This page is for product admins managing PKI infrastructure. If you’re looking to renew end-entity certificates, see Applications.
Before You Renew
- If renewing an intermediate CA chained to an Infisical CA, Infisical will automate the process of generating a new certificate for you.
- If renewing an intermediate CA signed by an external CA provider (e.g., Venafi, Microsoft ADCS), you can configure auto-renewal to automate the process. See Venafi auto-renewal or Microsoft ADCS auto-renewal.
- If renewing an intermediate CA chained to an external parent CA via manual import, you’ll need to generate a new certificate from the external parent CA and manually import it back.
Renew a CA
- Infisical UI
- API
1
Navigate to the CA
Go to Certificate Manager → Certificate Authorities → Internal and select the CA you want to renew.
2
Start renewal
Click Renew CA on the left side of the CA detail page.
3
Set new validity
Input a new Valid Until date for the renewed CA certificate and click Renew.
The new Valid Until date must be within the validity period of the parent CA.
FAQ
Does Infisical support CA renewal via new key pair?
Does Infisical support CA renewal via new key pair?
At the moment, Infisical only supports CA renewal via same key pair. We anticipate supporting CA renewal via new key pair in the coming month.
What happens to certificates issued by the old CA certificate?
What happens to certificates issued by the old CA certificate?
Certificates issued before the renewal remain valid until their own expiration date. The CA’s private key stays the same, so the chain of trust is preserved.
What’s Next?
CRL Distribution Points
Configure CRL mirrors for your CA.
Create CA Hierarchy
Set up root and intermediate CAs.