Renewing Certificates
Next-Gen Trust Security streamlines certificate renewals, allowing you to renew certificates quickly while preserving important metadata, such as associated tags.
When possible, a certificate can be renewed with minimal input. If additional information is required, Next-Gen Trust Security pre-populates renewal fields using data from the existing certificate so you can review or update values before completing the request.
In addition to manual renewal, you can automate certificate renewal and provisioning using the auto-renewal feature.
Maximizing Certificate Validity
To reduce the risk of outages, it’s important to renew certificates before they expire. In some cases, renewed certificates can retain unused validity from the original certificate.
For supported certificate authorities (CAs), Next-Gen Trust Security renews certificates in a way that preserves remaining validity from the existing certificate. When this behavior is supported, the renewed certificate becomes valid beyond the original expiration date, allowing both certificates to remain active for a short overlap period.
This behavior helps ensure that you do not lose remaining validity time when renewing early.
The following CAs support this behavior:
- DigiCert
- Entrust
Important: To preserve remaining validity during renewal, the issuing template must use the same CA account as the original certificate. If a different CA account is used, the renewed certificate uses the standard validity period starting from the issuance date.
Note: Validity preservation applies only to certificates that are still valid at the time of renewal. It does not apply to expired or revoked certificates.
If a renewal attempt cannot be completed successfully, the request is processed as a new certificate issuance and remaining validity is not preserved.