renew an expired certificate

[conloos]

Hello @ALL,

I have a virtual lab where each container/ VM gets a certificate.
My step-ca issues in default certificates with a validity of one day.
But often containers/VMs are shutdown for several days or weeks,
so that step-cli ca renew refuses its service with: "cannot renew an expired certificate".
But I also find it excessive to renew all certificates at every startup.

Therefore I suggest to add a flag to step-cli ca renew, that it will request a new certificate if a normal renew is not possible anymore.

I tried to create this behavior via a bash script.
Since step-cli ca renew <CRT> <KEY> --daemon --force does not switch to background when it finds a certificate that can be renewed', I have to work with a "&" in the script. Unfortunately, I can then only indirectly find out if the renew is running by checking if the PID still exists after a few seconds.
This is not a good solution for me.

Thanks Frank

[tashian]

Hi Frank,

Just in time, version 0.19.0 of step-ca and step ca renew now support renewal after expiry. The docs for this feature aren't released yet, but it's easy to enable. We added it with your sort of workflow in mind. You need to enable it on the provisioner level, by adding "allowRenewalAfterExpiry": true to the claims section of the provisioner configuration block.

Hope this helps!