Apple certificates last a year. Provisioning profiles last a year. The wrong week to discover one of them expired is the week of your release. HexSign's auto-renewal job runs every day and reissues anything that crosses the renewal window, fully unattended, with an audit log entry and an email to your admins on every successful renewal and every failure.
What gets auto-renewed by default
- Every distribution certificate created through HexSign's New certificate flow (we have the private key, so we can produce a fresh cert from the same key on demand).
- Every provisioning profile, full stop. Apple has no concept of "renewing" a profile, so HexSign rebuilds it: same identifier, same devices, same name, fresh one-year expiry. If the profile pointed at a cert we renewed earlier in the same run, the new cert ID is swapped in automatically.
- Development certificates default to off. They're typically rotated alongside team changes rather than on a schedule, so you can opt them in per-certificate from the detail page.
When renewal kicks in
HexSign attempts renewal 14 days before expiry. That window is wide enough to absorb a transient Apple API outage (renewal retries the next day if Apple is down) and narrow enough that your existing cert is still demonstrably in use when its replacement appears.
Turn it on or off for one cert or profile
1. Open the cert or profile detail page
   From the Certificates or Profiles list, click the row. The list also shows a green "On" or grey "Off" chip in the Auto-renew column so you can scan the table at a glance.
2. Flip the Auto-renew switch
   In the details card, toggle Auto-renewal. Enabling on a certificate requires a private key on file; if no key is present the switch is disabled with a tooltip explaining how to fix it. Profiles have no precondition.
3. Confirm the change in the audit log
   Every toggle is recorded as certificate.auto_renew_updated or profile.auto_renew_updated, attributed to the user (or service credential) that made the change.
Enable auto-renewal on a cert you didn't create here
Certificates synced from Apple (or issued in Keychain Access before adopting HexSign) start without a private key on file, so the Auto-renew toggle is locked. Upload the matching private key on the Signing key card; HexSign verifies the key against the cert, synthesizes a companion CSR in the same step, and the toggle becomes available immediately. See Upload a private key for a certificate created outside HexSign for the full walkthrough.
What the renewal job actually does
- Selects every certificate that is flagged for auto-renewal, expires inside the 14-day window, AND has a private key on file.
- Resubmits the stored CSR to Apple to issue a fresh certificate of the same type.
- Moves the private key's link from the old certificate to the new one, so the new cert immediately supports .p12 download.
- Then walks every provisioning profile flagged for auto-renewal (plus any extra profile that referenced a cert just renewed), rebuilds it via Apple's API, and swaps the renewed cert IDs into the new profile.
- Logs every outcome to the audit trail and emails owners + admins on each successful renewal and each failure.
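The selection and cascade steps listed above, modeled as an added Python example (not HexSign's own code) so you can predict what a given day's run will touch. The record fields, the `-renewed` placeholder IDs, the inclusive 14-day boundary, and the cascade applying regardless of a profile's own flag or expiry are assumptions; the inventory is constructed sample data.

```python
from collections import namedtuple
from datetime import date, timedelta

RENEWAL_WINDOW = timedelta(days=14)  # page: renewal is attempted 14 days before expiry

# Field names are assumptions for this sketch, not HexSign's schema.
Cert = namedtuple("Cert", "cert_id expires auto_renew has_private_key")
Profile = namedtuple("Profile", "profile_id expires auto_renew cert_ids")

def in_window(expires, today):
    # Inclusive boundary is an assumption; already-expired items also match.
    return expires - today <= RENEWAL_WINDOW

def plan_renewals(certs, profiles, today):
    """Return (cert IDs to reissue, {profile ID: cert IDs after the swap})."""
    # Certificates: flagged AND inside the window AND private key on file.
    reissue = [c.cert_id for c in certs
               if c.auto_renew and c.has_private_key and in_window(c.expires, today)]
    # Placeholder replacement IDs; the real ones are assigned by Apple.
    swap = {old: old + "-renewed" for old in reissue}
    rebuilds = {}
    for p in profiles:
        flagged = p.auto_renew and in_window(p.expires, today)
        # Cascade: profile references a cert reissued earlier in this run.
        cascaded = any(cid in swap for cid in p.cert_ids)
        if flagged or cascaded:
            rebuilds[p.profile_id] = [swap.get(cid, cid) for cid in p.cert_ids]
    return reissue, rebuilds

# Constructed sample inventory.
TODAY = date(2025, 6, 1)
CERTS = [
    Cert("DIST1", date(2025, 6, 10), True, True),    # eligible
    Cert("DIST2", date(2025, 6, 10), True, False),   # no key on file: skipped
    Cert("DEV1", date(2025, 6, 5), False, True),     # development default: off
    Cert("DIST3", date(2025, 9, 1), True, True),     # outside the window
]
PROFILES = [
    Profile("P1", date(2025, 6, 12), True, ["DIST1"]),           # in window
    Profile("P2", date(2025, 12, 1), True, ["DIST1", "DIST3"]),  # cascade only
    Profile("P3", date(2025, 12, 1), True, ["DIST3"]),           # untouched
    Profile("P4", date(2025, 6, 3), True, ["DIST2"]),            # rebuilt, cert unchanged
]

if __name__ == "__main__":
    print(plan_renewals(CERTS, PROFILES, TODAY))
```

Note that P4 is rebuilt with a certificate that was skipped for lack of a private key, which is the case where the fresh profile still points at a cert about to expire.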
Notifications you'll see
- Certificate auto-renewed: Sent to org owners and admins when a cert is reissued. Includes the previous and new Apple IDs, the new expiry, and a link to the certificate.
- Certificate auto-renewal failed: Sent when Apple rejected the issuance request, or HexSign couldn't reach Apple. The email surfaces Apple's exact reason (e.g. "Maximum number of certificates generated") so you can act on it.
- Provisioning profile auto-renewed: Sent when a profile was rebuilt. Includes the previous and new Apple IDs and the new expiry. Download the fresh .mobileprovision from the dashboard and update your CI.
- Provisioning profile auto-renewal failed: Sent when the rebuild couldn't complete. Common reasons: the underlying bundle ID was deleted, or every referenced cert was revoked.
Troubleshooting
- "private_key_required" when enabling on a certificate: The cert doesn't have a private key on file. Upload one via the Signing key card on the detail page; the toggle unlocks automatically.
- Auto-renewal fired but no new cert appears: Open the audit log filtered by certificate.auto_renew_failed. The Apple-side reason is recorded verbatim. Most common: the Apple Developer team has hit its certificate limit for that type. Revoke an unused old cert and the next day's run will succeed.
- Profile auto-renewal kept retrying every day: The profile is within the 14-day window but the rebuild keeps failing (e.g. bundle ID deleted). Either fix the underlying cause or toggle the profile's Auto-renew off so the daily run stops trying.