
renewcert.py

Renew certificates that are about to expire using the importcert.py script in FairCom Certificate Manager

Abstract

Renew certificates that are about to expire using the importcert.py script in FairCom Certificate Manager.

This script renews all certificates in a folder by creating new certificates with a later expiration date. Afterward, distribute the renewed certificates to the servers and clients that use them.

Example

Run the Python script renewcert.py without command-line arguments, and it will prompt you for the following information:

  • Number of months until the renewed certificates expire

Welcome to FairCom's Certificate Renewal Program
For help, run this program with the '-h' option.

The following directories contain certificates:
Certificates in 'downloads\Expires_On_2026-04-14' will be renewed.

Enter the number of months when the certificate will expire.
  When a certificate expires, communications using that certificate no longer work.
  Recommended expiration is 13 months to give time to renew each year.
  NOTE: When a CA certificate expires, the CA certificate must be replaced by a new CA certificate everywhere it is used,
  such as operating systems, browsers, and other software.
  Months [13]: _____

Press ENTER to proceed.
Press x, to exit without any changes.

Successfully created and saved 3 of 3 files:

The file list printed at the end always shows the absolute path of each file, even when relative paths were given during the run.

Command-line options

Welcome to FairCom's Certificate Renewal Program
For help, run this program with the '-h' option.
usage: renewcert.py [-h] [--altName [ALTNAME ...]] [--altNameFile [ALTNAMEFILE]] [--bits [BITS]]
                    [--caCertFile [CACERTFILE]] [--caKeyFile [CAKEYFILE]] [--caKeyFilePass [CAKEYFILEPASS]]
                    [--certManagementFolder [CERTMANAGEMENTFOLDER]] [--cipher [CIPHER]] [--commonName [COMMONNAME]]
                    [--country [COUNTRY]] [--email [EMAIL]] [--inputDirectory [INPUTDIRECTORY]] [--location [LOCATION]]
                    [--months [MONTHS]] [--org [ORG]] [--outCertFile [OUTCERTFILE]] [--outKeyFile [OUTKEYFILE]]
                    [--passphrase [PASSPHRASE]] [--revokeSerialNumbers [REVOKESERIALNUMBERS ...]]
                    [--selfSigned [SELFSIGNED]] [--serial [SERIAL]] [--singleFile [SINGLEFILE]] [--state [STATE]]
                    [--unit [UNIT]]

FairCom's Certificate Renewal Program

options:
  -h, --help            show this help message and exit
  --altName [ALTNAME ...]
                        A space delimited list of Subject Alternative Names.
  --altNameFile [ALTNAMEFILE]
                        A filename to load Subject Alternative Names from. One entry per line. Will be ignored if
                        --altName is present.
  --bits [BITS]         The bit-depth to use when generating the private key. Defaults to 4096.
  --caCertFile [CACERTFILE]
                        The CA certificate filename. Ignored when generating new CA key pairs.
  --caKeyFile [CAKEYFILE]
                        The CA key filename. Ignored when generating new CA key pairs.
  --caKeyFilePass [CAKEYFILEPASS]
                        An optional passphrase to unlock encrypted CA/signing key data. Ignored when generating new CA
                        key pairs.
  --certManagementFolder [CERTMANAGEMENTFOLDER]
                        The base directory to store saved files in.
  --cipher [CIPHER]     The cipher to use for encryption and decryption. Defaults to sha256.
  --commonName [COMMONNAME]
                        The Common Name is a string used to identify the certificate.
  --country [COUNTRY]   A two-letter country designation.
  --email [EMAIL]       An email address to associate with the output certificate.
  --inputDirectory [INPUTDIRECTORY]
                        The directory containing certificates to renew. Used only by renewcert.py
  --location [LOCATION]
                        The certificate organization location or city.
  --months [MONTHS]     The certificate validity duration.
  --org [ORG]           The certificate organization name.
  --outCertFile [OUTCERTFILE]
                        The output certificate filename.
  --outKeyFile [OUTKEYFILE]
                        The output key filename.
  --passphrase [PASSPHRASE]
                        If provided, the new key will be encrypted using this passphrase.
  --revokeSerialNumbers [REVOKESERIALNUMBERS ...]
                        A space delimited list of serial numbers to revoke. Used only by revokecert.py
  --selfSigned [SELFSIGNED]
                        If true, the server/client key will sign the new certificate rather than a CA key. Defaults to
                        False. Ignored when generating new CA key pairs.
  --serial [SERIAL]     The serial number is an integer used to identify the certificate. When a certificate is revoked,
                        this number is how the revoked certificate is identified.
  --singleFile [SINGLEFILE]
                        If true, both the key and certificate will be saved in the certificate file. Defaults to False.
                        Ignored when generating new CA key pairs.
  --state [STATE]       The certificate organization state or province.
  --unit [UNIT]         The certificate organization Unit or department.

  • When running importcert.py, if only one directory contains certificates, that directory is automatically selected for renewal.

  • Certificates expire and must be renewed.

  • You must renew a certificate before expiration; otherwise, TLS communications will fail.

  • When this script renews a CA, server, or client certificate, it creates a new certificate with a new expiration date.

  • This script does not alter a certificate's private key or the original certificate.

  • After you renew a CA certificate, you must do the following:

    • Run importcert.py on client computers to register the new CA certificate.

    • Register the new CA certificate with client software so it can validate server certificates.

    • Generate new server certificates and private keys. Then distribute these files to the appropriate servers.

    • Generate new client certificates and private keys. Then distribute these files to the appropriate users and client software.
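The two checks a practitioner wants around this procedure are knowing which certificates in the folder are close to expiry, and knowing the date a renewal with the prompted month count will produce. The following dependency-free Python module is an added example, not FairCom's code and not part of renewcert.py: it reads each certificate, walks the DER structure to the validity field to extract notAfter (so it also works on a single file that carries both key and certificate), flags certificates inside a warning window, and computes the renewed expiry date. The sample certificate it builds is a constructed, unsigned skeleton used only to exercise the parser; the *.pem/*.crt folder layout, the 30-day warning window and the month arithmetic are assumptions, not behaviour taken from the script.

```python
import base64
import calendar
import os
from datetime import datetime, timedelta, timezone

# ---- minimal DER helpers (written for this example; not FairCom code) ----

def _tlv(tag: int, value: bytes) -> bytes:
    """Encode one DER tag-length-value element (single-byte tag)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value

def _read_tlv(buf: bytes, pos: int):
    """Decode the DER element at pos; return (tag, value, position after the element)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: the next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _parse_time(tag: int, value: bytes) -> datetime:
    """X.509 Time is UTCTime (0x17, two-digit year) or GeneralizedTime (0x18, four-digit year)."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def cert_not_after(der: bytes) -> datetime:
    """Walk Certificate -> tbsCertificate -> validity and return notAfter."""
    _, cert, _ = _read_tlv(der, 0)         # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)         # tbsCertificate is its first element
    pos = 0
    if tbs[0] == 0xA0:                     # optional [0] EXPLICIT version (absent in v1 certs)
        _, _, pos = _read_tlv(tbs, pos)
    for _ in range(3):                     # skip serialNumber, signature, issuer
        _, _, pos = _read_tlv(tbs, pos)
    _, validity, _ = _read_tlv(tbs, pos)   # validity ::= SEQUENCE { notBefore, notAfter }
    _, _, pos = _read_tlv(validity, 0)     # notBefore (not needed here)
    tag, value, _ = _read_tlv(validity, pos)
    return _parse_time(tag, value)

def pem_to_der(pem_text: str) -> bytes:
    """Extract the first CERTIFICATE block (the file may also carry the key) and decode it."""
    begin = "-----BEGIN CERTIFICATE-----"
    start = pem_text.index(begin) + len(begin)
    end = pem_text.index("-----END CERTIFICATE-----", start)
    return base64.b64decode("".join(pem_text[start:end].split()))

def renewal_expiry(start: datetime, months: int = 13) -> datetime:
    """Assumed month arithmetic for the 'Months [13]' prompt: add whole months and clamp the
    day to the target month (31 Jan + 1 month -> 28 Feb). The real script may differ."""
    total = start.month - 1 + months
    year, month = start.year + total // 12, total % 12 + 1
    day = min(start.day, calendar.monthrange(year, month)[1])
    return start.replace(year=year, month=month, day=day)

def classify_certs(certs, now: datetime, warn_days: int = 30):
    """certs: iterable of (name, pem_text). Returns (name, not_after, days_left, status) tuples
    sorted by urgency; status is 'expired', 'renew' (inside the warning window) or 'ok'."""
    report = []
    for name, pem_text in certs:
        not_after = cert_not_after(pem_to_der(pem_text))
        days_left = (not_after - now).days
        status = "expired" if days_left < 0 else "renew" if days_left <= warn_days else "ok"
        report.append((name, not_after, days_left, status))
    return sorted(report, key=lambda r: r[2])

def scan_folder(folder: str, now=None, warn_days: int = 30):
    """Classify every *.pem / *.crt file in folder (file-extension convention is an assumption)."""
    now = now or datetime.now(timezone.utc)
    certs = []
    for fn in sorted(os.listdir(folder)):
        if fn.lower().endswith((".pem", ".crt")):
            with open(os.path.join(folder, fn), encoding="ascii") as fh:
                certs.append((fn, fh.read()))
    return classify_certs(certs, now, warn_days)

# ---- constructed sample certificate: an unsigned skeleton, enough for the validity parser ----

def _utctime(dt: datetime) -> bytes:
    return _tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))

def sample_cert_pem(not_before: datetime, not_after: datetime) -> str:
    """Build a minimal DER Certificate with the given validity and PEM-wrap it.
    Names, key and signature are empty placeholders; this is test scaffolding, not a real cert."""
    version = _tlv(0xA0, _tlv(0x02, b"\x02"))          # [0] EXPLICIT INTEGER 2 (v3)
    serial = _tlv(0x02, b"\x01")
    empty_seq = _tlv(0x30, b"")
    validity = _tlv(0x30, _utctime(not_before) + _utctime(not_after))
    tbs = _tlv(0x30, version + serial + empty_seq + empty_seq + validity + empty_seq + empty_seq)
    cert = _tlv(0x30, tbs + empty_seq + _tlv(0x03, b"\x00"))
    b64 = base64.b64encode(cert).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    now = datetime(2026, 3, 20, tzinfo=timezone.utc)            # constructed "today"
    certs = [  # constructed inputs; the 2026-04-14 date mirrors the folder name shown above
        ("ca.pem", sample_cert_pem(now - timedelta(days=365), datetime(2026, 4, 14, tzinfo=timezone.utc))),
        ("server.pem", sample_cert_pem(now - timedelta(days=30), now + timedelta(days=400))),
    ]
    for name, not_after, days_left, status in classify_certs(certs, now):
        print(f"{name:12s} expires {not_after:%Y-%m-%d} ({days_left:4d} days) {status}")
    print("a renewal made today would expire on", renewal_expiry(now).date())
```

Run it on a real folder with scan_folder("downloads/Expires_On_2026-04-14") to get the same report for the script's input directory. The CA entry matters most: per the notes above, a renewed CA certificate has to be re-registered on every client and followed by new server and client certificates, so give it the longest lead time.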