Reissue a certificate

Reissue generates a fresh private key and requests a new certificate from the same issuer with the same subject / SANs. It is the right choice when you suspect key compromise, when you want to change the key algorithm (e.g. RSA 2048 → ECDSA P-256), or when policy mandates periodic key rotation independent of the expiry-driven renewal cadence.

01 Reissue vs. renew

                  Renew                             Reissue
Triggered by      Expiry window / scheduler         Explicit operator action
Private key       NEW on every renewal (default)    NEW
Subject / SANs    Same                              Same
Issuer            Same                              Same
Use case          Scheduled lifecycle               Key compromise, policy, algorithm change

Since renewal also rotates the key, reissue and renew overlap significantly. The practical distinction is that reissue fires now regardless of the renewal window and regardless of ARI hints. You use it when the trigger is "something changed about the key" rather than "the cert is about to expire."

02 When to use reissue

  • Key compromise. Followed immediately by revocation of the old cert.
  • Algorithm upgrade. Moving from RSA 2048 to ECDSA P-256 fleet-wide; reissue with the new key type, then revoke the old on completion.
  • Deployment proof. Some change-management workflows require a fresh issuance after infrastructure reconfiguration — reissue gives a clean audit boundary.
  • Stuck renewal state. If a certificate is in a terminal renewal_failed state, reissue is the clean way to restart the lifecycle without clearing state manually.

03 Trigger a reissue

  1. Open the certificate detail page.
  2. Click Reissue (top-right actions).
  3. In the dialog you can change the key type if needed — the original setting is preselected.
  4. Confirm. A reissue_certificate job (or msca_renew_certificate for MSCA-issued certificates) is enqueued.

04 What happens

  1. The worker generates a new private key of the requested type.
  2. It builds a fresh CSR with the same CN + SANs.
  3. The CA's normal issuance flow runs (DNS-01 for ACME, CES enrollment for MSCA).
  4. The new cert replaces the old on the same certificate record; the old private key is purged from MongoDB.
  5. A cert.renewed event is written (reissue reuses the renew event type — the distinction surfaces in the event payload's trigger field as reissue).
  6. If the certificate has auto-triggered distributions, they fire against the new cert.

Old cert is NOT revoked automatically

Reissue replaces the cert on our side but the CA still considers the old cert valid until it expires naturally. For key-compromise workflows, follow up with Revoke on the old cert — CertAutoPilot keeps a copy of the old cert's issuance record for this purpose in the timeline.

05 Pinned clients

If downstream clients pin the certificate's public key (HPKP, mobile apps with cert-pinning, banking integrations), a reissue breaks them. The reissue dialog warns when the cert has a dependency annotated as "pinned". Plan the client-side update alongside the reissue.
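As an added example (not CertAutoPilot's own code), here is the core of steps 1 and 2 of the worker flow above plus the SPKI check behind the pinned-client warning, using the Python cryptography library. The self-signed "old" certificate, the hostnames and all function names are constructed for the demo.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, rsa
from cryptography.x509.oid import ExtensionOID, NameOID

# Constructed stand-in for the "old" certificate on the record: a self-signed
# RSA-2048 cert with a CN and two SANs (hypothetical names, not a real host).
def make_old_cert():
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "app.example.test")])
    san = x509.SubjectAlternativeName(
        [x509.DNSName("app.example.test"), x509.DNSName("www.app.example.test")])
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=90))
            .add_extension(san, critical=False)
            .sign(key, hashes.SHA256()))
    return key, cert

def new_private_key(key_type):
    """Step 1: a fresh key of the requested type; the old key is never reused."""
    if key_type == "ecdsa-p256":
        return ec.generate_private_key(ec.SECP256R1())
    if key_type == "rsa-2048":
        return rsa.generate_private_key(public_exponent=65537, key_size=2048)
    raise ValueError(f"unsupported key type: {key_type}")

def build_reissue_csr(old_cert, key_type="ecdsa-p256"):
    """Step 2: CSR carrying the old cert's subject and SANs verbatim, signed by the new key."""
    key = new_private_key(key_type)
    san = old_cert.extensions.get_extension_for_oid(
        ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
    csr = (x509.CertificateSigningRequestBuilder()
           .subject_name(old_cert.subject)
           .add_extension(san, critical=False)
           .sign(key, hashes.SHA256()))
    return key, csr

def csr_dns_names(csr):
    ext = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName)
    return ext.value.get_values_for_type(x509.DNSName)

def spki_sha256(public_key):
    """SPKI fingerprint: the value key-pinning clients compare against."""
    der = public_key.public_bytes(serialization.Encoding.DER,
                                  serialization.PublicFormat.SubjectPublicKeyInfo)
    h = hashes.Hash(hashes.SHA256()); h.update(der)
    return h.finalize().hex()

def pin_breaks(old_cert, csr):
    """True when a client pinning the old SPKI would reject the reissued cert."""
    return spki_sha256(old_cert.public_key()) != spki_sha256(csr.public_key())
```

Because a reissue always carries a new key, pin_breaks is true for every reissue, which is why the client-side pin update has to be planned with it.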

06 Troubleshooting

"Rate limit exceeded" on immediate reissue

The CA's weekly quota for the registered domain is saturated. Wait for the counter to reset (zone rate-limit panel) or use a staging account to avoid production consumption during testing.

MSCA reissue fails with "template has recently been issued to the same subject"

Some Windows CA templates configured with strict duplicate detection reject same-subject issuance within a window. Adjust the template's re-enrollment policy, or issue against a different template.