Automatic Certificate Renewal

Configure automatic certificate renewal with zero downtime.

TigerTrust automates certificate renewal to prevent outages and ensure continuous security.

Renewal Methods

Method      Use Case                    CA Support
----------  --------------------------  -------------------------------
ACME        Automated DV certificates   Let's Encrypt, ZeroSSL
CA API      Enterprise CA integration   DigiCert, Sectigo, Entrust
CSR-based   Manual CA submission        Any CA

How Auto-Renewal Works

1. Certificate approaching expiration (threshold reached)
       ↓
2. TigerTrust creates renewal task
       ↓
3. Agent generates CSR with existing private key or new key
       ↓
4. CSR submitted to CA (ACME or API)
       ↓
5. New certificate issued
       ↓
6. Certificate deployed to configured targets
       ↓
7. Services reloaded (nginx, apache, etc.)

Configuring Auto-Renewal

Per-Certificate Settings

  1. Navigate to certificate details
  2. Click Renewal Settings
  3. Configure:
     • Auto-Renew: enable or disable
     • Threshold: days before expiry to renew (default: 30)
     • Method: ACME, CA API, or Manual CSR
     • Key Rotation: generate a new key or reuse the existing one

Renewal Policies

Create policies for bulk configuration:

{
  "name": "Production Certificates",
  "renewalThreshold": 30,
  "method": "acme",
  "keyRotation": true,
  "keyType": "ECDSA",
  "keySize": 256,
  "autoDeployment": true,
  "deploymentTargets": ["nginx-main"],
  "notificationChannels": ["slack-ops"]
}
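The renewal workflow above starts when a certificate crosses the policy's threshold, and the renewal queue later in this page lists exactly those certificates. The following is an added example, not TigerTrust code: it loads a policy with the same keys as the JSON above, applies the threshold to a constructed certificate inventory, and produces queue entries in the shape of the renewal queue API response. The inventory, dates and the status names other than "pending" are assumptions made for the example.

```python
"""Renewal-threshold evaluation (added example, not TigerTrust code).
Policy keys mirror the policy JSON on this page; certificates and dates are
constructed sample data."""
import json
from datetime import datetime, timedelta, timezone

# Constructed policy with the same shape as the "Production Certificates" policy.
POLICY_JSON = """{
  "name": "Production Certificates",
  "renewalThreshold": 30,
  "method": "acme",
  "keyRotation": true,
  "keyType": "ECDSA",
  "keySize": 256,
  "autoDeployment": true,
  "deploymentTargets": ["nginx-main"],
  "notificationChannels": ["slack-ops"]
}"""

# Constructed certificate inventory (ids, names and dates are made up).
INVENTORY = [
    {"certificateId": 1, "commonName": "web.example.test", "expiresAt": "2024-04-01T00:00:00Z"},
    {"certificateId": 2, "commonName": "api.example.test", "expiresAt": "2024-06-15T00:00:00Z"},
    {"certificateId": 3, "commonName": "old.example.test", "expiresAt": "2024-02-20T00:00:00Z"},
]

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"   # ISO-8601 UTC, as used by the queue API


def load_policy():
    return json.loads(POLICY_JSON)


def parse_utc(ts):
    return datetime.strptime(ts, TS_FORMAT).replace(tzinfo=timezone.utc)


def renewal_due(expires_at, threshold_days):
    # Renewal becomes due `threshold_days` before the certificate expires.
    return expires_at - timedelta(days=threshold_days)


def classify(cert, policy, now):
    """Return a queue-style record; status is an assumed vocabulary
    (ok / pending / expired) built around the page's "pending"."""
    expires = parse_utc(cert["expiresAt"])
    due = renewal_due(expires, policy["renewalThreshold"])
    if now >= expires:
        status = "expired"          # already past expiry: highest urgency
    elif now >= due:
        status = "pending"          # threshold reached: renewal task should exist
    else:
        status = "ok"               # nothing to do yet
    return {
        "certificateId": cert["certificateId"],
        "commonName": cert["commonName"],
        "expiresAt": cert["expiresAt"],
        "renewalDue": due.strftime(TS_FORMAT),
        "method": policy["method"],
        "status": status,
    }


def build_queue(inventory, policy, now):
    """Entries that need a renewal task, earliest expiry first."""
    rows = [classify(c, policy, now) for c in inventory]
    queue = [r for r in rows if r["status"] in ("pending", "expired")]
    return sorted(queue, key=lambda r: r["expiresAt"])


if __name__ == "__main__":
    now = parse_utc("2024-03-05T00:00:00Z")   # constructed "current time"
    print(json.dumps({"data": build_queue(INVENTORY, load_policy(), now)}, indent=2))
```

Running it with the constructed clock set to 2024-03-05 puts certificate 3 (already expired) and certificate 1 (inside its 30-day window) in the queue and leaves certificate 2 alone; the ordering by expiry is what lets an operator see the most urgent failures first.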

ACME Renewal

TigerTrust supports the ACME protocol for automated renewal with:

  • Let's Encrypt
  • ZeroSSL
  • Buypass
  • Google Trust Services

ACME Configuration

  1. Navigate to Certificate Authorities → Add
  2. Select ACME provider
  3. Configure:
     • Account email
     • ACME directory URL
     • Challenge type (HTTP-01 or DNS-01)

DNS Challenge Support

For wildcard certificates, configure DNS providers:

  • Cloudflare
  • Route53
  • Azure DNS
  • Google Cloud DNS
  • RFC2136 (dynamic DNS)

CA API Renewal

Direct integration with enterprise CAs:

CA        API Type          Features
--------  ----------------  ---------------------------------
DigiCert  CertCentral API   Instant issuance, all cert types
Sectigo   SCM API           OV/EV automation
Entrust   ECS API           Enterprise PKI
Venafi    TPP API           Policy-driven

CA API Configuration

{
  "type": "digicert",
  "apiKey": "dc_api_key_here",
  "organizationId": "12345",
  "autoValidation": true,
  "certificateTypes": ["OV", "EV"],
  "productIds": {
    "ssl": "ssl_plus",
    "wildcard": "ssl_wildcard"
  }
}

CSR-Based Renewal

For CAs without API integration:

  1. TigerTrust generates CSR
  2. Notification sent with CSR
  3. Admin submits to CA manually
  4. Admin uploads new certificate
  5. TigerTrust deploys certificate

Deployment After Renewal

Configure automatic deployment:

deployment:
  auto_deploy: true
  targets:
    - name: nginx-main
      cert_path: /etc/nginx/ssl/server.crt
      key_path: /etc/nginx/ssl/server.key
      reload_command: systemctl reload nginx
    - name: haproxy-lb
      cert_path: /etc/haproxy/ssl/combined.pem
      reload_command: systemctl reload haproxy
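The deployment step is where two of the failures in the troubleshooting section originate (permission denied on the target files, and a service reload against a half-written or malformed file). The following added example, which is not TigerTrust's agent code, shows how a deployer for targets shaped like the YAML above can avoid both: it refuses non-PEM input before touching anything, writes each file atomically (temp file, fsync, rename) so a reloading service never reads a truncated certificate, and gives the key and the haproxy bundle owner-only permissions. The PEM contents, target paths and the use of `true` as a stand-in reload command are constructed for the demo.

```python
"""Atomic certificate deployment with a pre-reload sanity check.
Added example, not TigerTrust code. Target dicts use the keys from the
deployment YAML on this page; PEM contents are constructed placeholders."""
import os
import shlex
import subprocess
import tempfile

# Constructed stand-ins for PEM files (not real keys or certificates).
CERT_PEM = "-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n"
KEY_PEM = "-----BEGIN PRIVATE KEY-----\nMIIE...constructed...\n-----END PRIVATE KEY-----\n"


def looks_like_pem(data, label):
    """Cheap structural check done before any file a service reads is touched."""
    return (data.startswith(f"-----BEGIN {label}-----")
            and data.rstrip().endswith(f"-----END {label}-----"))


def write_atomic(path, data, mode):
    """Write to a temp file in the same directory, fsync, set the mode, then
    rename over the old file so readers see either the old or the new file."""
    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".tmp-")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(data)
            fh.flush()
            os.fsync(fh.fileno())
        os.chmod(tmp, mode)          # explicit mode: not subject to umask
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def deploy_target(target, cert_pem, key_pem):
    """Deploy to one target; returns the paths written. Raises before the
    reload command runs if the input is not PEM."""
    if not looks_like_pem(cert_pem, "CERTIFICATE"):
        raise ValueError("certificate is not PEM; refusing to deploy")
    if not looks_like_pem(key_pem, "PRIVATE KEY"):
        raise ValueError("private key is not PEM; refusing to deploy")
    written = []
    if "key_path" in target:
        # Split files (nginx style): cert readable, key owner-only.
        write_atomic(target["cert_path"], cert_pem, 0o644)
        write_atomic(target["key_path"], key_pem, 0o600)
        written += [target["cert_path"], target["key_path"]]
    else:
        # Combined bundle (haproxy style) contains the key, so owner-only.
        write_atomic(target["cert_path"], cert_pem + key_pem, 0o600)
        written.append(target["cert_path"])
    cmd = target.get("reload_command")
    if cmd:
        subprocess.run(shlex.split(cmd), check=True)   # only after files are in place
    return written


def demo_deploy(base_dir=None):
    """Deploy the constructed PEMs to two targets under a scratch directory,
    with 'true' standing in for the reload command, and report file modes."""
    base_dir = base_dir or tempfile.mkdtemp(prefix="cert-deploy-demo-")
    targets = [
        {"name": "nginx-main",
         "cert_path": os.path.join(base_dir, "server.crt"),
         "key_path": os.path.join(base_dir, "server.key"),
         "reload_command": "true"},
        {"name": "haproxy-lb",
         "cert_path": os.path.join(base_dir, "combined.pem"),
         "reload_command": "true"},
    ]
    report = {}
    for target in targets:
        for path in deploy_target(target, CERT_PEM, KEY_PEM):
            report[os.path.basename(path)] = oct(os.stat(path).st_mode & 0o777)
    return report


if __name__ == "__main__":
    print(demo_deploy())
```

In a real deployment the reload command would be the `systemctl reload ...` line from the target configuration; keeping it last, after the atomic rename, is what makes a failed write show up as "deployment failed" rather than as a service that reloaded a broken file.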

Renewal Notifications

Configure notifications for renewal events:

Event                    Description
-----------------------  ------------------------------------
renewal_started          Renewal process initiated
renewal_completed        Certificate successfully renewed
renewal_failed           Renewal failed (with error details)
deployment_completed     Certificate deployed to targets
manual_action_required   CSR ready for manual submission

Monitoring Renewals

Dashboard View

Navigate to Certificates → Renewals to see:

  • Upcoming renewals (sorted by expiration)
  • In-progress renewals
  • Recent renewal history
  • Failed renewals requiring attention

Renewal Queue API

GET /api/renewal/queue
Response:
{
  "data": [
    {
      "certificateId": 1,
      "commonName": "example.com",
      "expiresAt": "2024-04-01T00:00:00Z",
      "renewalDue": "2024-03-01T00:00:00Z",
      "method": "acme",
      "status": "pending"
    }
  ]
}

Troubleshooting Renewals

Issue                   Cause                Solution
----------------------  -------------------  -------------------------------
ACME challenge failed   DNS not propagated   Increase propagation wait time
Agent timeout           Network issues       Check agent connectivity
CA API error            Invalid credentials  Verify CA API key
Deployment failed       Permission denied    Check file permissions
Service reload failed   Invalid config       Validate certificate format
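The first row of the table ("DNS not propagated") is the most common DNS-01 failure: the `_acme-challenge` TXT record exists at the provider but has not reached every authoritative nameserver when the CA validates. The added example below, not part of TigerTrust, shows the pre-flight check that a renewal agent can run before triggering validation: poll each authoritative nameserver until all of them return the expected token, and give up only after the configured wait. The lookup function is injectable, so the demo runs offline against a constructed zone in which one nameserver lags by 40 seconds; the names and token are constructed.

```python
"""DNS-01 propagation wait (added example, not TigerTrust code).
`lookup(nameserver, name)` must return the TXT strings that nameserver serves
for `name`; the demo injects a simulated zone so nothing touches the network."""
import time

CHALLENGE_NAME = "_acme-challenge.example.test"   # constructed
EXPECTED_TOKEN = "constructed-challenge-token"     # constructed


def wait_for_propagation(name, expected, nameservers, lookup,
                         timeout=120, interval=5, sleep=time.sleep):
    """Poll every nameserver until each one returns `expected` for `name`.
    Returns (ok, elapsed_seconds); stops early once all servers agree."""
    elapsed = 0
    while True:
        lagging = [ns for ns in nameservers if expected not in lookup(ns, name)]
        if not lagging:
            return True, elapsed
        if elapsed >= timeout:
            return False, elapsed          # caller should raise the wait time
        sleep(interval)
        elapsed += interval


class SimulatedZone:
    """Constructed resolver: each nameserver starts serving the TXT record
    after its own delay, mimicking uneven propagation across a provider."""

    def __init__(self, delays):
        self.delays = delays        # nameserver -> seconds until it serves the TXT
        self.clock = 0

    def sleep(self, seconds):
        self.clock += seconds       # advance simulated time instead of blocking

    def lookup(self, nameserver, name):
        if name == CHALLENGE_NAME and self.clock >= self.delays[nameserver]:
            return [EXPECTED_TOKEN]
        return []


def run_demo(timeout):
    """Two authoritative servers; the second lags by 40 s. Polls every 10 s."""
    zone = SimulatedZone({"ns1.example.test": 0, "ns2.example.test": 40})
    return wait_for_propagation(CHALLENGE_NAME, EXPECTED_TOKEN, list(zone.delays),
                                zone.lookup, timeout=timeout, interval=10,
                                sleep=zone.sleep)


if __name__ == "__main__":
    print("30 s wait:", run_demo(30))    # fails: second server still lagging
    print("60 s wait:", run_demo(60))    # succeeds once both servers answer
```

A real `lookup` should query each authoritative nameserver of the zone directly rather than a caching public resolver, since a cached empty answer can make the record look unpropagated long after it is live. The two demo runs show why "increase propagation wait time" is the fix: a 30 second wait times out while the lagging server is still empty, a 60 second wait succeeds after 40 seconds.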

Best Practices

  1. Set threshold at 30 days - Provides time to address failures
  2. Test with staging CAs first - Use Let's Encrypt staging
  3. Configure alerts - Get notified of failures immediately
  4. Use key rotation - Generate new keys periodically
  5. Monitor renewal success rate - Track in analytics dashboard