Setting Up Certificate Renewal
This guide covers how to initiate a manual renewal and how to configure automated renewal for managed certificates. For background on how renewal works, see Certificate Renewal — Introduction.
Prerequisites
- The certificate must have been provisioned through the platform (not just discovered).
- You must have the Deployment Administrator, PKI Administrator, or Super Administrator role.
- If automated deployment after renewal is required, a Bridge must be deployed and connected, and the certificate must have target systems configured.
Manual Renewal
Step 1 — Open the Certificate
- Navigate to CLM → Certificates.
- Locate the certificate you want to renew. Use the search or filter controls to find it by common name, status, or expiry date.
- Select the certificate to open its detail page.
Step 2 — Initiate Renewal
On the certificate detail page, select Renew Certificate.
A confirmation dialog shows:
- The current certificate's Common Name, expiry date, and issuing CA.
- A summary of the renewal parameters that will be used.
Review the parameters and select Confirm Renewal to proceed.
Step 3 — Monitor Renewal Progress
The renewal is processed asynchronously. The certificate detail page updates automatically as each stage completes:
| Stage | Description |
|---|---|
| pending | Renewal has been queued. |
| processing | Key generation and CSR submission are in progress. |
| issued | The new certificate has been issued by the CA and stored in the inventory. |
| deploying | The platform is pushing the new certificate to associated target systems via the Bridge. |
| complete | Renewal and deployment are finished. |
| failed | An error occurred. Details are shown on the detail page. |
Once the status reaches issued or complete, the new certificate is available in the inventory under CLM → Certificates.
Configuring Automated Renewal
Automated renewal initiates the renewal process when a certificate's remaining validity drops below a configured threshold.
Step 1 — Set the Renewal Threshold
- Navigate to CLM → Policies.
- Open the policy that governs the certificate you want to configure, or create a new policy for the relevant domain.
- Set the Auto-Renewal Threshold field, for example 30 days. The platform will initiate renewal when the certificate has 30 or fewer days remaining.
- Save the policy.
Step 2 — Ensure the Certificate Is Policy-Matched
For automated renewal to apply, the certificate must be matched by the policy. The policy must match the certificate's domain, and the certificate must be in active status.
Step 3 — Verify Target System Configuration
For automated renewal to also trigger automated deployment, ensure:
- The certificate has at least one target system associated.
- The associated target system has a connected Bridge.
If no target systems are associated, the renewed certificate is stored in the inventory but not deployed automatically.
Renewal for ACME Certificates
ACME certificates are renewed automatically by the platform based on the renewal threshold configured on the ACME server. No additional configuration is required for ACME renewal — the ACME client handles key generation, CSR submission, and issuance automatically.
See Introduction to ACME and Managing ACME Servers for details.
After Renewal
After renewal completes:
- Verify the new certificate is active in the inventory — confirm the expiry date and serial number are as expected.
- If deployment was automated, confirm the deployment status shows deployed for all target systems.
- If you installed the certificate manually, download the new certificate (and private key if required) and replace the old files on the target system.
- Optionally, revoke the old certificate if it should no longer be trusted. See Certificate Revocation.
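The expiry and serial checks above can also be scripted against the target system itself, which catches an endpoint that still serves the old certificate after a failed deployment or a missed manual install. The following is an added example, not part of the platform or its documentation: the function names, sample serial numbers and dates are constructed, and the 30-day threshold mirrors the example value used earlier in this guide.

```python
import socket
import ssl
from datetime import datetime, timezone

def fetch_served_cert(host, port=443, timeout=5.0):
    """Return the validated leaf certificate an endpoint presents (getpeercert() dict)."""
    ctx = ssl.create_default_context()  # chain and hostname are verified
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def normalize_serial(serial):
    """Compare serials as integers so case, colons and leading zeros do not matter."""
    return int(serial.replace(":", "").replace(" ", ""), 16)

def check_renewed_cert(served, expected_serial, old_serial=None,
                       threshold_days=30, now=None):
    """Check a served certificate against the serial recorded in the inventory."""
    now = now or datetime.now(timezone.utc)
    not_after = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(served["notAfter"]), tz=timezone.utc)
    days_left = (not_after - now).days
    serial = normalize_serial(served["serialNumber"])
    findings = []
    if old_serial is not None and serial == normalize_serial(old_serial):
        findings.append("endpoint still serves the pre-renewal certificate")
    elif serial != normalize_serial(expected_serial):
        findings.append("served serial does not match the inventory record")
    if days_left <= threshold_days:
        findings.append(f"only {days_left} days of validity remain "
                        f"(threshold {threshold_days})")
    return {"ok": not findings, "days_left": days_left, "findings": findings}

# Constructed samples in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_NEW = {"serialNumber": "0A1B2C3D", "notAfter": "Jun  1 00:00:00 2026 GMT"}
SAMPLE_OLD = {"serialNumber": "00F1E2D3", "notAfter": "Jun 21 00:00:00 2025 GMT"}

if __name__ == "__main__":
    fixed_now = datetime(2025, 6, 1, tzinfo=timezone.utc)  # constructed "today"
    for name, cert in (("renewed", SAMPLE_NEW), ("stale", SAMPLE_OLD)):
        result = check_renewed_cert(cert, "0a:1b:2c:3d", old_serial="F1E2D3",
                                    now=fixed_now)
        print(name, result)
```

For a live check, pass the result of `fetch_served_cert("host.example")` as `served`, with the expected serial copied from the certificate's inventory record.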
Next Steps
- Managing Renewed Certificates — view renewal history and track renewal status.
- Best Practices for Certificate Renewal — guidance on thresholds, automation, and key rotation.