
Cert incorrectly getting rotated very frequently even though lifetime is set to 12 months, what is causing this issue?

Rakshaa Vaidyanathan 0 Reputation points Microsoft Employee
2026-02-06T17:49:44.3633333+00:00

We have this admin-nighthawks certificate which has issuance policy set to "Auto renew once it reaches lifetime percentage" which is set to 80%. Even though the cert expires in May and we expect it to be auto rotated in April, it auto rotates every 2 weeks which is not the expected behavior.

Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.

2 answers

  1. VEMULA SRISAI 9,080 Reputation points Microsoft External Staff Moderator
    2026-02-06T18:31:19.6833333+00:00

    Hello Rakshaa Vaidyanathan,

    Thanks for reaching out.

    Even though the certificate policy specifies a 12-month lifetime with auto-renew at 80%, Azure Key Vault does not enforce the certificate validity period. The actual renewal timing is based on the validity period issued by the Certificate Authority (CA).

    The frequent renewal every ~2 weeks strongly indicates that the issuing CA is providing certificates with a short validity period (for example, 14–30 days). Azure Key Vault then calculates the 80% renewal threshold based on that actual issued lifetime, which results in early and frequent rotations.

    While it’s good to review the certificate policy, please note:

    • daysBeforeExpiry lifetime actions are notification-only and do not trigger renewals.
    • Secret or key rotation policies and Key Vault automation do not rotate certificates unless explicitly creating new certificate versions.
    • Auto-renew is triggered only by lifetimePercentage and is calculated from the CA-issued validity.

    Recommended next steps:
    1. Inspect the validity period of each certificate version (NotBefore / NotAfter).
    2. Review the issuing CA or certificate template configuration (e.g., AD CS or integrated CA).
    3. Update the CA to issue certificates with the intended 12-month validity.
    4. Once the CA issues longer-lived certificates, Key Vault auto-renew will behave as expected.

    Please refer to this document: https://learn.microsoft.com/en-us/azure/key-vault/certificates/tutorial-rotate-certificates


  2. Q&A Assist
    2026-02-06T17:50:23.2366667+00:00
    AI generated content. This answer was created with AI from Q&A Assist.

    The issue of the certificate being rotated every two weeks instead of the expected timeframe could be related to the configuration of the renewal settings in Azure Key Vault. Since you mentioned that the issuance policy is set to "Auto renew once it reaches lifetime percentage" at 80%, it is important to ensure that the threshold is correctly interpreted and that the certificate's actual lifetime is being respected.

    Here are a few potential causes for the frequent rotation:

    1. Misconfiguration of the Renewal Policy: Double-check the settings in Azure Key Vault to ensure that the percentage for auto-renewal is indeed set to 80% and that there are no conflicting settings that might trigger more frequent renewals.
    2. Certificate Lifetime Settings: Ensure that the certificate's lifetime is correctly set to 12 months. If the certificate was mistakenly set with a shorter lifetime, it could lead to more frequent renewals.
    3. Threshold Calculation: The threshold for renewal is calculated based on the certificate's total lifetime. If the total lifetime is shorter than expected or if the calculation is misconfigured, it could lead to premature renewals.
    4. Key Vault Behavior: Sometimes, the behavior of the Key Vault or the provisioning agent might lead to unexpected results. Ensure that the provisioning agent is correctly observing the Key Vault certificate and that there are no issues with its operation.

    It may be helpful to review the logs or events related to the certificate management in Azure Key Vault to identify any anomalies or errors that could provide more insight into why the certificate is being rotated more frequently than expected.

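The step both answers point to, checking the NotBefore / NotAfter of every certificate version against the policy and working out when the lifetimePercentage trigger actually fires, as an added example that is not part of either answer and not Microsoft code. It assumes the 80% trigger is computed from the issued validity (as the first answer describes), uses constructed version records in place of the real vault, and mirrors the field names `not_before` / `expires_on` that `CertificateProperties` exposes in the azure-keyvault-certificates SDK; the version IDs and dates below are made up for illustration.

```python
"""Compare each Key Vault certificate version's issued validity with the policy
and compute when a lifetimePercentage auto-renew action would fire for it."""
from dataclasses import dataclass
from datetime import datetime, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class CertVersion:
    # Field names mirror CertificateProperties.not_before / .expires_on from the
    # azure-keyvault-certificates SDK (assumption: in a real run you would fill
    # these from client.list_properties_of_certificate_versions(cert_name)).
    version: str
    not_before: datetime
    expires_on: datetime


@dataclass(frozen=True)
class VersionReport:
    version: str
    issued_validity_days: float  # what the CA actually issued, NotAfter - NotBefore
    renew_at: datetime           # when an N% lifetimePercentage action fires
    renew_after_days: float      # same trigger, as days after NotBefore
    matches_policy: bool         # issued validity close to the policy's validity_in_months


def renewal_time(v: CertVersion, lifetime_percentage: int) -> datetime:
    """Trigger point derived from the issued validity, not from the policy's months."""
    issued_validity = v.expires_on - v.not_before
    return v.not_before + issued_validity * (lifetime_percentage / 100.0)


def analyse_versions(versions, policy_validity_months: int, lifetime_percentage: int,
                     tolerance_days: float = 7.0) -> list[VersionReport]:
    """One report per version, oldest first, flagging versions issued shorter than policy."""
    expected_days = policy_validity_months * 365.25 / 12  # average month length, approximate
    reports = []
    for v in sorted(versions, key=lambda x: x.not_before):
        validity_days = (v.expires_on - v.not_before).total_seconds() / 86400
        renew_at = renewal_time(v, lifetime_percentage)
        renew_after = (renew_at - v.not_before).total_seconds() / 86400
        reports.append(VersionReport(
            version=v.version,
            issued_validity_days=round(validity_days, 2),
            renew_at=renew_at,
            renew_after_days=round(renew_after, 2),
            matches_policy=abs(validity_days - expected_days) <= tolerance_days,
        ))
    return reports


def diagnose(reports: list[VersionReport]) -> str:
    """Summarise whether the CA's issued validity explains the rotation cadence."""
    short = [r for r in reports if not r.matches_policy]
    if not short:
        return "issued validity matches the policy; look elsewhere for the extra rotations"
    return (f"{len(short)} of {len(reports)} versions were issued shorter than the policy; "
            f"the CA/template validity drives the rotation cadence")


# Constructed sample: one version issued for 12 months (the expected case),
# followed by two versions the CA issued with only 14 days of validity.
SAMPLE_VERSIONS = [
    CertVersion("v0", datetime(2025, 5, 1, tzinfo=UTC), datetime(2026, 5, 1, tzinfo=UTC)),
    CertVersion("v1", datetime(2026, 1, 9, tzinfo=UTC), datetime(2026, 1, 23, tzinfo=UTC)),
    CertVersion("v2", datetime(2026, 1, 20, tzinfo=UTC), datetime(2026, 2, 3, tzinfo=UTC)),
]

if __name__ == "__main__":
    results = analyse_versions(SAMPLE_VERSIONS, policy_validity_months=12, lifetime_percentage=80)
    for r in results:
        print(f"{r.version}: issued {r.issued_validity_days} days, 80% trigger after "
              f"{r.renew_after_days} days at {r.renew_at.isoformat()}, "
              f"policy match={r.matches_policy}")
    print(diagnose(results))
```

A 14-day issued certificate with an 80% trigger renews after 11.2 days, which is the roughly two-week cadence described in the question, while the 12-month version renews after 292 days; the flag on `matches_policy` is what tells you to go look at the CA or template rather than at the Key Vault policy.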
