
renewcert.py

Renew certificates that are about to expire using the renewcert.py script in FairCom Certificate Manager

This script renews every certificate in a folder by creating a new certificate for each one with a later expiration date. After it runs, distribute the renewed certificates to the servers and clients that use them.

Example

Run the Python script renewcert.py without command-line arguments, and it will prompt you for the following information:

  • Number of months until the renewed certificates expire

Welcome to FairCom's Certificate Renewal Program
For help, run this program with the '-h' option.

The following directories contain certificates:
Certificates in 'downloads\Expires_On_2026-04-14' will be renewed.

Enter the number of months when the certificate will expire.
  When a certificate expires, communications using that certificate no longer work.
  Recommended expiration is 13 months to give time to renew each year.
  NOTE: When a CA certificate expires, the CA certificate must be replaced by a new CA certificate everywhere it is used,
  such as operating systems, browsers, and other software.
  Months [13]: _____

Press ENTER to proceed.
Press x, to exit without any changes.

Successfully created and saved 3 of 3 files:

The output files listed at the bottom always show the absolute path to the files, even if relative paths were used throughout the program.

Command-line options

Welcome to FairCom's Certificate Renewal Program
For help, run this program with the '-h' option.
usage: renewcert.py [-h] [--altName [ALTNAME ...]] [--altNameFile [ALTNAMEFILE]] [--bits [BITS]]
                    [--caCertFile [CACERTFILE]] [--caKeyFile [CAKEYFILE]] [--caKeyFilePass [CAKEYFILEPASS]]
                    [--certManagementFolder [CERTMANAGEMENTFOLDER]] [--cipher [CIPHER]] [--commonName [COMMONNAME]]
                    [--country [COUNTRY]] [--email [EMAIL]] [--inputDirectory [INPUTDIRECTORY]] [--location [LOCATION]]
                    [--months [MONTHS]] [--org [ORG]] [--outCertFile [OUTCERTFILE]] [--outKeyFile [OUTKEYFILE]]
                    [--passphrase [PASSPHRASE]] [--revokeSerialNumbers [REVOKESERIALNUMBERS ...]]
                    [--selfSigned [SELFSIGNED]] [--serial [SERIAL]] [--singleFile [SINGLEFILE]] [--state [STATE]]
                    [--unit [UNIT]]

FairCom's Certificate Renewal Program

options:
  -h, --help            show this help message and exit
  --altName [ALTNAME ...]
                        A space delimited list of Subject Alternative Names.
  --altNameFile [ALTNAMEFILE]
                        A filename to load Subject Alternative Names from. One entry per line. Will be ignored if
                        --altName is present.
  --bits [BITS]         The bit-depth to use when generating the private key. Defaults to 4096.
  --caCertFile [CACERTFILE]
                        The CA certificate filename. Ignored when generating new CA key pairs.
  --caKeyFile [CAKEYFILE]
                        The CA key filename. Ignored when generating new CA key pairs.
  --caKeyFilePass [CAKEYFILEPASS]
                        An optional passphrase to unlock encrypted CA/signing key data. Ignored when generating new CA
                        key pairs.
  --certManagementFolder [CERTMANAGEMENTFOLDER]
                        The base directory to store saved files in.
  --cipher [CIPHER]     The cipher to use for encryption and decryption. Defaults to sha256.
  --commonName [COMMONNAME]
                        The Common Name is a string used to identify the certificate.
  --country [COUNTRY]   A two-letter country designation.
  --email [EMAIL]       An email address to associate with the output certificate.
  --inputDirectory [INPUTDIRECTORY]
                        The directory containing certificates to renew. Used only by renewcert.py
  --location [LOCATION]
                        The certificate organization location or city.
  --months [MONTHS]     The certificate validity duration.
  --org [ORG]           The certificate organization name.
  --outCertFile [OUTCERTFILE]
                        The output certificate filename.
  --outKeyFile [OUTKEYFILE]
                        The output key filename.
  --passphrase [PASSPHRASE]
                        If provided, the new key will be encrypted using this passphrase.
  --revokeSerialNumbers [REVOKESERIALNUMBERS ...]
                        A space delimited list of serial numbers to revoke. Used only by revokecert.py
  --selfSigned [SELFSIGNED]
                        If true, the server/client key will sign the new certificate rather than a CA key. Defaults to
                        False. Ignored when generating new CA key pairs.
  --serial [SERIAL]     The serial number is an integer used to identify the certificate. When a certificate is revoked,
                        this number is how the revoked certificate is identified.
  --singleFile [SINGLEFILE]
                        If true, both the key and certificate will be saved in the certificate file. Defaults to False.
                        Ignored when generating new CA key pairs.
  --state [STATE]       The certificate organization state or province.
  --unit [UNIT]         The certificate organization Unit or department.

Notes

  • When running renewcert.py, if only one directory contains certificates, that directory is automatically selected for renewal (as in the example above, where 'downloads\Expires_On_2026-04-14' was chosen without a prompt).

  • Certificates expire and must be renewed.

  • You must renew a certificate before expiration; otherwise, TLS communications will fail.

  • When this script renews a CA, server, or client certificate, it creates a new certificate with a new expiration date.

  • This script does not alter a certificate's private key or the original certificate.

  • Treat the values of --passphrase and --caKeyFilePass as secrets: anything passed on the command line is visible in the process list and in the shell history of the host where the script runs.

  • After you renew a CA certificate, you must do the following:

    • Run importcert.py on client computers to register the new CA certificate.

    • Register the new CA certificate with client software so it can validate server certificates.

    • Generate new server certificates and private keys. Then distribute these files to the appropriate servers.

    • Generate new client certificates and private keys. Then distribute these files to the appropriate users and client software.
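The notes above say that a certificate must be renewed before it expires and that TLS communications fail once it does, so a practitioner usually wants to confirm the notAfter date of the files in a folder such as 'downloads\Expires_On_2026-04-14' before and after running renewcert.py. The following is an added example, not code from FairCom Certificate Manager: a standard-library-only Python reader that pulls the serial number and validity period straight out of the DER encoding of each certificate and lists the ones that expire within a threshold. The 30-day threshold, the labels, and the sample certificates are assumptions; the samples have the correct Certificate/TBSCertificate layout but placeholder issuer, subject, key and signature fields, so they exercise the parser without being real or verifiable certificates. The reader checks dates only; it does not verify signatures or chains.

```python
"""Added example (not FairCom's code): read serial number and validity period from
X.509 certificates using only the Python standard library, and list which ones are
due for renewal. Works on real PEM files; the samples built below are constructed."""
import base64
import datetime as dt
import os
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos:]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits give the length-of-length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(seq_body):
    """Return the (tag, value) pairs directly inside a DER SEQUENCE body."""
    out, pos = [], 0
    while pos < len(seq_body):
        tag, val, pos = _read_tlv(seq_body, pos)
        out.append((tag, val))
    return out


def _parse_time(tag, val):
    """Time ::= UTCTime (0x17, YYMMDDHHMMSSZ) | GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    s = val.decode("ascii")
    if tag == 0x17:                          # RFC 5280: YY >= 50 means 19YY, otherwise 20YY
        yy = int(s[:2])
        s = "%04d%s" % (1900 + yy if yy >= 50 else 2000 + yy, s[2:])
    elif tag != 0x18:
        raise ValueError("unexpected Time tag 0x%02x" % tag)
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)


def cert_info(der):
    """Return serial, not_before and not_after from a DER-encoded X.509 certificate."""
    tag, cert, _ = _read_tlv(der, 0)         # Certificate ::= SEQUENCE { tbsCertificate, ... }
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, _ = _read_tlv(cert, 0)
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                 # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    # TBSCertificate field order: serialNumber, signature, issuer, validity, subject, ...
    serial = int.from_bytes(fields[0][1], "big", signed=True)
    not_before, not_after = [_parse_time(t, v) for t, v in _children(fields[3][1])]
    return {"serial": serial, "not_before": not_before, "not_after": not_after}


def load_pem_certs(path):
    """Return the DER blobs of every certificate in a PEM file (a bundle may hold several)."""
    with open(path, "rb") as f:
        data = f.read()
    return [base64.b64decode(b"".join(m.group(1).split())) for m in PEM_RE.finditer(data)]


def due_for_renewal(certs, now, within_days=30):
    """certs: {label: DER bytes}. Return [(label, days_left)] for certificates that have
    expired or expire within `within_days` of `now`, soonest first."""
    due = [(label, (cert_info(der)["not_after"] - now).days) for label, der in certs.items()]
    return sorted([d for d in due if d[1] <= within_days], key=lambda d: d[1])


def scan_directory(directory, now=None, within_days=30):
    """Apply due_for_renewal to every PEM file in a folder such as Expires_On_2026-04-14."""
    now = now or dt.datetime.now(dt.timezone.utc)
    certs = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            for i, der in enumerate(load_pem_certs(path)):
                certs["%s#%d" % (name, i)] = der
    return due_for_renewal(certs, now, within_days)


# --- constructed sample data (assumption: stand-ins for testing, not FairCom output) ---
def _der(tag, body):
    """Minimal DER encoder, enough to build the samples (bodies under 65536 bytes)."""
    n = len(body)
    if n < 0x80:
        ln = bytes([n])
    elif n < 0x100:
        ln = b"\x81" + bytes([n])
    else:
        ln = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + ln + body


def sample_cert(serial, not_before, not_after):
    """Correct Certificate layout with placeholder issuer, subject, key and signature:
    exercises the parser (including long-form lengths) but is not a valid certificate."""
    def utc(day):                            # "YYYY-MM-DD" -> UTCTime at midnight
        return _der(0x17, (dt.date.fromisoformat(day).strftime("%y%m%d") + "000000Z").encode("ascii"))
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02"))                                      # version v3
               + _der(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))  # positive INTEGER
               + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))      # sha256WithRSAEncryption
               + _der(0x30, b"")                                                    # issuer Name (placeholder)
               + _der(0x30, utc(not_before) + utc(not_after))                       # validity
               + _der(0x30, b"")                                                    # subject Name (placeholder)
               + _der(0x30, _der(0x03, bytes(129))))                                # subjectPublicKeyInfo (placeholder)
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))                  # + signatureAlgorithm, signatureValue


SAMPLE_NOW = dt.datetime(2026, 3, 15, tzinfo=dt.timezone.utc)
SAMPLE_CERTS = {
    "server-a": sample_cert(0x1234, "2025-03-15", "2026-04-14"),  # expires in 30 days
    "server-b": sample_cert(0x1235, "2026-03-15", "2027-04-14"),  # renewed copy, 13 months out
}


def demo():
    """Return the renewal list for the constructed samples as of SAMPLE_NOW."""
    return due_for_renewal(SAMPLE_CERTS, SAMPLE_NOW)


if __name__ == "__main__":
    for label, days in demo():
        print("%s: expires in %d days, renew now" % (label, days))
```

Point scan_directory at the folder that renewcert.py is about to process to see which files are inside the threshold, then at the output folder afterwards to confirm every renewed certificate reports a notAfter roughly 13 months out and a new serial number (the page's recommended validity). Because the reader only decodes dates, it says nothing about whether the renewed certificates still chain to the CA that clients trust; that is what the CA-renewal steps above are for.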
