is no charge, then you can maintain your SSLs without the hassle of manual methods. Nonetheless you might find this article to greatly help you buy your first SSL.

Buying or Renewing an SSL Certificate through Namecheap.

1 Buying an SSL for the first time, or buying a PositiveSSL to replace a more expensive one starts here. (Go to Section 4 if you are renewing). To find the page for ordering SSL Certs: From your "Dashboard", Click Security. . .SSL Certificates.	2 You are taken to the Namecheap SSL purchase page. Note that the SSL Certs available here are actually Comodo SSLs, and have the Comodo names. Prices are in Canadian Dollars. 1 Canadian Dollar equals approximately 0.75 U.S. Dollar. NOTE: As mentioned above, buy the 1-year, not multiple years. Why? Because the EasySSL tool only supports 1-year SSLs. Also, buy the PositiveSSL. It is a "DV" (Domain Validation) SSL, with 2048-bit encryption, and is less than half the price of the EssentialSSL.

3 Here's the receipt. Note that it has a "Manage" button - may say "Install". Do not use this link! You will be led to the Complexity Hell version. Go instead to "cPanel" and use the "Easy SSL Tool". (Next images)	4 (Buying a new SSL continues here. Renewing an existing SSL starts here.) New to Namecheap? Can't find a big button called "cPanel"? That's because it's somewhat hidden! In your "Dashboard", hover over the icon to the right of the house. Select Go to cPanel. What is "Stellar"? It's Namecheap's name for your hosting plan. (This name may differ).

5 In Tools, Select NamecheapSSL	6 Here's the tool main page. Select Sign in with Namecheap. If you are already signed in, it "should not" ask for an additional sign-in.

7 The tool shows all the SSLs available for installation. Click Install. Yes. This install is safe!	8 The next panel prompts for replacing your existing SSL Cert. Click Yes, Replace.

9 Here's the pesky CSR! (Certificate Signing Request). Why "pesky"? See my take on the manual process below! The EasySSL Tool will place it in the Secret Location that manual processes don't make obvious. The tool will also handle the "DCV" (Domain Control Validation) file placement as well. Click Install Certificate.	10 That's it!!! No archane additional steps that only Superheros can follow! You can see the current "EssentialSSL" and the new "PositiveSSL". Give it about 20-30 minutes. Then you can click Sync. When the process completes, you will see the next image.

11 The new SSL Certificate is now active.
	NOTE: When you purchase a new SSL from Namecheap, you "should" get two emails from Comodo/Sectigo: One email contains: the CSR (Certificate Signing Request), in text form(!) an attachment with a ZIP file containing: my_blog_com.ca_bundle (where "my_blog_com" is the name of your web site). my_blog_com.crt The placement of these files is handled automatically by the Easy SSL Tool. The next email contains a "COMODO SSL TrustLogo". It can be displayed on your Home page. if desired.

Some Notes on the Manual ("Complexity Hell") Process

Even though Namecheap has a very good "Easy SSL" tool, many links on their site or in their email notifications leads to the manual procedures, aka "Complexity Hell".
Why is that? I finally began to understand that Namecheap (and likely other hosting services), allows for the SSL Certs being purchased elsewhere. It was this email instruction that made this all clear:

SSL Certificates:
If you've purchased an SSL certificate, you will need to enable the SSL on your server. However, if you purchased a renewal PositiveSSL or EssentialSSL for a domain on Namecheap Shared Hosting, it should be installed automatically within an hour of the purchase.

So that probably accounts for the conflicting instructions/links to the installation process. Nonetheless, even if you purchase an SSL through Namecheap, you are still not directed to the "EasySSL" tool. See step 3 above: "Do not use this link!"

So, how bad is the manual procedure, and why do I keep dissing it? That's because it's one of "those" sessions with high tech: You try to follow documentation that does not really tell you what you really have to do, leading to many failed steps, until you just keep trying things until it finally works. . . But you have NO idea what you just did that actually did work, so that you can't even make decent notes for future reference!

So here's a step-by-stumble sample of the manual process.

This example is my "EssentialSSL from 2023.
"Abandon all hope, ye who press MANAGE". . .

I was led here. It assumes that you know what the CSR (Certificate Signing Request) is, and futher, that you have actually procured one.
So this is NOT step 1, even though the green circle is labeled "1 / 3" (step 1 of 3)
Do the next two steps first.

After I found out the what actual sequence really is(!), I went to the "Security" tab on my dashboard and selected the "SSL/TLS" button.

In the SSL/TLS form, just take the default and select "Save". NOW you can find the form shown above, labeled "1 / 3" and paste your CSR file into it.

This is the "Domain Control Validation". It is labled "2 / 3" (step 2 of 3). You are being asked to prove that you are the Domain (web site) owner.
Clicking the down arrow on "DCV Method" gave these 3 choices:
- "Use a CNAME record". This had about 5 pages of incomprehensible instructions.
- "Upload a Validation File". Since I had been down this road before, I knew this was the easiest choice.
- "Send Email". This led to a page where I could NOT enter an email address!
So choose "Upload a validation file". Click "Next".
Notice that it has a link "How to complete DCV".

This shows the top part of a large form titled "EssentialSSL/ PositiveSSL for my_blog.com", This is from the documentation. The real page does not have the blue dots.
Clicking "Download file" might install the file on your site's main directory. If not:
- in cPanel, click on "File Manager". - go to "public_html".
- Create a ".well-known" directory.
- Go to the ".well-known" directory.
- Place the "pki-validation.txt" file inside the ".well-known" directory. Note that the .well-known directory might already have other pki-validation.txt files from prior SSL renewals. You can leave these.
Note that there is a link "Guide: How to get a DCV file". The documentation here does NOT match the documentation from the link shown in the image above, titled "How to complete DCV"!

Here's "Step 3 / 3", although it may have taken you 10 steps to get here.
Just click "Submit"

Clicking "Submit" above "should" yield this page. It also "should" yield a Winzip archive (my_blog_com.zip) with three files:
- "my_blog_com.ca-bundle"
- "my_blog_com.crt"
- "my_blog_com.p7b"
It shows the CSR (Certificate Signing Request") file also. It looks like this:
----BEGIN CERTIFICATE----
AgEWF2h0dHBzOi8vc2VjdGlnby5jb20vQ1BTMAgGBmeBDAECATCBhA. . .
. . . (about 20 lines of similar text). . .
-----END CERTIFICATE-----

You're finished! You have passed the "Complexity Hell" gauntlet. If the steps above are confusing, that's because of the reasons I have outlined above: I did all this, but really have NO idea how I got to some of those pages! To write this article, it took every bit of 8 hours to try to sort through all my desparate notes on the events that transpired on my two journeys through the gauntlet!
Caution: If you are (trying) to navigate the gauntlet, BE CAREFUL. Why? Because it can lead to forms that involved purchasing another SSL!
All of this is why I am more than willing to pay for a "renewal" of a PositiveSSL (about 12 bucks) each year, and use the EasySSL to install it.