Skip to main content

Automatically replace expiring certificates

Automation profiles replace certificates before expiration by renewing and installing a replacement certificate according to the profile configuration. Replacement also applies when a certificate is revoked, missing, or issued by a non-DigiCert certificate authority.

Replacement trigger conditions

CertCentral triggers automatic replacement under the following conditions:

For standard plans:

  • The certificate has expired or is expiring within 90 days

  • An active certificate is revoked or missing. The replacement certificate retains the remaining validity of the original certificate.

For Multi-year Plans:

  • The order or plan has expired or is expiring within 90 days

  • A certificate issued from an active plan needs to be replaced, is revoked, or is missing

Additional trigger:

  • The existing certificate was issued by a non-DigiCert certificate authority and needs to be replaced with a DigiCert certificate

Enable automatic replacement

  1. In the CertCentral menu, go to Automation > Manage profiles.

  2. Select Add new profile, or select an existing profile to edit.

  3. In Certificate settings, enable the Automatically renew and install certificate option.

  4. Select a renewal schedule, or use the default renewal time.

  5. Select Save.

Automation profiles apply replacement settings to all associated certificates.

Replacement behavior

Automated replacement proceeds when all of the following conditions are met:

  • The certificate is eligible for replacement based on the trigger conditions above

  • Domain control validation requirements are satisfied

  • Organization validation is complete where applicable

  • Account approval settings allow automated issuance

When replacement does not complete, confirm the following:

  • The certificate remains associated with an active automation profile

  • Validation requirements are satisfied

  • Account approval settings allow automated issuance

Notice

Replacement behavior differs from renewal. Renewal extends an expiring certificate within the same order. Replacement issues a new certificate and installs it in place of the existing one. For certificates revoked due to key compromise, replacement also generates a new key pair.

What's next

Monitor automation health and failures to verify that automated certificate workflows run successfully and respond to failures that may interrupt certificate lifecycle management

In this section: