Certificate Renewal¶
Certificate renewal is the process of issuing a new certificate to replace one that is approaching its expiry date. Renewing before expiry ensures that services relying on the certificate continue to operate without interruption. The Zaita platform supports both manual renewal and automated renewal triggered by expiry monitoring.
Why Timely Renewal Matters¶
X.509 certificates have a fixed validity period. When a certificate expires, clients that verify its validity will reject it — causing connection failures, authentication errors, and service outages. Expired certificates are one of the most common causes of avoidable outages in organisations that rely on TLS.
Renewing certificates before they expire removes this risk, provided the renewed certificate is actually deployed to the systems that present it; a renewal that only lands in the inventory does not prevent the outage. Shorter certificate lifetimes (for example, 90 days) limit how long a compromised key or mis-issued certificate remains usable, which matters because many clients do not check revocation reliably, but they require more frequent renewal, making automation essential at scale.
How Certificate Renewal Works¶
Renewal in the Zaita platform creates a new certificate using the same or updated subject parameters as the original. The process:
- A new key pair is generated.
- A Certificate Signing Request (CSR) is created using the configured subject fields.
- The CSR is submitted to the same issuing CA as the original certificate.
- The CA issues a new certificate with a fresh validity period.
- The new certificate is stored in the platform inventory.
- If the original certificate was deployed to target systems, the new certificate is pushed to those same systems.
The original certificate remains in the inventory with its status unchanged until it expires or is explicitly revoked.
Renewal Methods¶
Manual Renewal¶
An authorised user navigates to the certificate in the inventory and initiates renewal from the certificate detail page. The platform handles the rest of the process — key generation, CSR creation, issuance, and deployment — without requiring the user to manage cryptographic operations directly.
Automated Renewal¶
The platform monitors the expiry dates of all managed certificates. When a certificate's remaining validity falls below the configured renewal threshold (by default, 30 days), the platform can automatically initiate a renewal and redeploy the certificate to any associated target systems.
Automated renewal requires:
- The certificate to have been provisioned through the platform (not just discovered).
- The issuing CA to be available and configured correctly.
- If deployment is required, a connected Bridge and configured target systems.
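The steps listed under How Certificate Renewal Works, together with the threshold check that triggers an automated renewal, as an added example driven with the openssl CLI. This is not Zaita platform code: the issuing CA is a throwaway self-signed root created on the spot, and every name, path, subject and the target directory are hypothetical. The 30-day threshold is the page's stated default.

```shell
#!/bin/sh
# Added example (not Zaita platform code): one manual renewal cycle with the
# openssl CLI, plus the expiry-threshold check an automated renewer would run.
# The "issuing CA" is a throwaway self-signed root created here; every name,
# path and subject below is hypothetical.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SUBJECT="/O=Example Corp/CN=svc.example.test"
RENEWAL_THRESHOLD_DAYS=30          # the page's default threshold

# Stand-in for the issuing CA. The same CA signs the original and the renewal.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/O=Example Corp/CN=Example Issuing CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  # SAN copied into every leaf certificate this CA issues.
  printf 'subjectAltName=DNS:svc.example.test\n' > "$WORK/leaf.ext"
}

# Steps 1-4 of the renewal flow: fresh key pair, CSR from the configured
# subject, submission to the same CA, certificate with a fresh validity period.
# issue <name> <days>  -> $WORK/<name>.key, $WORK/<name>.crt
issue() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/$1.key" 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -subj "$SUBJECT" \
    -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days "$2" -extfile "$WORK/leaf.ext" \
    -out "$WORK/$1.crt" 2>/dev/null
}

# Automated-renewal trigger. `openssl x509 -checkend N` exits 0 while the
# certificate is still valid N seconds from now and 1 once it will have
# expired, so the sense is inverted here: exit 0 means "renew now".
# needs_renewal <cert> <threshold_days>
needs_renewal() {
  if openssl x509 -checkend $(( $2 * 86400 )) -noout -in "$1" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Step 6: push the renewed pair to a target system. Written under a temporary
# name and renamed, so a service reloading mid-copy never sees a partial file.
# deploy <name> <target_dir>
deploy() {
  mkdir -p "$2"
  cp "$WORK/$1.crt" "$2/tls.crt.tmp" && mv "$2/tls.crt.tmp" "$2/tls.crt"
  cp "$WORK/$1.key" "$2/tls.key.tmp" && mv "$2/tls.key.tmp" "$2/tls.key"
  chmod 600 "$2/tls.key"
}

# Helpers for comparing the original and renewed certificates.
fingerprint() { openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2; }
subject_of()  { openssl x509 -noout -subject -nameopt RFC2253 -in "$1"; }
pubkey_sha256() {
  openssl x509 -noout -pubkey -in "$1" | openssl pkey -pubin -outform DER 2>/dev/null \
    | openssl dgst -sha256 | awk '{print $NF}'
}
verifies() { openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1; }

run_cycle() {
  make_ca
  issue original 20                     # inside the 30-day window: must renew
  if needs_renewal "$WORK/original.crt" "$RENEWAL_THRESHOLD_DAYS"; then
    issue renewed 90                    # same subject, same CA, new key pair
    deploy renewed "$WORK/target"       # original.crt is left untouched
  fi
}

run_cycle
echo "original: $(fingerprint "$WORK/original.crt")"
echo "renewed:  $(fingerprint "$WORK/renewed.crt")"
```

After the cycle, both certificates verify against the CA and share a subject, but their public keys and fingerprints differ, the original file is unchanged, and only the renewed pair sits in the target directory. The `needs_renewal` check is the one to get right when scripting this yourself: `-checkend` reports success when the certificate is still fine, so a naive `if openssl x509 -checkend ...; then renew` renews every certificate that is not about to expire and skips the one that is.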
ACME-Based Renewal¶
Certificates issued via the ACME protocol are renewed automatically by the platform's ACME client according to the renewal threshold configured in the ACME server settings. See Introduction to ACME for details.
Scope of Renewal¶
Renewal creates a new certificate. It does not:
- Revoke the original certificate. The original remains active until it expires naturally.
- Change the certificate's target system associations — those are inherited by the new certificate.
- Affect other certificates issued to the same domain.
Renewal alone never revokes anything. If the renewal was prompted by a suspected key compromise, or you do not want two valid certificates for the same name in circulation, revoke the original explicitly via the Certificate Revocation workflow.
Renewal and Key Rotation¶
Each renewal generates a fresh key pair by default, so the private key is rotated at every renewal cycle. This is the recommended practice: a key reused across many renewals keeps a single compromise live for as long as the key stays in service, whereas a rotated key's exposure ends with the certificate it was issued for. The new private key is stored securely in the Back Control Plane.
If you are downloading certificates for manual installation, retrieve both the new certificate and the new private key after each renewal. The previous key no longer matches the renewed certificate, and a server configured with a mismatched certificate and key will fail to start or fail every TLS handshake.
Next Steps¶
- Setting up Certificate Renewal — configure renewal thresholds and automated renewal policies.
- Managing Renewed Certificates — view renewal history and track the renewal lifecycle.
- Best Practices for Certificate Renewal — guidance on renewal thresholds, automation, and key rotation.