Certificate Renewal

Certificates are only valid for a limited time, and need to be renewed before expiry.

To read the expiration date of your certificate, use X509Certificate.getNotAfter(). The certificate is eligible to be renewed a few days or weeks before its expiry. Check the documentation of your CA about a recommended time window. Also do not postpone the renewal to the last minute, as there can always be unexpected network issues that delay the issuance of a renewed certificate.

Tip

Some CAs send a notification mail to your account's mail addresses in time before expiration. However you should not rely on those mails, and only use them as an ultimate warning.

How to Renew

There is no special path for renewing a certificate. To renew it, just order the certificate again.

Renewal Information

acme4j supports the draft-ietf-acme-ari-04 draft.

You can check if the CA offers renewal information by invoking Certificate.hasRenewalInfo(). If it does, you can get a suggested time window for certificate nenewal by invoking Certificate.getRenewalInfo().

When renewing a certificate, you can use OrderBuilder.replaces() to mark your current certificate as the one being replaced. This step is optional though.

Note

Starting with acme4j v3.2.0, the now obsolete draft-ietf-acme-ari-01 is not supported anymore! If your server requires the old draft, use acme4j v3.1.1 until the CA upgraded its systems. Because of the dynamic nature of the draft, all parts of the API that are related to this draft may be changed or removed without notice. SemVer rules do not apply here.

Short-Term Automatic Renewal

acme4j supports RFC 8739 for Short-Term Automatic Renewal (STAR) of certificates.

To find out if the CA supports the STAR extension, check the metadata:

if (session.getMetadata().isAutoRenewalEnabled()) {
  // CA supports STAR!
}

If STAR is supported, you can enable automatic renewals by adding autoRenewal() to the order parameters:

Order order = account.newOrder()
        .domain("example.org")
        .autoRenewal()
        .create();

You can also use autoRenewalStart(), autoRenewalEnd(), autoRenewalLifetime() and autoRenewalLifetimeAdjust() to change the time span and frequency of automatic renewals. You cannot use notBefore() and notAfter() in combination with autoRenewal() though.

The Metadata object also holds the accepted renewal limits (see Metadata.getAutoRenewalMinLifetime() and Metadata.getAutoRenewalMaxDuration()).

Important

After your order is finalized, you must use Order.getAutoRenewalCertificate() to retrieve a STAR certificate! Do not use Order.getCertificate() here.

The STAR certificates are automatically renewed by the CA. You will always find the latest certificate at the certificate location URL.

To download the latest certificate issue, you can bind the certificate URL to your Login and then use the Certificate object.

URL certificateUrl = ... // URL of the certificate

Certificate cert = login.bindCertificate(certificateUrl);
X509Certificate latestCertificate = cert.getCertificate();

Note

STAR based certificates cannot be revoked. However, as it is the nature of these certs to be very short-lived, this does not pose an actual security issue.

Fetching STAR certificates via GET

Usually the STAR certificate must be fetched from the location URL by an authorized POST-as-GET request. If supported by the CA, it is possible to change the method to a plain GET request, so the certificate can be fetched by a simple HTTP client (like curl) without authentication.

To enable this GET method, first check if it is offered by the CA, by invoking Metadata.isAutoRenewalGetAllowed(). If it is true, add autoRenewalEnableGet() to the order options. After the order was finalized, the certificate will be available via both GET and POST-as-GET methods.

Cancelling Auto-Renewals

Use Order.cancelAutoRenewal() to terminate automatical certificate renewals.