step ca renew

NAME

step ca renew – renew a valid certificate

USAGE

step ca renew crt-file key-file [--ca-url=uri] [--root=file] [--out=file] [--expires-in=duration] [--force]

DESCRIPTION

The step ca renew command renews the given certificates on the certificate authority and writes the new certificate to disk, either overwriting crt-file or using a new file if the --out=file flag is used.

POSITIONAL ARGUMENTS

crt-file
The certificate in PEM format that we want to renew.
key-file
The key file of the certificate.

OPTIONS

--ca-url=URI
URI of the targeted Step Certificate Authority.
--root=file
The path to the PEM file used as the root certificate authority.
--out=file, --output-file=file
The new certificate file path. Defaults to overwriting the crt-file positional argument.
--expires-in=duration
The duration check that will be performed before renewing the certificate. The certificate renewal will be skipped if the time to expiration is greater than the passed duration. A random jitter (duration/20) will be added to avoid multiple services hitting the renew endpoint at the same time. The duration is a sequence of decimal numbers, each with optional fraction and a unit suffix, such as “300ms”, “-1.5h” or “2h45m”. Valid time units are “ns”, “us” (or “µs”), “ms”, “s”, “m”, “h”.
-f=value, --force=value
Force the overwrite of files without asking.

EXAMPLES

Renew a certificate with the configured CA:

$ step ca renew internal.crt internal.key
Would you like to overwrite internal.crt [Y/n]: y

Renew a certificate without overwriting the previous certificate:

$ step ca renew --out renewed.crt internal.crt internal.key

Renew a certificate forcing the overwrite of the previous certificate:

$ step ca renew --force internal.crt internal.key

Renew a certificate providing the --ca-url and --root flags:

$ step ca renew --ca-url https://ca.smallstep.com:9000 \
  --root /path/to/root_ca.crt internal.crt internal.key
Would you like to overwrite internal.crt [Y/n]: y

Renew skipped because it was too early:

$ step ca renew --expires-in 8h internal.crt internal.key
certificate not renewed: expires in 10h52m5s
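
The --expires-in check described under OPTIONS, modeled as an added Go example (not the step CLI's own code) so the effect of the jitter on the renewal window can be tested. Decide, jitterFor and the sample clock are hypothetical names and constructed values; how the jitter is drawn and applied is an assumption based on the wording "will be added".

```go
package main

import (
	"fmt"
	"math/rand"
	"time"
)

// jitterFor scales a random draw in [0,1) to the duration/20 jitter bound.
// Assumption: uniform draw, and no jitter for zero or negative durations.
func jitterFor(expiresIn time.Duration, draw float64) time.Duration {
	if expiresIn <= 0 {
		return 0
	}
	return time.Duration(draw * float64(expiresIn/20))
}

// Decide reports whether a certificate expiring at notAfter should be renewed
// at time now for the given --expires-in value. Assumption: the jitter is
// added to the threshold, so renewal can start slightly before the nominal window.
func Decide(flag string, notAfter, now time.Time, draw float64) (bool, string, error) {
	expiresIn, err := time.ParseDuration(flag) // same unit syntax as the flag: "300ms", "-1.5h", "2h45m"
	if err != nil {
		return false, "", fmt.Errorf("invalid --expires-in %q: %w", flag, err)
	}
	remaining := notAfter.Sub(now).Round(time.Second)
	if remaining > expiresIn+jitterFor(expiresIn, draw) {
		return false, "certificate not renewed: expires in " + remaining.String(), nil
	}
	return true, "renewing: expires in " + remaining.String(), nil
}

func main() {
	now := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed clock
	for _, left := range []string{"10h52m5s", "8h10m", "7h"} { // constructed remaining lifetimes
		d, _ := time.ParseDuration(left)
		renew, msg, err := Decide("8h", now.Add(d), now, rand.Float64())
		fmt.Println(renew, msg, err)
	}
}
```

With --expires-in 8h the jitter bound is 24m, so a certificate with 8h10m left may or may not be renewed on a given run, which is what spreads a fleet's requests over time.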