How to Remove an SSL Certificate (Without Breaking Your Site)

Removing an SSL certificate sounds like a one-step task: delete a file, reload the server, done. In practice, removing a certificate without preparing the rest of your configuration is one of the fastest ways to take a working site offline. The moment the certificate is gone, your server can no longer complete the TLS handshake, and any browser that tries to reach `https://` gets a connection error instead of a page.

This guide explains *why* you would legitimately remove a certificate, how to do it cleanly in every common environment, and the critical safeguards (HTTPS redirects and HSTS) you must handle first so visitors are not pushed toward an endpoint that no longer answers.

Key Takeaways
• Removing an SSL certificate stops a site from serving HTTPS; visitors see “Not Secure” warnings or hard connection failures.
• In almost every case you should replace a certificate, not simply remove it and leave the site on plain HTTP.
• If the site has HTTPS redirects or HSTS, remove or disable those *first*, otherwise browsers force users to a broken HTTPS endpoint.
• Removal steps differ by environment: cPanel, Apache, Nginx, certbot, and Windows IIS each have their own process.
• Always reload or restart the web service after editing configuration so changes take effect.

Why would you remove an SSL certificate at all?

Most certificate work is *renewal* or *replacement*, not deletion. But there are legitimate reasons to actively remove one:

  • Replacing it with a different certificate — for example, switching from a self-signed or single-domain cert to a wildcard or a different Certificate Authority.
  • Removing a wrongly-installed certificate — a cert issued for the wrong hostname, installed on the wrong vhost, or uploaded with a mismatched private key.
  • Decommissioning a site or subdomain that is being retired entirely.
  • Troubleshooting — clearing out a misconfigured cert/chain to install a clean one and rule out corruption.

If your goal is cleaning up expired certificates across multiple systems rather than actively uninstalling a working cert, that is a related but distinct task. See for the cleanup-focused workflow.

The mistake that breaks sites: the certificate is rarely the only thing pointing visitors at HTTPS. Most modern sites also have a 301 redirect from HTTP to HTTPS and frequently an HSTS header that tells browsers “always use HTTPS for this domain, and do not ask.” If you remove the certificate but leave those in place, every visitor — including ones who type `http://` — is forced to an HTTPS endpoint that can no longer complete a handshake. The result is a site that looks *completely down*, not merely “insecure.” Remove or disable the redirect and HSTS policy first, or, better, replace the certificate so neither ever has to break.

What actually happens when the certificate is gone?

Once a server has no valid certificate bound to port 443:

  • Direct HTTPS requests fail. Browsers report `ERR_SSL_PROTOCOL_ERROR`, `SSL_ERROR_NO_CYPHER_OVERLAP`, or a connection reset.
  • HTTP still works *only if* the site is configured to serve plain HTTP and has no forced redirect.
  • Forced redirects become traps. A `RewriteRule` or `return 301 https://…` sends users to the broken HTTPS endpoint.
  • HSTS makes it worse and sticky. Browsers that previously saw an HSTS header refuse to load HTTP at all, and the policy is cached client-side for the `max-age` you set — clearing the cert does not clear that memory.

This is why “remove” is almost always the wrong final state. Replace the certificate, or deliberately revert the site to HTTP by also removing redirects and HSTS.

How do you remove an SSL certificate in each environment?

The table below summarizes the core action per environment. Detailed steps follow.

| Environment | Where to remove | Core action | Apply change |
|---|---|---|---|
| cPanel | SSL/TLS → Manage SSL Sites | Click Uninstall for the domain | Automatic |
| Apache | vhost / SSL conf file | Remove or comment `SSLCertificateFile` etc.; disable the SSL site | `systemctl reload apache2` / `httpd` |
| Nginx | server block | Remove `ssl_certificate` / `ssl_certificate_key` or the `listen 443` block | `nginx -s reload` |
| certbot (Let’s Encrypt) | certbot store | `certbot delete --cert-name <name>` | Edit/reload server config |
| Windows IIS | IIS Manager → Bindings / Server Certificates | Remove the https binding, then the certificate | Automatic on binding change |

Removing an SSL certificate in cPanel

cPanel makes removal a point-and-click operation:

  1. Log in to cPanel and open SSL/TLS under the Security section.
  2. Click Manage SSL sites.
  3. Scroll to the domain whose certificate you want to remove.
  4. Click Uninstall.

cPanel unbinds the certificate from the domain immediately. If AutoSSL is enabled, be aware it may re-issue a certificate on its next run — disable AutoSSL for that domain if you truly want it to stay off HTTPS.

Removing an SSL certificate in Apache

Apache reads the certificate from directives inside a virtual host. Open the relevant config (often `/etc/apache2/sites-available/your-site-le-ssl.conf` or an entry in `/etc/httpd/conf.d/`) and remove or comment out the certificate directives (`SSLCertificateFile` and the related key and chain directives).

To take the site off HTTPS entirely, disable the SSL vhost and reload:

```bash
sudo a2dissite your-site-le-ssl.conf
sudo systemctl reload apache2
```

On Red Hat-family systems use `sudo systemctl reload httpd` and edit the conf file directly. Test the config first with `sudo apache2ctl configtest`.

Removing an SSL certificate in Nginx

In Nginx the certificate lives in a `server` block. Edit the site file (for example `/etc/nginx/sites-available/your-site` or `/etc/nginx/conf.d/your-site.conf`) and remove the SSL directives, `ssl_certificate` and `ssl_certificate_key`.

If you want the site fully off HTTPS, remove or comment the entire `listen 443 ssl;` server block. Then validate and reload:

```bash
sudo nginx -t
sudo nginx -s reload
```

If you had a `return 301 https://$host$request_uri;` redirect in the HTTP block, remove that too — otherwise visitors are still bounced to the now-dead HTTPS port.

Removing a Let’s Encrypt certificate with certbot

certbot tracks certificates by name and stores renewal config separately from your web server. To list and delete:

```bash
sudo certbot certificates
sudo certbot delete --cert-name your-site.com
```

`certbot delete` removes the certificate files *and* the renewal configuration, so the cron/systemd timer stops trying to renew it. It does not edit your Apache or Nginx config — you must remove the `ssl_certificate`/`SSLCertificateFile` references yourself, then reload the web server.
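As an added example (not part of the original article or of certbot), the shell function below scans a config directory for active Apache and Nginx certificate directives whose target files no longer exist, which is the state `certbot delete` leaves behind until you edit the server config. The function name `dangling_cert_refs`, the hostnames and all sample paths and configs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: report active certificate directives whose files are gone.
# dangling_cert_refs and every sample path/config below are constructed.
dangling_cert_refs() {   # $1 = web server config directory to scan
  find "$1" -type f | sort | while read -r file; do
    awk -v file="$file" '
      /^[ \t]*#/ { next }   # ignore commented-out directives
      # Apache directive names are case-insensitive; Nginx names are lowercase.
      tolower($1) ~ /^(sslcertificate(key|chain)?file|ssl_(trusted_)?certificate(_key)?)$/ {
        path = $2; gsub(/[;"]/, "", path)
        print file ":" FNR, $1, path
      }' "$file"
  done | while read -r where directive path; do
    [ -e "$path" ] || echo "DANGLING $where $directive $path"
  done
}

# Constructed demo tree: one certificate still on disk, one already deleted.
demo=$(mktemp -d)
mkdir -p "$demo/conf" "$demo/live/kept.example.test"
touch "$demo/live/kept.example.test/fullchain.pem" \
      "$demo/live/kept.example.test/privkey.pem"
cat > "$demo/conf/nginx-site.conf" <<EOF
server {
    listen 443 ssl;
    server_name your-site.com;
    ssl_certificate     $demo/live/your-site.com/fullchain.pem;
    ssl_certificate_key $demo/live/your-site.com/privkey.pem;
}
EOF
cat > "$demo/conf/apache-site.conf" <<EOF
<VirtualHost *:443>
    ServerName kept.example.test
    SSLEngine on
    SSLCertificateFile    $demo/live/kept.example.test/fullchain.pem
    SSLCertificateKeyFile $demo/live/kept.example.test/privkey.pem
    # SSLCertificateChainFile $demo/live/old/chain.pem
</VirtualHost>
EOF
dangling_cert_refs "$demo/conf"   # flags only the two Nginx directives
```

Run it against your real config directory before `nginx -t` or `apache2ctl configtest`; every line it prints is a directive to remove or repoint before reloading.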

Removing an SSL certificate in Windows IIS

In IIS, the certificate is attached through a site binding:

  1. Open IIS Manager and select the site.
  2. Click Bindings in the Actions pane.
  3. Select the https binding (port 443) and click Remove.
  4. To delete the certificate object itself, go to the server node, open Server Certificates, select the cert, and click Remove.

Removing the binding stops the site from serving HTTPS immediately. Also review URL Rewrite rules for any HTTP-to-HTTPS redirect and disable it.

Should you replace the certificate instead of removing it?

In the large majority of cases, yes — replace, do not remove. A site that drops from HTTPS to HTTP loses its padlock, triggers “Not Secure” browser labels, can break mixed-content assets, and may damage search visibility and user trust. The clean workflow for *replacing* a certificate is:

  1. Obtain and stage the new certificate, private key, and chain.
  2. Install the new certificate alongside or over the old one.
  3. Update the server directives to point at the new files.
  4. Reload the web service and verify the new cert in a browser.
  5. Only then remove the old certificate files.

This keeps HTTPS continuous, so your redirects and HSTS policy never point at a broken endpoint.


DarazHost: clean SSL management without the guesswork

Managing certificates by hand is exactly where sites break. DarazHost hosting plans include cPanel-based SSL management, so you can install, replace, or cleanly remove certificates from a single SSL/TLS panel — no editing vhosts by hand and hoping you got the reload right.

  • Free AutoSSL keeps valid certificates provisioned and renewed automatically, so most users rarely need to touch a certificate at all.
  • VPS plans with full root access give you direct control over Apache, Nginx, and certbot when you need to remove or swap certificates manually.
  • 24/7 technical support is available specifically for SSL and HTTPS issues — including helping you replace rather than break a certificate, and untangling stuck HSTS or redirect problems.

If you are removing a certificate as part of a migration or fix, our team can make sure HTTPS stays continuous from start to finish.


How do you handle redirects and HSTS before removing a certificate?

This is the step most guides skip, and it is the one that determines whether your site stays reachable.

  • HTTP-to-HTTPS redirects: find and remove them. In Apache this is a `RewriteRule` or `Redirect permanent` in the HTTP vhost; in Nginx it is a `return 301 https://…`; in IIS it is a URL Rewrite rule; in WordPress it may be a plugin or a hardcoded site URL. See to understand exactly where yours lives.
  • HSTS: remove the `Strict-Transport-Security` response header from your config. Note that browsers cache the policy, so existing visitors stay forced to HTTPS until the `max-age` expires. If you must reverse HSTS quickly, serve a new header with `max-age=0` *while HTTPS still works*, then remove the certificate afterward. Removing the cert first leaves no way to deliver the reset header.

The order matters: disable redirects and reset HSTS while the certificate is still valid, confirm the site loads over HTTP, and only then remove the certificate.
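The ordering check described above can be scripted. This added example (not from the original article) reads response headers captured beforehand with `curl -sI` for the HTTP and HTTPS URLs and reports what still blocks removal: a redirect to HTTPS, or an HSTS header with a non-zero `max-age`. The function names, `example.test` and the sample headers are constructed.

```shell
#!/bin/sh
# Added example: pre-removal check on response headers captured with
#   curl -sI http://example.test/  and  curl -sI https://example.test/
# Function names, example.test and the sample headers are constructed.

# Print the HSTS max-age found in the headers on stdin (nothing if absent).
hsts_max_age() {
  tr -d '\r' | awk -F: 'tolower($1) == "strict-transport-security" {
    n = split(tolower($2), part, ";")
    for (i = 1; i <= n; i++) {
      gsub(/[ \t"]/, "", part[i])
      if (part[i] ~ /^max-age=[0-9]+$/) { print substr(part[i], 9); exit }
    }
  }'
}

# Succeed when the headers on stdin are a 3xx response pointing at https://.
redirects_to_https() {
  tr -d '\r' | awk '
    NR == 1 && $2 ~ /^3[0-9][0-9]$/ { redirect = 1 }
    tolower($1) == "location:" && tolower($2) ~ "^https://" { https = 1 }
    END { exit !(redirect && https) }'
}

# $1 = captured HTTP headers, $2 = captured HTTPS headers.
# Prints findings; succeeds only when removing the certificate strands nobody.
removal_blockers() {
  blockers=0
  if redirects_to_https < "$1"; then
    echo "BLOCKER: HTTP still redirects to HTTPS"; blockers=$((blockers + 1))
  fi
  age=$(hsts_max_age < "$2")
  if [ -n "$age" ] && [ "$age" -gt 0 ]; then
    echo "BLOCKER: HSTS still served with max-age=$age"; blockers=$((blockers + 1))
  elif [ -z "$age" ]; then
    echo "NOTE: no HSTS header; cached policies last until their max-age expires"
  fi
  [ "$blockers" -eq 0 ]
}

demo=$(mktemp -d)   # constructed captures: before and after the cleanup
printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.test/\r\n\r\n' > "$demo/http_before"
printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains\r\n\r\n' > "$demo/https_before"
printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n' > "$demo/http_after"
printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=0\r\n\r\n' > "$demo/https_after"
removal_blockers "$demo/http_before" "$demo/https_before" || echo "=> fix these first"
removal_blockers "$demo/http_after" "$demo/https_after" && echo "=> safe to remove the certificate"
```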

Frequently asked questions

Will removing an SSL certificate take my website offline? It takes the HTTPS version offline. The site can still answer over plain HTTP *if* there is no forced redirect and no cached HSTS policy. If either exists, visitors are pushed to a now-broken HTTPS endpoint and the site appears fully down.

Do I need to remove the certificate before installing a new one? No. You should install the replacement *first*, point your server directives at it, reload, and verify — then remove the old certificate. This keeps HTTPS continuous and avoids any downtime window.

Does `certbot delete` also remove my Apache or Nginx configuration? No. `certbot delete` removes the certificate files and the renewal configuration only. You must manually remove the `SSLCertificateFile` / `ssl_certificate` references from your web server config and reload the service.

Why does my site still force HTTPS after I removed the certificate? Almost always HSTS or a leftover 301 redirect. HSTS is cached in the browser for its `max-age`, and a redirect rule lives in your server config independent of the certificate. Remove the redirect and reset HSTS (ideally before removing the cert).

Is it safe to leave a site on HTTP after removing the certificate? It is technically possible but not recommended. Plain HTTP transmits data unencrypted, triggers “Not Secure” browser labels, and can harm search rankings and trust. In nearly all cases, replace the certificate instead.

About the Author
Gary Belcher
Gary Belcher is an accomplished Data Scientist with a background in computer science from MIT. With a keen focus on data analysis, machine learning, and predictive modeling, Gary excels at transforming raw data into actionable insights. His expertise spans across various industries, where he leverages advanced algorithms and statistical methods to solve complex problems. Passionate about innovation and data-driven decision-making, Gary frequently contributes his knowledge through insightful articles and industry talks.
