Enabling certificate auto-renewal and provisioning
Learn how to enable and configure the auto-renewal and auto-provisioning features for certificates. These settings help to automate the lifecycle management of certificates, reducing the overhead associated with manual operations.
Auto-renewal runs daily. All Venafi Control Plane accounts that have auto-renewal enabled for at least one application are evaluated first, and then all certificates are scanned and considered for auto-renewal.
Auto-renewal is disabled by default on all new applications.
Approval workflows apply when certificates are auto-renewed
If an eligible certificate is associated with an application, issuing template, or certificate authority for which an approval workflow is configured, the auto-renewal process will be triggered, but the renewed certificate will still go through the approval workflow.
Prerequisites
To use auto-renewal, make sure you meet the following minimum requirements:
- Your Control Plane user account must have at least the Resource Owner role.
- At least one VSatellite installed so that private keys can be created using Automated Secure Keypair.
- You must enable auto-renewal (see the following procedure).
Certificates you want auto-renewed must meet all of the following requirements:
- Be associated with at least one application that has auto-renewal enabled.
- Fall into one of the following categories:
  - Previously issued certificates with existing CSRs: The certificate has been issued at least once through Certificate Manager - SaaS, and auto-renewal will reuse the attributes from its existing CSR.
  - Newly discovered or ingested certificates without CSRs: The certificate has not been issued through Certificate Manager - SaaS, so there is no existing CSR. In this case, auto-renewal uses the metadata from the certificate itself and applies only the attributes from the single associated issuing template and application.
  Important
  If you assign a new issuing template or application to a certificate that already has an existing CSR, the auto-renewal process will not use the new assignments. The existing CSR will continue to dictate the renewal attributes.
- Have an expiration date within the configured auto-renewal window.
To use auto-provisioning, you must also meet the following additional requirements:
- The certificate must be associated with either a machine or a cloud keystore (AWS Certificate Manager, Azure Key Vault, or Google Cloud Provider) that has been set up to provision certificates.
- You must enable auto-provisioning (see the following procedure).
To enable and configure auto-renewal and auto-provisioning
1. Sign in to Venafi Control Plane.
2. Click Applications.
3. Click the name of the application you want to configure.
4. Click the Auto-renewal tab.
5. Toggle the Certificate Auto-Renewal switch.
6. Specify the certificate renewal window:
   - Inherit from global configuration: Select this option if the number of days specified meets your needs.
   - Configure manually: Select this option and enter (in days) your custom interval for auto-renewal (and optional provisioning).
   What does the renewal window mean?
   Certificates that have an expiration date that is within the number of days you specify will be included in the next auto-renewal run, assuming those certificates meet the other eligibility requirements.
7. (Optional) Select Auto-provision certificates after renewal if you want Control Plane to provision your certificate automatically once the renewal is complete.
   Note
   The certificate must be associated with either a machine or a cloud keystore (AWS Certificate Manager, Azure Key Vault, or Google Cloud Provider) that has been set up to provision certificates.
8. When you're finished, click Save. You can close the configuration slide-out.
After completing these steps, the system should renew and provision certificates automatically when daily auto-renewal runs.
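The following model ties together the eligibility rules from the Prerequisites section and the renewal-window setting from the procedure above: for each certificate it checks for an associated application with auto-renewal enabled, compares the days to expiry against that application's window (inherited from the global configuration or set manually), picks the attribute source (existing CSR, or certificate metadata plus the single issuing template and application), and records whether provisioning and an approval workflow apply. It is an added illustration written for this page, not Venafi Control Plane code; the class names, fields, the global window value of 30 days, the sample certificates, and the choice to model approval workflows only at the application level are all assumptions.

```python
"""Hypothetical model of the daily auto-renewal evaluation described on this page.
Added illustration, not Venafi Control Plane code: class names, fields, the
global window value and the sample data are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

GLOBAL_RENEWAL_WINDOW_DAYS = 30  # assumed value of the "global configuration" window
TODAY = date(2024, 6, 1)         # constructed "run date" for the sample data below


@dataclass
class Application:
    name: str
    auto_renewal_enabled: bool = False  # disabled by default on new applications
    window_days: Optional[int] = None   # None = "Inherit from global configuration"
    auto_provision: bool = False        # "Auto-provision certificates after renewal"
    approval_workflow: bool = False     # an approval workflow is configured for it

    def renewal_window(self) -> int:
        return GLOBAL_RENEWAL_WINDOW_DAYS if self.window_days is None else self.window_days


@dataclass
class Certificate:
    common_name: str
    expires: date
    applications: List[Application]
    has_csr: bool                   # issued at least once through Certificate Manager - SaaS
    keystore: Optional[str] = None  # machine or cloud keystore set up for provisioning, if any


@dataclass
class Decision:
    eligible: bool
    reason: str
    attribute_source: Optional[str] = None
    provision: bool = False
    needs_approval: bool = False


def evaluate(cert: Certificate, today: date) -> Decision:
    """Decide whether one certificate is picked up by today's auto-renewal run."""
    enabled = [a for a in cert.applications if a.auto_renewal_enabled]
    if not enabled:
        return Decision(False, "no associated application has auto-renewal enabled")

    days_left = (cert.expires - today).days
    # "Within the window" is read here as days_left <= window (assumption: an
    # already expired certificate therefore still counts as inside the window).
    in_window = [a for a in enabled if days_left <= a.renewal_window()]
    if not in_window:
        return Decision(False, f"expires in {days_left} days, outside every enabled window")

    if cert.has_csr:
        # The existing CSR dictates attributes; later template/application
        # assignments are ignored, as the Important note above states.
        source = "existing CSR"
    else:
        source = "certificate metadata plus its single issuing template and application"

    # Provisioning needs the option on an in-window application and a keystore to deploy to.
    provision = cert.keystore is not None and any(a.auto_provision for a in in_window)
    # Renewal is still triggered, but the renewed certificate goes through the workflow.
    needs_approval = any(a.approval_workflow for a in in_window)
    return Decision(True, f"expires in {days_left} days", source, provision, needs_approval)


def daily_run(certs: List[Certificate], today: date) -> List[Certificate]:
    """Return the certificates the daily run would renew, in scan order."""
    return [c for c in certs if evaluate(c, today).eligible]


def sample_certificates() -> List[Certificate]:
    """Constructed sample data covering each rule on this page."""
    portal = Application("web-portal", True, None, auto_provision=True)   # inherits 30 days
    api = Application("api-gateway", True, 14)                            # manual 14-day window
    legacy = Application("legacy", False)                                 # auto-renewal off
    ops = Application("ops-tools", True, None, approval_workflow=True)
    return [
        Certificate("portal.example.com", date(2024, 6, 20), [portal], True, "Azure Key Vault"),
        Certificate("api.example.com", date(2024, 6, 20), [api], False),
        Certificate("api-old.example.com", date(2024, 6, 10), [api], False),
        Certificate("legacy.example.com", date(2024, 6, 5), [legacy], True),
        Certificate("ops.example.com", date(2024, 6, 25), [ops], True),
    ]


if __name__ == "__main__":
    for cert in sample_certificates():
        print(cert.common_name, evaluate(cert, TODAY))
```

Running the module prints one decision per sample certificate: the portal certificate (19 days out, inherited 30-day window, CSR on file, keystore attached) is renewed from its CSR and provisioned; the API certificate with the same expiry falls outside its application's manual 14-day window and waits for a later run; the older API certificate has no CSR, so its attributes come from the certificate metadata and its single template and application; the legacy certificate is skipped because its only application has auto-renewal off; and the ops certificate is renewed but flagged for the approval workflow.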