6.3 Deploy & Maintenance Windows

Restrict cert deployments and service reloads to specific, authorized times.

Automated certificate deployment must coexist with your organization’s change-management and maintenance policies. Many applications and web servers (such as Microsoft SQL, AD FS, Remote Desktop listeners, or legacy load balancers) require a service restart or reload to pick up new certificates. These reloads can cause transient session drops or service interruptions.

To prevent automatic deployments from impacting production traffic, CertKit supports Deploy & Maintenance Windows, set individually on each deployment configuration.

Overview

A Deploy Window restricts when a CertKit Agent is permitted to write renewed certificate files and execute its post-deployment commands.

  • Automated Renewals Continue: CertKit continues to renew certificates automatically in the background on their normal schedule, so the Deploy Window never delays renewal itself.
  • Deferred Deployment: When a certificate is renewed, the agent is notified. If the agent’s current local time is outside the allowed Deploy Window, the deployment of the new certificate material is paused.
  • The WAITING_FOR_WINDOW State: The deployment configuration enters the WAITING_FOR_WINDOW state, which is displayed on your dashboard.
  • Automatic Execution: As soon as the target host’s local clock enters the scheduled window, the agent automatically wakes up, writes the files to disk, re-binds any Windows services, and executes your post-deploy update script.

Configuring a Deploy Window

You can configure a maintenance window under the Additional Options section of any agent deployment configuration page.

  1. Allowed Days: Select the days of the week when deployments are permitted (e.g., Saturday and Sunday).
  2. Start & End Time: Define a precise daily time range using 24-hour time (e.g., start at 02:00 and end at 04:00).

Timezone Integrity

Deploy windows are evaluated using the target host’s local clock.

  • Local Validation: If your servers are spread across multiple global regions (such as US-East, EU-West, and AP-East), each agent will execute deployments relative to its own local timezone.
  • Dashboard Timezone Visibility: CertKit automatically queries and displays the agent host’s local timezone (e.g., America/New_York or UTC) on the dashboard, making it easy to plan and verify scheduling across global fleets.
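
To see what local-clock evaluation means for a global fleet, the following added example (a sketch, not CertKit's agent code) checks the example window from this page (Saturday and Sunday, 02:00 to 04:00) against one renewal instant on three hosts and reports when each host's window next opens in UTC. Assumptions: the zone chosen for each region, the renewal instant, a window that does not wrap past midnight, and the DEPLOY label for the in-window case; only WAITING_FOR_WINDOW is a state named on this page.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone
from zoneinfo import ZoneInfo

@dataclass(frozen=True)
class DeployWindow:
    days: frozenset  # allowed weekdays, Monday=0 ... Sunday=6
    start: time      # inclusive, 24-hour host-local time
    end: time        # exclusive; assumed later than start (no midnight wrap)

def in_window(w: DeployWindow, now_utc: datetime, host_tz: str) -> bool:
    """Evaluate the window on the host's local clock, not on UTC."""
    local = now_utc.astimezone(ZoneInfo(host_tz))
    return local.weekday() in w.days and w.start <= local.time() < w.end

def state(w, now_utc, host_tz) -> str:
    """State a renewed certificate would be in on this host at now_utc."""
    return "DEPLOY" if in_window(w, now_utc, host_tz) else "WAITING_FOR_WINDOW"

def next_open(w, now_utc, host_tz):
    """First UTC instant at or after now_utc that falls inside the window.

    Stepping minute by minute in UTC lets the tz database resolve local
    hours that are skipped or repeated at a DST change.
    """
    if in_window(w, now_utc, host_tz):
        return now_utc
    t = now_utc.replace(second=0, microsecond=0) + timedelta(minutes=1)
    for _ in range(15 * 24 * 60):  # two weeks plus a day of slack
        if in_window(w, t, host_tz):
            return t
        t += timedelta(minutes=1)
    return None  # window never opens (e.g. no days selected)

# Constructed inputs: the page's example window (Sat/Sun, 02:00-04:00) and one
# renewal instant; the zone chosen for each region is an assumption.
WINDOW = DeployWindow(frozenset({5, 6}), time(2, 0), time(4, 0))
RENEWED_AT = datetime(2026, 1, 10, 7, 30, tzinfo=timezone.utc)  # a Saturday
FLEET = {"US-East": "America/New_York", "EU-West": "Europe/Dublin",
         "AP-East": "Asia/Hong_Kong"}

def plan(w=WINDOW, at=RENEWED_AT, fleet=FLEET):
    """Per-region (state, next opening in UTC) for one renewal instant."""
    return {r: (state(w, at, tz), next_open(w, at, tz)) for r, tz in fleet.items()}

if __name__ == "__main__":
    for region, (st, opens) in plan().items():
        print(f"{region:8} {st:19} opens {opens:%a %Y-%m-%d %H:%M} UTC")
```

In this sketch the same renewal lands on the three hosts at three different UTC times, so a post-deploy check or an on-call rota planned in UTC needs the per-host opening time rather than the window's nominal 02:00.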