Ask a Question

How do I replace an SSL Certificate without the Challenge Phrase?


NOTE: If you have a Symantec Trust Center account, see Method 2 below
To replace your certificate when you cannot remember the Challenge Phrase, follow these steps:

Fax a manual revocation letter on your company letterhead to Symantec. Click on the "Symantec Certificate Revocation Request.oft" file at the bottom of the page.  Instructions for filling out the revocation letter are as follows:  
  1. Label the subject as "Revoke/Replacement". 
  2. The Common Name/Web site address of the certificate (for example, 
  3. Your request and the reason for the revocation (choose from the following reasons):
  • Lost, corrupt, or mismatched Private key  
  • Challenge Phrase not available  
  • Challenge Phrase does not work
  1. Change to server software brand. 
  2. Change to server host/key security. 
  3. Upgrade to key encryption strength. 
  4. Certificate type (Secure Site (Server) Certificate or Secure Site Pro (Global) Certificate). 
  5. The server software vendor you are using (for example, Microsoft IIS 6.0, Apache, iPlanet Web Server, and so on). 
  6. Signature of the Technical or Organizational Contact on the initial enrollment.  
  7. Fax the letter to 1-650-961-8870. The revocation process occurs within 24 hours of receiving the fax.

Replace the certificate

Once the revocation status of the certificate indicates "Revoked", follow these steps:  
  1. Log into Symantec Trust Center.  
  2. Enter the Common Name, order number, or serial number of the certificate you want to replace. 
  3. Click Search. 
  4. Click the name of the certificate you want to replace. Ensure that the status of the certificate displays "Revoked". 
  5. Click Replace.
  6. Generate a new Certificate Signing Request (CSR) from your Web server with the same certificate naming values that were specified in the original CSR. The values are case and space sensitive. 
    NOTE:  Click here for instructions on generating a CSR
If you have created a Symantec Trust Center account, follow the steps below:  
  1. Click here to log into your Symantec Trust Center account.
  2. Enter your Username and Password and click Sign In. Click here if you do not remember your Password
  3. After successfully logging into your account, the main window will display a list of recent certificate orders.
  4. To select the certificate from the list, choose the corresponding radio button next to the certificate you wish to replace. 
  5. Under the Order Summary tab, Available Actions section, click the Replace link towards the bottom of the page.
  6. There are 3 steps to follow on the next page:
    1. Select the server platform
    2. Generate the CSR if you haven't done so already. If the CSR was already generated, proceed to the next step
      Click here for instructions on generating a CSR on your Web server 
    3. Paste in the CSR in the text box
  7. In the Signature Hash Algorithm section, leave as default as recommended unless other hash algorthim is needed.
  8. In the Certificate Transparency section, leave as default.
  9. Click on Submit CSR.
  10. To check the status of your order, log into your Symantec Trust Center account. 
    NOTE: Typical processing time for a replacement certificate is within 24 hours. An email confirmation will be sent within one hour of submission.