Renewal & rotation

How CertAutoPilot decides when to renew, what it does on success, what it does on failure, and how the 47-day SC-081 readiness score is computed.

01 The renewal window

By default, a certificate is renewed when 30 days remain until expiry. This can be overridden by per-certificate or per-project policy. The scheduler runs every 15 minutes; certs that crossed the threshold since the last run are enqueued for renewal.

Configurable per environment:

Validity                   Default renewal at
≤ 30 days (47-day mode)    14 days remaining
90 days                    30 days remaining
1 year                     30 days remaining
≥ 2 years                  60 days remaining

02 Key rotation

Renewal can either reuse the existing private key or generate a new one each time. The default is to rotate on every renewal, which means fresh keys every 90 days for Let's Encrypt-issued certs.

Reuse the key only when the consumer has the public key pinned somewhere (HPKP-like patterns; some IoT devices). Pinning is rare today.

03 Renewal failure

If the renewal fails, the scheduler retries with exponential backoff: 5 min, 15 min, 1 h, 4 h, 12 h, 24 h. After the 6th retry the certificate is marked renewal-stalled, a high-severity notification fires, and the scheduler stops retrying.

Stalled certs do not auto-retry

Once stalled, an operator must investigate, fix the underlying issue, and click Retry now. This prevents an out-of-band misconfiguration from burning your CA rate-limit budget while you sleep.

04 Post-renewal hooks

After a successful renewal, two things happen:

  1. Distribution. Every target attached to this cert is invoked — fan-out, dry-run optional, with rollback on validation failure.
  2. Custom hooks. An optional Webhook target receives a payload of {cert_id, fingerprint, not_after, chain}. Use it to invalidate caches, refresh service-mesh sidecars, or kick a CDN purge.

05 Revocation

Revocation is deliberately a separate manual action — never automatic. From the certificate detail page, choose Revoke, pick a reason code (key-compromise, superseded, etc.), and submit. CertAutoPilot calls the CA's revoke endpoint, marks the certificate revoked, and emits an audit event.

Revoked certs are kept in the inventory; they're not deleted. The status filter on the certificates list defaults to active; toggle to see revoked.

06 47-day readiness score (SC-081)

The dashboard widget computes the percentage of certificates in the project that:

  • Have auto-renew enabled, AND
  • Have at least one validated distribution target, AND
  • Have completed at least one successful unattended renewal in the last 90 days.

This is the practical floor for surviving Apple's proposed 47-day TLS-cert validity max. Aim for 100% in production.
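The three criteria above can be checked against your own inventory data to see which certificates hold the score down. The following is an added example, not CertAutoPilot's code: the record field names (auto_renew, targets, validated, last_unattended_renewal) are hypothetical, the sample records are constructed, and returning 0 for an empty project is an assumption.

```python
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(days=90)  # "last 90 days" from the readiness definition

def readiness_gaps(cert, now):
    """Return the readiness criteria this certificate record fails."""
    gaps = []
    if not cert.get("auto_renew"):
        gaps.append("auto-renew disabled")
    if not any(t.get("validated") for t in cert.get("targets", [])):
        gaps.append("no validated distribution target")
    last = cert.get("last_unattended_renewal")  # aware datetime or None
    if last is None or now - last > WINDOW:
        gaps.append("no successful unattended renewal in last 90 days")
    return gaps

def readiness_score(certs, now):
    """Percentage of certs meeting all three criteria, plus per-cert gaps."""
    report = {c["id"]: readiness_gaps(c, now) for c in certs}
    if not certs:
        return 0.0, report  # assumption: an empty project scores 0, not 100
    ready = sum(1 for gaps in report.values() if not gaps)
    return round(100.0 * ready / len(certs), 1), report

# Constructed sample inventory (hypothetical field names and values).
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    {"id": "cert-a", "auto_renew": True, "targets": [{"validated": True}],
     "last_unattended_renewal": NOW - timedelta(days=20)},
    {"id": "cert-b", "auto_renew": True, "targets": [{"validated": False}],
     "last_unattended_renewal": NOW - timedelta(days=10)},
    {"id": "cert-c", "auto_renew": False, "targets": [],
     "last_unattended_renewal": None},
    {"id": "cert-d", "auto_renew": True, "targets": [{"validated": True}],
     "last_unattended_renewal": NOW - timedelta(days=120)},
]

if __name__ == "__main__":
    score, report = readiness_score(SAMPLE, NOW)
    print(f"readiness: {score}%")
    for cert_id, gaps in report.items():
        print(f"  {cert_id}: {'ready' if not gaps else '; '.join(gaps)}")
```
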

07 API

POST /api/v1/projects/{project}/certificates/{id}/renew
POST /api/v1/projects/{project}/certificates/{id}/revoke
GET  /api/v1/projects/{project}/certificates/{id}/renewal-window
GET  /api/v1/projects/{project}/sc081-readiness