How do I renew a certificate?
Quick answer
Section titled “Quick answer”Notory does not renew certificates itself — renewal happens at your certificate authority (CA, e.g. via ACME/certbot). In Notory, you update the result afterward: open the certificate to edit it, update Valid From/To and the fingerprint, and set the status back to Active. The Auto-Renew flag marks certificates that are renewed automatically outside of Notory.
Prerequisites
Section titled “Prerequisites”Part of the Certificates module and therefore available from the Pro
tier onward (feature certificates).
The renewal workflow
Section titled “The renewal workflow”- Spot the expiry — via the list sorted by Valid To, or the Expiring Soon status (see Expiry Monitoring).
- Renew the certificate at the CA — outside of Notory (ACME/certbot, the provider’s certificate portal, …) and roll it out to your systems.
- Update the entry in Notory — enter the new validity dates and new fingerprint, set the status back to Active (see the instructions below).
Instructions
Section titled “Instructions”-
Open the certificate for editing. Select Certificates in the left-hand navigation and click the pencil icon (Edit) next to the affected entry.
-
Enter the new data. Update in the dialog:
- Valid From / Valid To — the term of the renewed certificate.
- Fingerprint (SHA-256) — the fingerprint changes with every renewal.
- Status — back to Active (if it was set to “Expiring Soon” or “Expired”).
- If needed, Key Type/Size, in case the key was newly generated.
Screenshot pendingzertifikate-erneuern-01'Edit Certificate' dialog with updated fields Valid From, Valid To, Fingerprint, and status ActiveAfter renewal: new term and new fingerprint, status back to 'Active'. -
Save. The certificate moves further down the list based on the new expiry date.
Via the REST API, renewal is a PUT on the existing certificate — send only
the changed fields:
curl -X PUT https://demo.notory.io/api/v1/certificates/c4e8b2a1-6f37-4d90-8b52-1a7c3e9d0f68 \ -H "Authorization: Bearer inv_dein_token" \ -H "Content-Type: application/json" \ -d '{ "valid_from": "2026-07-28T00:00:00Z", "valid_to": "2026-10-26T00:00:00Z", "fingerprint_sha256": "3A:1F:9C:57:B2:E8:0D:44...", "status": "active" }'Response HTTP 200 OK with the updated entry:
{ "id": "c4e8b2a1-6f37-4d90-8b52-1a7c3e9d0f68", "common_name": "www.example.com", "valid_from": "2026-07-28T00:00:00Z", "valid_to": "2026-10-26T00:00:00Z", "fingerprint_sha256": "3A:1F:9C:57:B2:E8:0D:44...", "status": "active", "auto_renew": true, "updated_at": "2026-07-28T06:12:09Z"}Alternatively, you can set a superseded, no-longer-used certificate to
"status": "revoked" and add the successor certificate as a new entry
(POST /api/v1/certificates) — this keeps the history of both terms intact.
Possible errors: 401 (token missing/invalid), 403 (no write access
or the Certificates module is not in your tier), 404 (certificate not
found), 422 (validation).
What happens behind the scenes?
Section titled “What happens behind the scenes?”- An update, not automation: Notory does not perform the renewal and does not change the entry on its own — not even when Auto-Renew is set. The flag is a marker (“this certificate renews automatically outside of Notory”) so you know where manual action is needed.
- Re-sorting: With the new Valid To, the certificate moves further down the expiry-sorted list.
- Audit trail: The change is logged with
updated_byandupdated_at. - No e-mail, no webhook: The update triggers no notifications.
- Two valid strategies: Update the entry (one continuous record per domain) or create a new one and revoke the old one (full history). Choose per your team’s convention — Notory doesn’t enforce either.