# CA Renewal

> Renew your Certificate Authority certificates before they expire.

Renew a CA certificate to extend its validity period. The renewal process varies depending on how your CA was originally signed.

<Info>
  This page is for product admins managing PKI infrastructure. If you're looking to renew end-entity certificates, see [Applications](/documentation/platform/pki/applications/overview).
</Info>

## Before You Renew

<Note>
  * If renewing an intermediate CA chained to an **Infisical CA**, Infisical will automate the process of generating a new certificate for you.
  * If renewing an intermediate CA signed by an **external CA provider** (e.g., Venafi, Azure AD CS), you can configure auto-renewal to automate the process. See [Venafi auto-renewal](/documentation/platform/pki/ca/venafi#auto-renewal) or [AD CS auto-renewal](/documentation/platform/pki/ca/azure-adcs#auto-renewal-for-ad-cs-signed-cas).
  * If renewing an intermediate CA chained to an **external parent CA via manual import**, you'll need to generate a new certificate from the external parent CA and manually import it back.
</Note>

## Renew a CA

<Tabs>
  <Tab title="Infisical UI">
    <Steps>
      <Step title="Navigate to the CA">
        Go to **Certificate Manager → Certificate Authorities → Internal** and select the CA you want to renew.
      </Step>

      <Step title="Start renewal">
        Click **Renew CA** on the left side of the CA detail page.
      </Step>

      <Step title="Set new validity">
        Input a new **Valid Until** date for the renewed CA certificate and click **Renew**.

        <Note>
          The new **Valid Until** date must be within the validity period of the parent CA.
        </Note>
      </Step>
    </Steps>
  </Tab>

  <Tab title="API">
    To renew a CA certificate, make an API request to the [Renew CA](/api-reference/endpoints/certificate-authorities/renew) API endpoint, specifying the new `notAfter` date for the CA.

    ### Sample request

    ```bash theme={"dark"}
    curl --location --request POST 'https://app.infisical.com/api/v1/cert-manager/ca/internal/<ca-id>/renew' \
      --header 'Authorization: Bearer <access-token>' \
      --header 'Content-Type: application/json' \
      --data-raw '{
          "type": "existing",
          "notAfter": "2029-06-12"
      }'
    ```

    ### Sample response

    ```json theme={"dark"}
    {
      "certificate": "...",
      "certificateChain": "...",
      "serialNumber": "..."
    }
    ```
  </Tab>
</Tabs>
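
The sample request above, wrapped in a pre-flight check that rejects a `notAfter` falling outside the parent CA's validity before anything is sent. This is an added example, not Infisical's own code. The function names, the `today` parameter, and the caller-supplied `parent_not_after` date are assumptions of this example, and the future-date check is an extra client-side sanity check rather than a documented API rule.

```python
import json
import urllib.request
from datetime import date
from urllib.parse import quote

# Host and path come from the sample request on this page.
BASE_URL = "https://app.infisical.com"


def build_renew_request(ca_id, not_after, parent_not_after, token, today=None):
    """Validate the requested notAfter and build the Renew CA request.

    parent_not_after: expiry date of the parent CA certificate, supplied by
    the caller (assumption: read from the parent certificate beforehand).
    Pass None when the CA has no parent (a root CA).
    """
    today = today or date.today()
    new_expiry = date.fromisoformat(not_after)  # ValueError if malformed
    if new_expiry <= today:
        raise ValueError(f"notAfter {not_after} is not in the future")
    if parent_not_after is not None and new_expiry > parent_not_after:
        raise ValueError(
            f"notAfter {not_after} exceeds parent CA expiry {parent_not_after}"
        )
    # Same body shape as the sample request: same-key-pair renewal.
    body = {"type": "existing", "notAfter": new_expiry.isoformat()}
    # Percent-encode the ID so it cannot alter the request path.
    path = f"/api/v1/cert-manager/ca/internal/{quote(ca_id, safe='')}/renew"
    return urllib.request.Request(
        BASE_URL + path,
        data=json.dumps(body).encode(),
        method="POST",
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
        },
    )


def renew_ca(ca_id, not_after, parent_not_after, token):
    """Send the validated request and return the parsed JSON response."""
    req = build_renew_request(ca_id, not_after, parent_not_after, token)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)
```

Read the access token from the environment or a secret store rather than hard-coding it in the calling script.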

## FAQ

<AccordionGroup>
  <Accordion title="Does Infisical support CA renewal via new key pair?">
    At the moment, Infisical only supports CA renewal using the same key pair. We anticipate supporting CA renewal with a new key pair in the coming month.
  </Accordion>

  <Accordion title="What happens to certificates issued by the old CA certificate?">
    Certificates issued before the renewal remain valid until their own expiration date. The CA's private key stays the same, so the chain of trust is preserved.
  </Accordion>
</AccordionGroup>

## What's Next?

<CardGroup cols={2}>
  <Card title="CRL Distribution Points" icon="list" href="/documentation/platform/pki/ca/crl-distribution">
    Configure CRL mirrors for your CA.
  </Card>

  <Card title="Create CA Hierarchy" icon="sitemap" href="/documentation/platform/pki/ca/private-ca">
    Set up root and intermediate CAs.
  </Card>
</CardGroup>
