diff --git a/command/ca/rekey.go b/command/ca/rekey.go
index cd58fbf7d..befd33bf2 100644
--- a/command/ca/rekey.go
+++ b/command/ca/rekey.go
@@ -340,7 +340,10 @@ func rekeyCertificateAction(ctx *cli.Context) error {
 // Force is always enabled when daemon mode is used
 ctx.Set("force", "true")
 next := nextRenewDuration(leaf, expiresIn, rekeyPeriod)
- return renewer.Daemon(outCert, next, expiresIn, rekeyPeriod, afterRekey)
+ rekeyFunc := func() error {
+ return renewer.RekeyAndWrite(ctx, outCert, outKey, givenPrivate, passFile, kmsURI)
+ }
+ return renewer.Daemon(outCert,next,expiresIn,rekeyPeriod, afterRekey, rekeyFunc)
 }
 
 // Do not rekey if (cert.notAfter - now) > (expiresIn + jitter)
@@ -353,27 +356,7 @@ func rekeyCertificateAction(ctx *cli.Context) error {
 }
 }
 
- var signer crypto.Signer
- if givenPrivate == "" {
- kty, crv, size, err := utils.GetKeyDetailsFromCLI(ctx, false, "kty", "curve", "size")
- if err != nil {
- return err
- }
- signer, err = keyutil.GenerateSigner(kty, crv, size)
- if err != nil {
- return err
- }
- } else {
- opts := []pemutil.Options{pemutil.WithFilename(givenPrivate)}
- if passFile != "" {
- opts = append(opts, pemutil.WithPasswordFile(passFile))
- }
- signer, err = cryptoutil.CreateSigner(kmsURI, givenPrivate, opts...)
- if err != nil {
- return err
- }
- }
- if _, err := renewer.Rekey(signer, outCert, outKey, ctx.IsSet("out-key") || givenPrivate == ""); err != nil {
+ if err := renewer.RekeyAndWrite(ctx, outCert, outKey, givenPrivate, passFile, kmsURI); err != nil {
 return err
 }
 
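Review bot: The new `return renewer.Daemon(outCert,next,expiresIn,rekeyPeriod, afterRekey, rekeyFunc)` line in the first hunk is not gofmt-clean (no space after the first three commas); run gofmt so it reads `return renewer.Daemon(outCert, next, expiresIn, rekeyPeriod, afterRekey, rekeyFunc)`. Since afterRekey is handed to Daemon as its afterRenew hook and the Daemon change in renew.go runs rekeyFunc only after that hook, a comment on the closure would save the next reader a trip across files, e.g. `// rekeyFunc rotates the key on each daemon cycle; Daemon invokes it after afterRekey has run.` rekeyCertificateAction begins and ends outside this hunk.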
@@ -386,3 +369,29 @@ func rekeyCertificateAction(ctx *cli.Context) error {
 }
 return afterRekey()
 }
+func (r *renewer) RekeyAndWrite(ctx *cli.Context, outCert, outKey, givenPrivate, passFile, kmsURI string) error {
+ signer, err := generateSigner(ctx, givenPrivate, passFile, kmsURI)
+ if err != nil {
+ return err
+ }
+ if _, err := r.Rekey(signer, outCert, outKey, ctx.IsSet("out-key") || givenPrivate == ""); err != nil {
+ return err
+ }
+ return nil
+}
+
+func generateSigner(ctx *cli.Context, givenPrivate, passFile, kmsURI string) (crypto.Signer, error) {
+ if givenPrivate == "" {
+ kty, crv, size, err := utils.GetKeyDetailsFromCLI(ctx, false, "kty", "curve", "size")
+ if err != nil {
+ return nil, err
+ }
+ return keyutil.GenerateSigner(kty, crv, size)
+ } else {
+ opts := []pemutil.Options{pemutil.WithFilename(givenPrivate)}
+ if passFile != "" {
+ opts = append(opts, pemutil.WithPasswordFile(passFile))
+ }
+ return cryptoutil.CreateSigner(kmsURI, givenPrivate, opts...)
+ }
+}
diff --git a/command/ca/renew.go b/command/ca/renew.go
index c2d7eaad3..c61be9af0 100644
--- a/command/ca/renew.go
+++ b/command/ca/renew.go
@@ -325,7 +325,7 @@ func renewCertificateAction(ctx *cli.Context) error {
 // Force is always enabled when daemon mode is used
 ctx.Set("force", "true")
 next := nextRenewDuration(cert.Leaf, expiresIn, renewPeriod)
- return renewer.Daemon(outFile, next, expiresIn, renewPeriod, afterRenew)
+ return renewer.Daemon(outFile, next, expiresIn, renewPeriod, afterRenew, nil)
 }
 
 // Do not renew if (cert.notAfter - now) > (expiresIn + jitter)
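Review bot: generateSigner keeps an `} else {` after a branch that ends in `return`; drop the else and dedent the key-file/KMS path so the happy path stays left-aligned (staticcheck and gocritic flag this as indent-error-flow), and add the missing blank line between the closing `}` of rekeyCertificateAction and the new `func (r *renewer) RekeyAndWrite`. RekeyAndWrite is exported but has no doc comment; state its contract, e.g. `// RekeyAndWrite builds the new signer (a freshly generated key when givenPrivate is empty, otherwise the key at givenPrivate, optionally through kmsURI and unlocked with passFile) and rekeys the certificate into outCert; the key is written to outKey only when --out-key was set or the key was generated.` The trailing `if _, err := r.Rekey(...); err != nil { return err }` / `return nil` pair can collapse to `_, err = r.Rekey(signer, outCert, outKey, ctx.IsSet("out-key") || givenPrivate == "")` / `return err`. Note that when givenPrivate is non-empty and RekeyAndWrite is called repeatedly from the daemon closure, each cycle reloads the same key file, so successive "rekeys" appear to reuse one key; if that is intended, a sentence in the doc comment should say so.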
@@ -578,7 +578,7 @@ func (r *renewer) RenewAndPrepareNext(outFile string, expiresIn, renewPeriod tim
 return next, nil
 }
 
-func (r *renewer) Daemon(outFile string, next, expiresIn, renewPeriod time.Duration, afterRenew func() error) error {
+func (r *renewer) Daemon(outFile string, next, expiresIn, renewPeriod time.Duration, afterRenew func() error, rekeyFunc func() error) error {
 // Loggers
 infoLog := log.New(os.Stdout, "INFO: ", log.LstdFlags)
 errLog := log.New(os.Stderr, "ERROR: ", log.LstdFlags)
@@ -600,6 +600,11 @@ func (r *renewer) Daemon(outFile string, next, expiresIn, renewPeriod time.Durat
 } else if err := afterRenew(); err != nil {
 errLog.Println(err)
 }
+ if rekeyFunc != nil {
+ if err := rekeyFunc(); err != nil {
+ errLog.Println(err)
+ }
+ }
 case syscall.SIGINT, syscall.SIGTERM:
 return nil
 }
@@ -609,6 +614,11 @@ func (r *renewer) Daemon(outFile string, next, expiresIn, renewPeriod time.Durat
 } else if err := afterRenew(); err != nil {
 errLog.Println(err)
 }
+ if rekeyFunc != nil {
+ if err := rekeyFunc(); err != nil {
+ errLog.Println(err)
+ }
+ }
 }
 }
 }
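Review bot: The new `rekeyFunc func() error` parameter on Daemon is undocumented, and nothing at the signature says that nil is a valid value (renew.go passes nil) or when the hook runs relative to afterRenew. Add a doc comment on the method, e.g. `// Daemon keeps the certificate in outFile renewed in the background and runs afterRenew after each renewal. When rekeyFunc is non-nil it is invoked after afterRenew on every cycle to rotate the key; pass nil to renew without rekeying.` Daemon's body continues outside this hunk.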
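Review bot: In the second hunk rekeyFunc is invoked only after `afterRenew()` has already returned, so in rekey daemon mode the afterRekey hook (which rekey.go passes as afterRenew) fires before the rotated key pair exists on disk; anything that hook reloads picks up the renewed certificate still bound to the previous key, and the subsequent rekey then replaces outFile and the key file without any hook observing them. It also means a renewal that succeeds followed by a rekey that fails leaves the hook already run and only an error line logged, which is easy to miss for an operator expecting rotation. Consider calling rekeyFunc before afterRenew (and skipping the hook when the rekey fails) so the hook always sees the final certificate and key; the head of this if/else chain and the RenewAndPrepareNext call sit above the hunk, so the exact placement has to be checked there. The five added lines are repeated verbatim in the third hunk (`@@ -609,6 +614,11`); a small closure defined once next to the loggers, e.g. `rekey := func() { if rekeyFunc != nil { if err := rekeyFunc(); err != nil { errLog.Println(err) } } }`, keeps both call sites identical.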