diff --git a/buildchain/buildchain/salt_tree.py b/buildchain/buildchain/salt_tree.py
index cb80e36c94..ff3213eaed 100644
--- a/buildchain/buildchain/salt_tree.py
+++ b/buildchain/buildchain/salt_tree.py
@@ -573,6 +573,8 @@ def _get_parts(self) -> Iterator[str]:
 Path('salt/metalk8s/orchestrate/bootstrap/pre-downgrade.sls'),
 Path('salt/metalk8s/orchestrate/bootstrap/pre-upgrade.sls'),
+ Path('salt/metalk8s/orchestrate/certs/renew.sls'),
+ Path('salt/metalk8s/orchestrate/downgrade/init.sls'),
 Path('salt/metalk8s/orchestrate/downgrade/precheck.sls'),
 Path('salt/metalk8s/orchestrate/downgrade/pre.sls'),
diff --git a/salt/metalk8s/orchestrate/certs/renew.sls b/salt/metalk8s/orchestrate/certs/renew.sls
new file mode 100644
index 0000000000..7f8662e40f
--- /dev/null
+++ b/salt/metalk8s/orchestrate/certs/renew.sls
@@ -0,0 +1,15 @@
+{%- set target_pillar = salt.saltutil.runner(
+ 'pillar.show_pillar', kwarg={'minion': pillar.orchestrate.target}
+) %}
+{%- set sls = [] %}
+
+{%- for cert in target_pillar.certs_renewal %}
+ {%- if cert["name"] in pillar.orchestrate.certificates %}
+ {%- do sls.extend(cert["sls"]) %}
+ {%- endif %}
+{%- endfor %}
+
+Renew expired certificates:
+ salt.state:
+ - tgt: {{ pillar.orchestrate.target }}
+ - sls: {{ sls | unique | json }}
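Review bot: In renew.sls the `tgt` line renders `pillar.orchestrate.target` unquoted, while the `sls` line directly below it goes through `| json`; a target value containing YAML-significant characters would break or alter the rendered state, so `- tgt: {{ pillar.orchestrate.target | json }}` would be the safer form. The SLS list is computed from the pillar of the single minion named by that value, but `salt.state` matches `tgt` as a glob by default, so the set of minions acted on and the pillar consulted can disagree if the value is ever a pattern rather than an exact minion ID. Names in `pillar.orchestrate.certificates` that match no `certs_renewal` entry are dropped silently, and if none match (or the target pillar has no `certs_renewal` key) the state is rendered with `sls: []`; an explicit failure that lists the unknown names would make that case diagnosable. A short header comment documenting the expected `orchestrate.target` and `orchestrate.certificates` pillar keys would also help callers.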