Enabling certificate auto-renewal and provisioning¶
Learn how to enable and configure the auto-renewal and auto-provisioning features for certificates. These settings help to automate the lifecycle management of certificates, reducing the overhead associated with manual operations.
Auto-renewal runs daily. All Venafi Control Plane accounts that have auto-renewal enabled for at least one application are evaluated first, and then all certificates are scanned and considered for auto-renewal.
Auto-renewal is disabled by default on all new applications.
Approval workflows apply when certificates are auto-renewed
If an eligible certificate is associated with an application, issuing template, or certificate authority for which an approval workflow is configured, the auto-renewal process will be triggered, but the renewed certificate will still go through the approval workflow.
Prerequisites¶
To use auto-renewal, make sure you meet the following minimum requirements:
- Your Control Plane user account must have at least the Resource Owner role.
- At least one VSatellite installed so that private keys can be created using Automated Secure Keypair.
- You must enable auto-renewal (see the following procedure).
Certificates you want auto-renewed must meet the following requirements:
- Be associated with at least one application that has auto-renewal enabled.
-
Meet one of the following conditions:
-
Have an associated Certificate Signing Request (CSR), meaning the certificate has been issued at least once already through TLS Protect Cloud (in which case auto-renewal uses the attributes from the certificate's existing CSR in TLS Protect Cloud)
or
-
Be associated with at least one application that has auto-renewal enabled and that has only a single associated issuing template (in which case auto-renewal uses the attributes from the certificate and the associated issuing template).
-
-
Have an expiration date within the configured auto-renewal window.
To use auto-provisioning, you must also meet the following additional requirements:
- The certificate must be associated with a either a machine or cloud keystore (AWS Certificate Manager, Azure Key Vault, or Google Cloud Provider) that has been set up to provision certificates.
- You must enable auto-provisioning (see the following procedure).
To enable and configure auto-renewal and auto-provisioning¶
- Sign in to Venafi Control Plane.
- Click Applications.
- Click the name of the application you want to configure.
- Click the Auto-renewal tab.
- Toggle the Certificate Auto-Renewal switch.
-
Specify the certificate renewal window:
- Inherit from global configuration: Select this option if the number of days specified meets your needs.
- Configure manually: Select this option and enter (in days) your custom interval for auto-renewal (and optional provisioning).
What does the renewal window mean?
Certificates that have an expiration date that is within the number of days you specify will be included in the next auto-renewal run, assuming those certificates meet the other eligibility requirements.
-
(Optional) Select Auto-provision certificates after renewal if you want Control Plane to provision your certificate automatically once the renewal is complete.
Note
The certificate must be associated with a either a machine or cloud keystore (AWS Certificate Manager, Azure Key Vault, or Google Cloud Provider) that has been set up to provision certificates.
-
When you're finished, click Save. You can close the configuration slide-out.
After completing these steps, the system should renew and provision certificates automatically when daily auto-renewal runs.