3.3 ARI & Automated Renewals

ACME Renewal Information (ARI) Details

CertKit operates on a fully automated, hands-off certificate renewal lifecycle. Rather than relying on simple calendar thresholds or manual cron jobs, CertKit uses the industry-standard ACME Renewal Information (ARI) extension (RFC 9773) to schedule renewals intelligently.

Traditional Expiry-Based Renewals

For Certificate Authorities (CAs) that do not support ARI, CertKit defaults to traditional expiry-based triggers:

  • Renewal Threshold: Automated renewal is scheduled once two-thirds of a certificate’s total lifetime has elapsed (30 days remaining for a standard 90-day certificate).
  • Automation Cycle: CertKit runs a continuous backend scheduling job that scans for certificates needing renewal and automatically queues ACME orders.

ACME Renewal Information (ARI)

ARI is a modern extension to the ACME protocol that allows a Certificate Authority to actively “signal” to clients when a certificate should be renewed.

Instead of guessing when to renew, CertKit queries the CA directly for individual certificate renewal info.

Why ARI Matters

ARI solves two critical problems in PKI management:

  1. Traffic Staggering: If thousands of clients attempt to renew their certificates at exactly 30 days remaining, it creates immense, periodic spikes on CA servers. CAs use ARI to stagger renewals, returning slightly different suggested windows to different clients.
  2. Emergency Mass Revocation: If a CA discovers a key compromise or a CA/Browser Forum compliance error, it must quickly revoke and replace potentially millions of active certificates. The CA can update its ARI endpoint to signal an immediate renewal window to all affected clients. CertKit’s backend picks up this signal on the next automated check and rotates the certificate immediately.

How CertKit Implements ARI

For supporting issuers (including Let’s Encrypt, Google Trust Services, DigiCert, Sectigo, and GoDaddy), CertKit automatically handles the ARI flow:

  • Suggested Window: CertKit retrieves the suggestedWindow (start and end timestamps) from the CA.
  • Randomized Dispatch: Within that suggested window, CertKit calculates a randomized, staggered timestamp (AriChosenTime) to trigger the renewal. This distributes network and API load gracefully.
  • Backoff & Rate Safety: If an ARI retrieval fails or a rate limit is reached, CertKit backs off for 6 hours before retrying, preventing API exhaustion.

Status: Waiting for ARI Renewal

When a certificate is within its theoretical renewal range, but the randomized, staggered time (AriChosenTime) calculated from the CA’s ARI signal has not yet arrived, CertKit marks the certificate status as Waiting for ARI Renewal.

  • Dashboard Health: This is considered a Good (green) state. It indicates that the certificate is completely healthy and that its future renewal is successfully registered, timed, and scheduled by the background scheduler.
  • Bypassing ARI: If you need to force an immediate renewal (e.g., during troubleshooting or configuration changes), you can click the Re-issue Now button on the Certificate Detail page. In production, manual re-issuance is capped at 3 times per 7 days per certificate to avoid hitting CA rate limits.
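The scheduling logic described in this section, as an added example (it is not CertKit’s own code): an ARI suggestedWindow in the RFC 9773 shape is parsed, a random instant inside it becomes AriChosenTime, a failed ARI retrieval falls back to the two-thirds-of-lifetime trigger with a 6-hour backoff, the Waiting for ARI Renewal status is derived, and the 3-per-7-days manual re-issue cap is enforced. The sample ARI body, the CertRecord data model, and the status strings other than Waiting for ARI Renewal are constructed assumptions for this example.

```python
import json
import random
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Constants mirroring the behaviour described in this section.
ARI_FAILURE_BACKOFF = timedelta(hours=6)   # back off this long after an ARI failure / rate limit
MANUAL_REISSUE_CAP = 3                     # manual re-issues allowed ...
MANUAL_REISSUE_WINDOW = timedelta(days=7)  # ... within this rolling window

# Constructed sample renewalInfo body in the RFC 9773 shape (not a real CA response).
SAMPLE_ARI_RESPONSE = json.dumps({
    "suggestedWindow": {"start": "2025-03-02T00:00:00Z", "end": "2025-03-04T00:00:00Z"},
    "explanationURL": "https://ca.example/ari-explanation",  # constructed placeholder
})


def parse_rfc3339(value: str) -> datetime:
    """Parse an RFC 3339 timestamp with a trailing 'Z' into a UTC-aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


@dataclass
class CertRecord:
    """Hypothetical per-certificate scheduling state (assumption, not CertKit's data model)."""
    name: str
    not_before: datetime
    not_after: datetime
    ari_chosen_time: Optional[datetime] = None
    ari_backoff_until: Optional[datetime] = None
    status: str = "Good"
    manual_reissues: List[datetime] = field(default_factory=list)


def fallback_renewal_time(cert: CertRecord) -> datetime:
    """Expiry-based trigger: renew once two-thirds of the lifetime has elapsed
    (30 days remaining for a 90-day certificate). Integer arithmetic keeps it exact."""
    return cert.not_before + (cert.not_after - cert.not_before) * 2 // 3


def choose_ari_time(ari_body: str, now: datetime, rng: random.Random) -> datetime:
    """Pick a uniformly random instant inside the CA's suggestedWindow (RFC 9773).
    If that instant is already in the past, renew immediately."""
    window = json.loads(ari_body)["suggestedWindow"]
    start, end = parse_rfc3339(window["start"]), parse_rfc3339(window["end"])
    if end < start:
        raise ValueError("suggestedWindow end precedes start")
    chosen = start + (end - start) * rng.random()
    return now if chosen < now else chosen


def plan_renewal(cert: CertRecord, now: datetime, ari_body: Optional[str],
                 rng: random.Random) -> CertRecord:
    """One pass of the background scheduler for a single certificate.

    ari_body is the raw renewalInfo response, or None when retrieval failed or the
    CA rate-limited the client.
    """
    if ari_body is None:
        # Backoff & Rate Safety: do not retry the CA for 6 hours; use the
        # expiry-based threshold until the next ARI attempt is allowed.
        cert.ari_backoff_until = now + ARI_FAILURE_BACKOFF
        cert.ari_chosen_time = fallback_renewal_time(cert)
    else:
        cert.ari_backoff_until = None
        cert.ari_chosen_time = choose_ari_time(ari_body, now, rng)

    if now >= cert.not_after:
        cert.status = "Expired"            # assumed status name
    elif now >= cert.ari_chosen_time:
        cert.status = "Renewal Due"        # assumed status name: order is queued now
    elif now >= fallback_renewal_time(cert):
        # Inside the theoretical renewal range, but the staggered ARI time has not arrived.
        cert.status = "Waiting for ARI Renewal"
    else:
        cert.status = "Good"
    return cert


def manual_reissue_allowed(cert: CertRecord, now: datetime) -> bool:
    """Re-issue Now guard: at most 3 manual re-issues per rolling 7 days per certificate."""
    recent = [t for t in cert.manual_reissues if now - t < MANUAL_REISSUE_WINDOW]
    return len(recent) < MANUAL_REISSUE_CAP


if __name__ == "__main__":
    cert = CertRecord("www.example.test",
                      parse_rfc3339("2025-01-01T00:00:00Z"),
                      parse_rfc3339("2025-04-01T00:00:00Z"))  # 90-day lifetime
    now = parse_rfc3339("2025-03-02T00:00:00Z")  # exactly two-thirds elapsed
    plan_renewal(cert, now, SAMPLE_ARI_RESPONSE, random.Random(42))
    print(cert.status, cert.ari_chosen_time.isoformat())
```

Passing an explicit random.Random instance makes the stagger reproducible in tests while production code would use a fresh, unseeded generator per certificate so that no two certificates land on the same instant.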