How certificate renewal works

Whether you are having certificates renewed automatically or manually, it is important to understand how certificate renewal works.

When a certificate record is created in Trust Protection Platform, two settings affect the renewal behavior of the certificate. These settings can be set either by a policy that is applied to the certificate or on the certificate object itself. They are:

  • Disable automatic renewal: By default, automatic renewal is enabled for certificates in Trust Protection Platform. If you want to disable automatic renewal, you can set this value to Yes.
  • Renewal window: This is the number of days before expiration at which you plan to renew certificates. Many organizations pick a value between 30 and 90 days so that there is time for all the necessary approvals and processes, and the renewed certificate is in place before the old certificate expires.

Remember that a certificate is an object with a finite lifespan. The process for renewing a certificate varies by CA, so check your CA's documentation on how it works. Generally speaking, renewals don't just extend the validity date of the existing certificate. When you renew a certificate, you are actually getting a new certificate that carries the same data as your old certificate (subject, SANs and so on), but the renewed certificate is a distinct object with its own serial number and validity period, and it needs to be downloaded and installed.

When you request a certificate, there is a transaction ID that is like an order number with the CA. Trust Protection Platform stores this transaction ID as a hidden field for the current version of the certificate. When you request a renewal, if your CA uses the Transaction ID field, the transaction ID is passed to the CA. This tells the CA that you are renewing a certificate that was issued by that CA previously.

This is important because many CAs use the transaction ID to extend the validity of the renewed certificate so that no time is lost when you renew early. The CA doesn't want you to wait until the last minute to renew, so many CAs will start the new term at the expiration date of the prior certificate rather than at the date of the renewal request.

EXAMPLE  Suppose that you acquire a certificate in January 2022, and your certificate is valid for 12 months. The expiration date of the certificate will be January 2023. Let's say that in Trust Protection Platform the renewal window is set to 90 days. In October 2022, Trust Protection Platform is going to tell you it is time to renew your certificate. You create a CSR to reissue the certificate for another 12 months.

Two things can then occur:

  • If the CSR does not include the transaction ID of the original certificate, the CA doesn't see this request as a renewal and treats it as a new request. Since this new request is submitted in October 2022, the new certificate's expiration date will be October 2023. In this case, you lose the three months (October 2022 to January 2023) that remained on the original certificate.
  • If the CSR does include the transaction ID of the certificate, the CA recognizes the request as a renewal and takes the expiration date of the original certificate into consideration. The renewed certificate, even though it was requested in October 2022, will be set to expire in January 2024: a full 12-month term counted from the January 2023 expiration of the original.

Implications for renewing reverted certificates

Trust Protection Platform allows you to see historical versions of a certificate, so you can track or revert to a historical version. However, Trust Protection Platform only stores the transaction ID for the most recent version of the certificate, not for historical versions, so when you revert to a previous version, the transaction ID is cleared. This means that if you revert to a historical version of a certificate and then try to renew it, there is no transaction ID to send, and the CA will treat the request as a new request rather than a renewal. If you renew early in that situation, you may lose the remaining validity time on the certificate.
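The following Python is an added example, not code from Trust Protection Platform or from any CA, that models the behavior described above: the renewal-window check, the two possible expiration dates depending on whether the CSR carries the transaction ID, the number of days forfeited when it does not, and a revert that clears the stored transaction ID. The CertificateRecord class and the dates, serials and transaction IDs in it are constructed for illustration; in practice notAfter would be read from the certificate itself and the CA's handling of the transaction ID should be confirmed against its documentation.

```python
from __future__ import annotations

import calendar
from dataclasses import dataclass, replace
from datetime import date, timedelta


def add_months(d: date, months: int) -> date:
    """Shift a date by whole months, clamping the day for short months (Jan 31 -> Feb 28)."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def renewal_due(not_after: date, renewal_window_days: int, today: date) -> bool:
    """True once 'today' falls inside the renewal window before expiration."""
    return today >= not_after - timedelta(days=renewal_window_days)


def renewed_not_after(request_date: date, original_not_after: date,
                      term_months: int, has_transaction_id: bool) -> date:
    """Expiration the CA assigns: the new term starts at the old notAfter when the CA
    recognizes a renewal (transaction ID present), otherwise at the request date."""
    base = original_not_after if has_transaction_id else request_date
    return add_months(base, term_months)


def days_forfeited(request_date: date, original_not_after: date, has_transaction_id: bool) -> int:
    """Remaining validity thrown away when a new request replaces an early renewal."""
    if has_transaction_id or request_date >= original_not_after:
        return 0
    return (original_not_after - request_date).days


@dataclass
class CertVersion:
    serial: str          # constructed sample value, not a real serial
    not_before: date
    not_after: date


@dataclass
class CertificateRecord:
    """Toy model of a certificate object with version history (hypothetical, constructed here).
    Only the current version has a transaction ID, as the text describes."""
    versions: list[CertVersion]
    transaction_id: str | None = None

    @property
    def current(self) -> CertVersion:
        return self.versions[-1]

    def revert(self, index: int) -> None:
        # Reinstating an older version makes it current and clears the stored transaction ID.
        self.versions.append(replace(self.versions[index]))
        self.transaction_id = None

    def renew(self, request_date: date, term_months: int,
              new_serial: str, new_transaction_id: str) -> CertVersion:
        # The CA only sees a renewal if we still hold a transaction ID to send with the CSR.
        not_after = renewed_not_after(request_date, self.current.not_after,
                                      term_months, self.transaction_id is not None)
        version = CertVersion(new_serial, request_date, not_after)
        self.versions.append(version)
        self.transaction_id = new_transaction_id
        return version


def walkthrough() -> dict:
    """The page's scenario: issued Jan 2022 for 12 months, 90-day window, renewed in Oct 2022.
    The second record adds a mid-term reissue and a revert, which drops the transaction ID."""
    v1 = CertVersion("01", date(2022, 1, 15), date(2023, 1, 15))      # constructed sample
    request = date(2022, 10, 17)                                       # first day of the 90-day window

    with_txid = CertificateRecord([v1], transaction_id="TX-0001")      # hypothetical transaction ID
    renewed = with_txid.renew(request, 12, "02", "TX-0002")

    reissued = CertVersion("03", date(2022, 6, 1), date(2023, 6, 1))   # constructed mid-term reissue
    reverted = CertificateRecord([v1, reissued], transaction_id="TX-0003")
    reverted.revert(0)                                                 # back to v1, transaction ID cleared
    renewed_after_revert = reverted.renew(request, 12, "04", "TX-0004")

    return {
        "due": renewal_due(v1.not_after, 90, request),
        "renewal_expiry": renewed.not_after,
        "new_request_expiry": renewed_after_revert.not_after,
        "forfeited_days": days_forfeited(request, v1.not_after, has_transaction_id=False),
    }


if __name__ == "__main__":
    for key, value in walkthrough().items():
        print(f"{key}: {value}")
```

Run it and the two expiration dates show the cost of a missing transaction ID: the renewal with the ID expires in January 2024, while the request made after a revert expires in October 2023, forfeiting the 90 days that remained on the original certificate.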