Manual certificate management has become an unsustainable burden for system administrators and DevOps teams. With the CA/Browser Forum’s recent mandate reducing certificate validity periods to just 47 days, manually renewing and deploying SSL/TLS certificates is no longer practical for production environments. This shift from the previous 90-day validity periods means organizations must renew certificates nearly twice as frequently, creating significant operational overhead and increasing the risk of certificate expiration incidents that can lead to service outages and security vulnerabilities.
CertSecure Manager, an all-around CLM solution by Encryption Consulting, completely automates the renewal and deployment of SSL/TLS certificates using renewal agents, which can be easily downloaded and configured from the CertSecure Manager UI. This article outlines the entire procedure for automating certificate renewal for an NGINX web server using the NGINX Renewal Agent.
Renewing a Certificate
The Nginx Renewal Agent is compatible with both Windows (Server 2019 or later / Windows 11) and Linux (Ubuntu 22.04 or later) environments. It can be downloaded directly from the CertSecure Manager UI and is packaged with a README file that provides step-by-step installation instructions. Once installed and configured, the agent can be managed through the Windows Services console on Windows systems or via standard service management tools on Linux.
Once the renewal agent is configured and running, visit the CertSecure Manager frontend and follow the mentioned steps to renew a certificate.
- Log in to CertSecure Manager, and go to “Utilities” and then “Agents”. Here you can confirm the status of the NGINX Renewal Agent, then right-click and click on the “Update Cert” button.
-
Choose the certificate authority, the certificate template, and mention all other required information. Click on “Save” to save the information.
- Now right click again and click on the “Renew” button and further confirm it to trigger the renewal.
-
Go to “Utilities” and then “Tasks” to monitor the renewal process. Once the renewal is complete, the webserver has to be restarted to apply the changes.
-
Go to “Utilities” and then “Agents”, right click on the agent’s name and click on “Apply Certificate and Restart” button. You can monitor the task again under “Utilities” and then “Tasks”. In case of any failures, you can check the renewal agent log file located in “C:\CertSecure\logs\EC_Nginx_RenewalAgent.log” by default.
How can Encryption Consulting help?
Encryption Consulting extends the power of CertSecure Manager by offering automated certificate renewal not just for NGINX, but also for Apache, F5 and IIS environments. This reduces manual effort, eliminates configuration errors, and ensures secure certificate deployment across your infrastructure. With the recently mandated certificate lifecycles of just 47 days, automation is no longer optional; it’s essential for maintaining continuous operations. CertSecure Manager’s renewal agents help you stay compliant and avoid downtime caused by expired certificates in this dramatically shortened renewal cycle.
Beyond automation, Encryption Consulting provides PKI-as-a-Service (PKIaaS) and expert PKI consulting to build, manage, and optimize secure, scalable PKI environments tailored to your needs: on-prem, hybrid, or cloud.
Conclusion
With certificate lifespans getting shorter and systems becoming more complex, manual certificate management just isn’t practical anymore. CertSecure Manager makes it easy to automate renewals and deployments across NGINX, Apache, F5, and IIS, helping you avoid downtime and stay secure. The Renewal Agents take care of the heavy lifting so your team can focus on what matters most. Whether you’re setting up a new PKI or improving an existing one, Encryption Consulting gives you the tools and support to get it right.
