Renew a CA certificate to extend its validity period. The renewal process varies depending on how your CA was originally signed.
This page is for product admins managing PKI infrastructure. If you’re looking to renew end-entity certificates, see Applications.
Before You Renew
- If renewing an intermediate CA chained to an Infisical CA, Infisical will automate the process of generating a new certificate for you.
- If renewing an intermediate CA signed by an external CA provider (e.g., Venafi, Azure AD CS), you can configure auto-renewal to automate the process. See Venafi auto-renewal or AD CS auto-renewal.
- If renewing an intermediate CA chained to an external parent CA via manual import, you’ll need to generate a new certificate from the external parent CA and manually import it back.
Renew a CA
- Infisical UI
- API
Navigate to the CA
Go to Certificate Manager → Certificate Authorities → Internal and select the CA you want to renew.
FAQ
Does Infisical support CA renewal via new key pair?
At the moment, Infisical only supports CA renewal via same key pair. We anticipate supporting CA renewal via new key pair in the coming month.
What happens to certificates issued by the old CA certificate?
Certificates issued before the renewal remain valid until their own expiration date. The CA’s private key stays the same, so the chain of trust is preserved.
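The answer above can be checked locally with OpenSSL. This is an added example, not Infisical's own code or API, and the CA name, leaf name and file names are constructed: it renews a throwaway CA certificate once with the same key pair and once with a new key pair, then verifies a previously issued leaf against each.

```shell
# Constructed demo: Demo Root CA, leaf.demo.internal and all file names are assumptions.
# Minimal OpenSSL config so the demo does not depend on the system openssl.cnf.
write_ca_config() {
  cat > "$1" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Demo Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
}

# Build a CA in directory $1, issue one leaf, then create two "renewed" CA certificates.
build_demo_pki() {
  d=$1
  write_ca_config "$d/ca.cnf"
  for k in ca ca_new leaf; do openssl ecparam -genkey -name prime256v1 -noout -out "$d/$k.key"; done
  # Original CA certificate, close to expiry.
  openssl req -x509 -new -config "$d/ca.cnf" -key "$d/ca.key" -days 30 -out "$d/ca_old.pem"
  # Leaf issued before the renewal, signed with the original CA key.
  openssl req -new -config "$d/ca.cnf" -key "$d/leaf.key" -subj "/CN=leaf.demo.internal" -out "$d/leaf.csr"
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca_old.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 20 -out "$d/leaf.pem" 2>/dev/null
  # Renewal via same key pair: same subject and key, new serial and validity.
  openssl req -x509 -new -config "$d/ca.cnf" -key "$d/ca.key" -days 365 -out "$d/ca_same_key.pem"
  # Renewal via new key pair, for contrast: same subject, different key.
  openssl req -x509 -new -config "$d/ca.cnf" -key "$d/ca_new.key" -days 365 -out "$d/ca_new_key.pem"
}

# SHA-256 over the certificate's public key (PEM-encoded SubjectPublicKeyInfo).
spki_sha256() { openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256 | awk '{print $NF}'; }

# Succeeds only if leaf $2 chains to the single trust anchor $1.
leaf_verifies() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

demo() {
  d=$(mktemp -d)
  build_demo_pki "$d"
  for ca in ca_old ca_same_key ca_new_key; do
    if leaf_verifies "$d/$ca.pem" "$d/leaf.pem"; then r=OK; else r=FAIL; fi
    echo "$ca spki=$(spki_sha256 "$d/$ca.pem" | cut -c1-16) leaf=$r"
  done
  rm -rf "$d"
}
demo
```

The leaf verifies against both the original and the same-key renewed certificate because its signature is checked with the CA public key, which is unchanged; relying parties that only trust a certificate carrying a new key would reject it.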
What’s Next?
CRL Distribution Points
Configure CRL mirrors for your CA.
Create CA Hierarchy
Set up root and intermediate CAs.