Skip to content

Renewing certificates


This feature is not yet available in the Next Gen certificate inventory. Please use the classic inventory until this feature is ported to the new page.

Venafi Control Plane streamlines certificate renewals, allowing you to renew certificates faster and with fewer errors. If the right conditions are met, a certificate can be renewed with just a couple of clicks, while maintaining important metadata, such as its associated tags.

If Control Plane doesn't have everything it needs, or if you want to change some of the data on a certificate renewal request, Control Plane helps you by pre-populating the certificate renewal fields with data from the existing certificate.

In addition to manually renewing certificates, you can also automate the renewal and provisioning of certificates using the auto-renewal and provisioning feature.

Maximizing certificate validity

To avoid system outages, it's essential to renew certificates before they expire. Typically, the validity of a renewed certificate extends one year from the date of issuance, which can result in the loss of remaining validity time on the old certificate. However, TLS Protect Cloud offers a feature that maximizes certificate validity for supported certificate authorities (CAs).

When you renew an existing certificate from a supported CA in TLS Protect Cloud, the validity of the new certificate extends one year beyond the expiration date of the certificate being renewed. Within Control Plane, both the old and new certificates remain linked and active, allowing you to download the new certificate without losing the remaining validity period of the old certificate. This benefit applies to all renewed certificates from supported CAs, regardless of whether they were issued directly through TLS Protect Cloud or imported manually.

Utilizing TLS Protect Cloud for certificate renewal ensures you receive the maximum possible value, as you retain the full validity period of the old certificate up to its expiration.

The following CAs support this feature to maximize certificate validity:

  • DigiCert
  • Entrust

When a certificate is nearing its expiration date, all you need to do is to renew the certificate. If the CA supports it, the certificate will renew immediately but will have an added validity period equal to the remaining time left on the certificate that was renewed.

If for some reason there is an error during the renewal process, the renewal will be processed as a new certificate request, and the extra validity period no longer applies.


To renew a certificate and extend its validity, your issuing template must use the same CA account used for the original issuance. If a different account is used, the new certificate will be issued with the standard validity period starting from the date of issuance.


TLS Protect Cloud can only maximize certificate validity for certificates that are still valid. This feature does not apply to certificates that are expired or revoked.

What's next

Manually renew a certificate or set up certificate auto-renewal