Skip to content

Configuring default auto-renewal settings

As an administrator, you can configure global certificate auto-renewal default settings. These global settings are automatically inherited by applications that have auto-renewal enabled, though the global settings can be overridden at the application level.

Auto-renewal runs daily for all Venafi Control Plane accounts that have auto-renewal enabled for at least one application.

Auto-renewal is disabled by default on all new applications.


To configure global auto-renewal settings, your Control Plane user account must have either the System Administrator or PKI Administrator roles.

For detailed requirements for using auto-renewal and auto-provisioning, see Enabling and configuring certificate auto-renewal and auto-provisioning.

To configure auto-renewal and auto-provisioning

  1. Sign in to Venafi Control Plane.
  2. Click Policies > Certificate Lifecycle.
  3. Click Certificate Auto-Renewal and Provisioning.
  4. Specify the auto-renewal window (in days).

    Any certificate with an expiration date within the auto-renewal window will be included when auto-renewal runs (assuming the certificate meets other eligibility criteria). This number can be overridden at the application level.

Did You Know?

Wondering what the Start Evaluating button is for? If you have administrative privileges, you can also manually run auto-renewal and provisioning anytime.

  1. (Optional) Click Run Now to renew and provision eligible certificates immediately.

After completing these steps, Venafi Control Plane will automatically renew and provision eligible certificates.

Notes about certificate auto-renewal scans

Scans are done daily for eligible certificates that are within the renewal window.

  • If a renewal for an eligible certificate fails, the next daily scan will attempt to renew it since it's still within the renewal window.

  • If a certificate renewal is pending from a previous scan, a new renewal for it won't be initiated. A pending renewal may be awaiting a workflow approval or pending certificate authority action. In such cases, a second renewal attempt is not made.

  • When an eligible certificate is linked to multiple applications with auto-renewal enabled, the application with the greater expiration threshold initiates the renewal.

Daily scans won't occur under the following conditions: