A certificate manager for a multi-tenant environment can be authorized to automatically renew a certificate for a customer of the environment. Prior to the end of the validity period of the certificate, the certificate manager can obtain a new certificate on behalf of the customer and notify the customer that the certificate is ready to be deployed. The certificate will not be deployed until the customer releases the hold on the certificate. If no such instruction is received, notifications can be sent to the customer about the upcoming end of the validity period, and those notifications can be sent with increasing frequency. If no notification is received before the validity period is to expire, the certificate manager can automatically deploy the certificate to ensure that a valid certificate remains in place for the customer on the associated resource(s).