Standard renewal flow
The DigiCert® Trust Lifecycle Manager (TLM) user takes a series of steps when renewing a certificate. Check the following headers for each enrollment method to understand how the renewal flow works for that specific method.
The standard renewal flow follows:
The certificate enters its renewal window. The user (as identified by their seat ID) receives a renewal email containing a unique link to the TLM enrollment page.
TLM checks the following renewal requirements have been met:
The certificate has not been renewed yet, and is not revoked.
The certificate is in its renewal window (configured within the profile).
The new certificate will not outlive its Issuing CA.
The renewal request contains the exact same Subject.DN as the original certificate.
TLM creates the renewal enrollment for the new certificate. By default, it reuses the previous CSR and prepopulates the certificate fields. You can change many field values depending on the profile. To use a new key pair, you must create a new CSR.
TLM checks for request approval.
The certificate profile controls the Automated renewal (without re-approval) option. Enabling this option means automatic approval of renewal requests.
If the authentication method is Enrollment code, requests are approved automatically.
Otherwise, a TLM admin must reapprove the request. TLM will recheck the conditions in step 1 to confirm the renewal requirements are still met, and will email the user when their request is approved.
DigiCert® Trust Lifecycle Manager does the following:
Marks the previous certificate as renewed to prevent duplicate renewal attempts.
The new certificate's validity period is calculated. The new certificate’s expiration date is always going to be equal to the previous certificate’s expiration date plus the profile’s validity period. If necessary, validity will be added when the certificate is being renewed early.
The admin can override the validity when approving the request.
The maximum allowed renewal window is 30 days. Certificates cannot be renewed earlier than that.
Issues the new certificate and returns the user to the console.