This script renews all certificates in a folder by creating new certificates that expire later. Then, it is your responsibility to distribute the renewed certificates to servers and clients.
Example
Run the Python script renewcerts.py without command-line arguments, and it will prompt you for the following information:
- Number of months until the renewed certificates expire
Welcome to FairCom's Certificate Renewal Program
For help, run this program with the '-h' option.
The following directories contain certificates:
Certificates in 'downloads\Expires_On_2026-04-14' will be renewed.
Enter the number of months when the certificate will expire.
When a certificate expires, communications using that certificate no longer work.
Recommended expiration is 13 months to give time to renew each year.
NOTE: When a CA certificate expires, the CA certificate must be replaced by a new CA certificate everywhere it is used,
such as operating systems, browsers, and other software.
Months [13]: _____
Press ENTER to proceed.
Press x, to exit without any changes.
Successfully created and saved 3 of 3 files:
The output files listed at the bottom always show the absolute path to the files, even if relative paths were used throughout the program.
Command-line options
Welcome to FairCom's Certificate Renewal Program
For help, run this program with the '-h' option.
usage: renewcerts.py [-h] [--altName [ALTNAME ...]] [--altNameFile [ALTNAMEFILE]] [--bits [BITS]]
[--caCertFile [CACERTFILE]] [--caKeyFile [CAKEYFILE]] [--caKeyFilePass [CAKEYFILEPASS]]
[--certManagementFolder [CERTMANAGEMENTFOLDER]] [--cipher [CIPHER]] [--commonName [COMMONNAME]]
[--country [COUNTRY]] [--email [EMAIL]] [--inputDirectory [INPUTDIRECTORY]] [--location [LOCATION]]
[--months [MONTHS]] [--org [ORG]] [--outCertFile [OUTCERTFILE]] [--outKeyFile [OUTKEYFILE]]
[--passphrase [PASSPHRASE]] [--revokeSerialNumbers [REVOKESERIALNUMBERS ...]]
[--selfSigned [SELFSIGNED]] [--serial [SERIAL]] [--singleFile [SINGLEFILE]] [--state [STATE]]
[--unit [UNIT]]
FairCom's Certificate Renewal Program
options:
-h, --help show this help message and exit
--altName [ALTNAME ...]
A space delimited list of Subject Alternative Names.
--altNameFile [ALTNAMEFILE]
A filename to load Subject Alternative Names from. One entry per line. Will be ignored if
--altName is present.
--bits [BITS] The bit-depth to use when generating the private key. Defaults to 4096.
--caCertFile [CACERTFILE]
The CA certificate filename. Ignored when generating new CA key pairs.
--caKeyFile [CAKEYFILE]
The CA key filename. Ignored when generating new CA key pairs.
--caKeyFilePass [CAKEYFILEPASS]
An optional passphrase to unlock encrypted CA/signing key data. Ignored when generating new CA
key pairs.
--certManagementFolder [CERTMANAGEMENTFOLDER]
The base directory to store saved files in.
--cipher [CIPHER] The cipher to use for encryption and decryption. Defaults to sha256.
--commonName [COMMONNAME]
The Common Name is a string used to identify the certificate.
--country [COUNTRY] A two-letter country designation.
--email [EMAIL] An email address to associate with the output certificate.
--inputDirectory [INPUTDIRECTORY]
The directory containing certificates to renew. Used only by renewcert.py
--location [LOCATION]
The certificate organization location or city.
--months [MONTHS] The certificate validity duration.
--org [ORG] The certificate organization name.
--outCertFile [OUTCERTFILE]
The output certificate filename.
--outKeyFile [OUTKEYFILE]
The output key filename.
--passphrase [PASSPHRASE]
If provided, the new key will be encrypted using this passphrase.
--revokeSerialNumbers [REVOKESERIALNUMBERS ...]
A space delimited list of serial numbers to revoke. Used only by revokecert.py
--selfSigned [SELFSIGNED]
If true, the server/client key will sign the new certificate rather than a CA key. Defaults to
False. Ignored when generating new CA key pairs.
--serial [SERIAL] The serial number is an integer used to identify the certificate. When a certificate is revoked,
this number is how the revoked certificate is identified.
--singleFile [SINGLEFILE]
If true, both the key and certificate will be saved in the certificate file. Defaults to False.
Ignored when generating new CA key pairs.
--state [STATE] The certificate organization state or province.
--unit [UNIT] The certificate organization Unit or department.
More information
- When running renewcerts.py, if only one directory contains certificates, that directory is automatically selected for renewal.
- Certificates expire and must be renewed.
- You must renew a certificate before expiration; otherwise, TLS communications will fail.
- When this script renews a CA, server, or client certificate, it creates a new certificate with a new expiration date.
- This script does not alter the original certificates. However, it does move them to an archive folder.
- This script generates new keypairs for user and server certificates, but not for CA certificates.
- After you renew a CA certificate, you must do the following:
  - Run importcert.py on client computers to register the new CA certificate.
  - Register the new CA certificate with client software so it can validate server certificates.
  - Generate new server certificates and private keys. Then distribute these files to the appropriate servers.
  - Generate new client certificates and private keys. Then distribute these files to the appropriate users and client software.
  - Run
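As an added example that is not part of the FairCom tooling, the following POSIX shell functions use the openssl CLI to check a renewal run's output against the properties described above: the renewed certificates last at least the requested number of months, the renewed CA kept its key pair, the renewed server or client certificate got a fresh key pair, and the new leaf certificate chains to the renewed CA. The file paths in the usage comment and the 13-month threshold are assumptions, and months are approximated as 30 days.

```shell
#!/bin/sh
# Post-renewal checks for certificates produced by a renewal run.
# Requires the openssl CLI. Example usage (paths are assumptions):
#   check_renewal archive/ca.pem ca.pem archive/server.pem server.pem 13

# Return 0 if the certificate stays valid for at least $2 months
# (approximated as 30-day months), 1 if it expires sooner.
cert_valid_for_months() {
  _secs=$(( $2 * 30 * 24 * 3600 ))
  openssl x509 -in "$1" -noout -checkend "$_secs" >/dev/null 2>&1
}

# Print the SHA-256 fingerprint of a certificate's public key (DER form).
pubkey_fingerprint() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER 2>/dev/null \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Return 0 if both certificates carry the same public key.
same_pubkey() {
  [ "$(pubkey_fingerprint "$1")" = "$(pubkey_fingerprint "$2")" ]
}

# Return 0 if the leaf certificate ($2) chains to the CA certificate ($1).
chains_to_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Compare an archived (old) CA and leaf with their renewed versions.
# A renewed CA keeps its key pair; a renewed server/client cert must not.
check_renewal() {
  ca_old=$1; ca_new=$2; leaf_old=$3; leaf_new=$4; months=$5
  rc=0
  cert_valid_for_months "$ca_new" "$months" \
    || { echo "renewed CA cert expires within $months months"; rc=1; }
  cert_valid_for_months "$leaf_new" "$months" \
    || { echo "renewed leaf cert expires within $months months"; rc=1; }
  same_pubkey "$ca_old" "$ca_new" \
    || { echo "renewed CA has a different public key than the archived CA"; rc=1; }
  same_pubkey "$leaf_old" "$leaf_new" \
    && { echo "renewed leaf cert reused its old key pair"; rc=1; }
  chains_to_ca "$ca_new" "$leaf_new" \
    || { echo "renewed leaf cert does not chain to the renewed CA"; rc=1; }
  return $rc
}
```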