diff --git a/roles/generate-cert/defaults/main.yml b/roles/generate-cert/defaults/main.yml
index b4bded4..db793c5 100644
--- a/roles/generate-cert/defaults/main.yml
+++ b/roles/generate-cert/defaults/main.yml
@@ -3,3 +3,5 @@ key_usage:
 - digitalSignature
 - keyEncipherment
 validity_duration: "+365d"
+time_before_expiration_for_renewal: "+30d" # need a better name
+force_renewal: no
diff --git a/roles/generate-cert/tasks/main.yml b/roles/generate-cert/tasks/main.yml
index ef83c30..31a1a2a 100644
--- a/roles/generate-cert/tasks/main.yml
+++ b/roles/generate-cert/tasks/main.yml
@@ -9,6 +9,20 @@
     path: "{{ directory }}/{{ cname }}.key"
   register: key_file
 
+- name: Test if the cert already exist
+  stat:
+    path: "{{ directory }}/{{ cname }}.crt"
+  register: cert_file
+
+- name: Test if we need to renew the certificate
+  openssl_certificate_info:
+    path: "{{ directory }}/{{ cname }}.crt"
+    valid_at:
+      renewal: "{{ time_before_expiration_for_renewal }}"
+  register: validity
+  when: cert_file.stat.exists
+
+# TODO: Use a block to have only one `when`
 - name: Generate private key
   become: false
   openssl_privatekey:
@@ -16,7 +30,7 @@
     mode: u=rw,g=,o=
     size: "{{ key_size | default(omit) }}"
   delegate_to: localhost
-  when: not key_file.stat.exists
+  when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
 
 # TODO: add a revocation methode, most probably crl, with crl_distribution_points
 - name: Generate a Certificate Signing Request
@@ -38,7 +52,7 @@
     key_usage_critical: yes
     subject_alt_name: "{{ subject_alt_name | default(omit) }}"
   delegate_to: localhost
-  when: not key_file.stat.exists
+  when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
 
 - name: Put the CA in a file
   become: false
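Review bot: `force_renewal: no` in the defaults hunk is a YAML 1.1 truthy literal that yamllint flags and that generic parsers read differently; write the default as `force_renewal: false` so the intended boolean is unambiguous. The `# need a better name` marker on `time_before_expiration_for_renewal` should be replaced by a comment that states the contract, e.g. `# Relative timespec: renew when the cert would no longer be valid at now + this offset`. Without that, a reader has to open the tasks file to learn that the value is passed to a `valid_at` check rather than compared to `validity_duration`.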
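Review bot: The new `openssl_certificate_info` task only runs `when: cert_file.stat.exists`, so `validity.valid_at` is undefined whenever the cert is missing, and every later condition works only because Jinja's `or` tests `not cert_file.stat.exists` before it reaches `validity.valid_at.renewal`; that ordering is load-bearing and should be stated above the task, e.g. `# Skipped when no cert exists: later 'when' clauses must test cert_file.stat.exists before validity.valid_at.renewal`. The check also decides renewal on expiry alone: a cert that is still valid at the renewal horizon but was issued by a different CA, for a different key, or with a different SAN set is kept as-is, which I would at least document in the role's README since the role signs with its own CA. Both new tasks run on the managed host rather than `localhost`, so presumably the host needs the module's crypto backend installed — confirm this matches how `key_file` is stat'ed above the hunk.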
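Review bot: `force_renewal` is used as a bare truthy value in the rewritten `when` of the "Generate private key" task, so a value supplied as a plain extra var on the command line (e.g. `-e force_renewal=no`, which arrives as a non-empty string unless passed as JSON) would force regeneration of the private key and certificate instead of disabling it; cast it explicitly, `when: (force_renewal | bool) or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)`. The same line is repeated in the hunks at @@ -38, -46, -55, -68, -77, -86, -95, -103, -111 and -119 and needs the same cast in each. Computing the decision once into a fact (or the block the TODO already mentions) would remove the duplication and keep the line under the 120-character limit; the regenerated key is sent to the server unconditionally once the condition is true, so a wrong truthiness here silently rotates deployed key material.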
@@ -46,7 +60,7 @@
     content: "{{ ca_cert }}"
     dest: "/tmp/ansible_hacky_pki_ca.crt"
   delegate_to: localhost
-  when: not key_file.stat.exists
+  when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
 
 - name: Put the CA key in a file
   become: false
@@ -55,7 +69,7 @@
     dest: "/tmp/ansible_hacky_pki_ca.key"
     mode: u=rw,g=,o=
   delegate_to: localhost
-  when: not key_file.stat.exists
+  when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
 
 - name: Sign the certificate
   become: false
@@ -68,7 +82,7 @@
     ownca_privatekey_path: /tmp/ansible_hacky_pki_ca.key
     provider: ownca
   delegate_to: localhost
-  when: not key_file.stat.exists
+  when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
 
 - name: Send private key to the server
   copy:
@@ -77,7 +91,7 @@
     owner: "{{ owner | default('root') }}"
     group: "{{ group | default('root') }}"
     mode: "{{ key_mode | default('u=rw,g=,o=') }}"
-  when: not key_file.stat.exists
+  when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
 
 - name: Send certificate to the server
   copy:
@@ -86,7 +100,7 @@
     owner: "{{ owner | default('root') }}"
     group: "{{ group | default('root') }}"
     mode: "{{ key_mode | default('u=rw,g=r,o=r') }}"
-  when: not key_file.stat.exists
+  when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
 
 # Clean up
 - name: Remove the local cert key
@@ -95,7 +109,7 @@
     path: "/tmp/ansible_hacky_pki_{{ cname }}.key"
     state: absent
   delegate_to: localhost
-  when: not key_file.stat.exists
+  when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
 
 - name: Remove the CSR
   become: false
@@ -103,7 +117,7 @@
     path: "/tmp/ansible_hacky_pki_{{ cname }}.csr"
     state: absent
   delegate_to: localhost
-  when: not key_file.stat.exists
+  when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
 
 - name: Remove the local certificate
   become: false
@@ -111,7 +125,7 @@
     path: "/tmp/ansible_hacky_pki_{{ cname }}.crt"
     state: absent
   delegate_to: localhost
-  when: not key_file.stat.exists
+  when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
 
 - name: Remove the CA certificate
   become: false
@@ -119,7 +133,7 @@
     path: /tmp/ansible_hacky_pki_ca.crt
     state: absent
   delegate_to: localhost
-  when: not key_file.stat.exists
+  when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
 
 - name: Remove the CA key
   become: false