
CA Renewal

docs/documentation/platform/pki/ca/ca-renewal.mdx


Renew a CA certificate to extend its validity period. The renewal process varies depending on how your CA was originally signed.

<Info> This page is for product admins managing PKI infrastructure. If you're looking to renew end-entity certificates, see [Applications](/documentation/platform/pki/applications/overview). </Info>

Before You Renew

<Note>
- If renewing an intermediate CA chained to an **Infisical CA**, Infisical will automate the process of generating a new certificate for you.
- If renewing an intermediate CA signed by an **external CA provider** (e.g., Venafi, Azure AD CS), you can configure auto-renewal to automate the process. See [Venafi auto-renewal](/documentation/platform/pki/ca/venafi#auto-renewal) or [AD CS auto-renewal](/documentation/platform/pki/ca/azure-adcs#auto-renewal-for-ad-cs-signed-cas).
- If renewing an intermediate CA chained to an **external parent CA via manual import**, you'll need to generate a new certificate from the external parent CA and manually import it back.
</Note>

Renew a CA

<Tabs>
<Tab title="Infisical UI">
<Steps>
<Step title="Navigate to the CA">
Go to **Certificate Manager → Certificate Authorities → Internal** and select the CA you want to renew.
</Step>
<Step title="Start renewal">
Click **Renew CA** on the left side of the CA detail page.
</Step>
<Step title="Set new validity">
Input a new **Valid Until** date for the renewed CA certificate and click **Renew**.
    <Note>
      The new **Valid Until** date must be within the validity period of the parent CA.
    </Note>
  </Step>
</Steps>
</Tab>
<Tab title="API">
To renew a CA certificate, make an API request to the [Renew CA](/api-reference/endpoints/certificate-authorities/renew) API endpoint, specifying the new `notAfter` date for the CA. As in the UI, the new `notAfter` date must fall within the validity period of the parent CA. Replace `<ca-id>` with the ID of the CA being renewed and `<access-token>` with a token whose identity is permitted to manage that CA.
### Sample request

```bash
curl --location --request POST 'https://app.infisical.com/api/v1/cert-manager/ca/internal/<ca-id>/renew' \
  --header 'Authorization: Bearer <access-token>' \
  --header 'Content-Type: application/json' \
  --data-raw '{
      "type": "existing",
      "notAfter": "2029-06-12"
  }'
```

### Sample response

```json
{
  "certificate": "...",
  "certificateChain": "...",
  "serialNumber": "..."
}
```
</Tab>
</Tabs>

FAQ

<AccordionGroup>
<Accordion title="Does Infisical support CA renewal via new key pair?">
At the moment, Infisical only supports CA renewal with the same key pair: the renewed certificate is issued over the CA's existing public key. We anticipate supporting CA renewal via new key pair in the coming month.
</Accordion>
<Accordion title="What happens to certificates issued by the old CA certificate?">
Certificates issued before the renewal remain valid until their own expiration date. The CA's private key stays the same, so their signatures still verify against the renewed CA certificate and the chain of trust is preserved. Two practical caveats: distribute the renewed CA certificate wherever the chain is served or installed, and update any relying party that pins the old CA certificate itself (by fingerprint or exact bytes) rather than its public key, since that pin will no longer match.
</Accordion>
</AccordionGroup>
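Whichever path you renew through, it is worth checking the returned certificate before distributing it. The script below is an added example, not Infisical's code or part of this page: it builds a throwaway root and intermediate with the OpenSSL CLI (all names, files and validity periods are constructed for the example) and then checks the properties the renewal procedure above and the FAQ rely on: the key pair is unchanged, the renewed certificate chains to the parent, its `notAfter` does not exceed the parent's, and a leaf issued under the old intermediate certificate still verifies through the renewed one. It assumes `openssl` is on `PATH` and that `date` is GNU date (BSD `date` is tried as a fallback).

```shell
#!/bin/sh
# Added example, not Infisical's code: post-renewal checks for a same-key CA renewal,
# exercised against a throwaway PKI built here with the OpenSSL CLI so it runs offline.
# Everything under $WORK is constructed for the example.
# Assumes: openssl on PATH; GNU date for parsing notAfter (BSD date as fallback).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Sign a CSR with the fixture root, as the parent CA does when it renews an intermediate.
# Usage: sign_csr <csr> <days> <out.pem>
sign_csr() {
  openssl x509 -req -in "$1" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -days "$2" -extfile "$WORK/ca.ext" -out "$3" 2>/dev/null
}

# Constructed fixture: root (the parent), the intermediate's current certificate ("old"),
# three renewal candidates for it, and a leaf issued under the old intermediate certificate.
build_fixture() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$WORK/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  sign_csr "$WORK/int.csr" 365  "$WORK/int-old.pem"       # current certificate
  sign_csr "$WORK/int.csr" 730  "$WORK/int-new.pem"       # good renewal: same key, later notAfter
  sign_csr "$WORK/int.csr" 4000 "$WORK/int-outlives.pem"  # bad: notAfter beyond the root's 3650 days
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate" \
    -keyout "$WORK/int2.key" -out "$WORK/int2.csr" 2>/dev/null
  sign_csr "$WORK/int2.csr" 730 "$WORK/int-rekeyed.pem"   # bad: same name, different key pair
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=leaf.example" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int-old.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 90 -out "$WORK/leaf.pem" 2>/dev/null
}

# notAfter of a certificate as a Unix timestamp.
not_after_epoch() {
  local s
  s=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
  date -u -d "$s" +%s 2>/dev/null || date -u -j -f "%b %d %T %Y %Z" "$s" +%s
}

# Returns 0 if NEW is an acceptable same-key renewal of OLD under PARENT, 1 otherwise.
# Usage: check_renewal <old.pem> <new.pem> <parent.pem>
check_renewal() {
  local old="$1" new="$2" parent="$3"
  # 1. Same key pair: the SubjectPublicKeyInfo must be identical, otherwise
  #    certificates already issued by this CA stop chaining through the new certificate.
  if [ "$(openssl x509 -in "$old" -noout -pubkey)" != "$(openssl x509 -in "$new" -noout -pubkey)" ]; then
    echo "FAIL: public key changed" >&2; return 1
  fi
  # 2. The renewed certificate must verify against the parent.
  if ! openssl verify -CAfile "$parent" "$new" >/dev/null 2>&1; then
    echo "FAIL: does not chain to parent" >&2; return 1
  fi
  # 3. notAfter must not exceed the parent's. openssl verify only checks validity at the
  #    current time, so it does not flag this; the chain simply breaks when the parent expires.
  if [ "$(not_after_epoch "$new")" -gt "$(not_after_epoch "$parent")" ]; then
    echo "FAIL: renewed certificate outlives its parent" >&2; return 1
  fi
  return 0
}

# The FAQ point: a leaf issued under the old intermediate certificate still verifies through
# the renewed one, because the issuing key and the subject name did not change.
# Usage: leaf_chains_via <leaf.pem> <intermediate.pem> <parent.pem>
leaf_chains_via() {
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

build_fixture
for cand in int-new int-outlives int-rekeyed; do
  if check_renewal "$WORK/int-old.pem" "$WORK/$cand.pem" "$WORK/root.pem"; then
    echo "$cand: OK"
  else
    echo "$cand: rejected"
  fi
done
if leaf_chains_via "$WORK/leaf.pem" "$WORK/int-new.pem" "$WORK/root.pem"; then
  echo "leaf issued before renewal still chains via the renewed CA certificate"
fi
```

To use it on a real renewal, save the `certificate` field of the API response as `new.pem`, the CA's previous certificate as `old.pem` and the parent CA certificate as `parent.pem` (the issuer certificate, which `certificateChain` should contain), then run `check_renewal old.pem new.pem parent.pem`. The `int-outlives` case is the one to note: `openssl verify` accepts it today, which is why the **Valid Until** constraint on the parent's validity is enforced at renewal time rather than discovered later.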

What's Next?

<CardGroup cols={2}>
<Card title="CRL Distribution Points" icon="list" href="/documentation/platform/pki/ca/crl-distribution">
Configure CRL mirrors for your CA.
</Card>
<Card title="Create CA Hierarchy" icon="sitemap" href="/documentation/platform/pki/ca/private-ca">
Set up root and intermediate CAs.
</Card>
</CardGroup>