diff --git a/REFERENCE.md b/REFERENCE.md
index 08dd08a356..ce8c324d1f 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -772,7 +772,7 @@ Default value: `undef`
 ##### `ensure`
-Data type: `Enum['present','absent']`
+Data type: `Enum['present','refreshed','absent']`
 Ensure presence or absence of the resource.
diff --git a/manifests/keyring.pp b/manifests/keyring.pp
index c1617e17d7..883cec117a 100644
--- a/manifests/keyring.pp
+++ b/manifests/keyring.pp
@@ -38,7 +38,7 @@
 Stdlib::Filemode $mode = '0644',
 Optional[Stdlib::Filesource] $source = undef,
 Optional[String[1]] $content = undef,
- Enum['present','absent'] $ensure = 'present',
+ Enum['present','refreshed','absent'] $ensure = 'present',
 ) {
 ensure_resource('file', $dir, { ensure => 'directory', mode => '0755', })
 if $source and $content {
@@ -50,7 +50,7 @@
 $file = "${dir}/$(unknown)"
 case $ensure {
- 'present': {
+ /^(refreshed|present)$/: {
 file { $file:
 ensure => 'file',
 mode => $mode,
@@ -59,6 +59,15 @@
 source => $source,
 content => $content,
 }
+
+ if $ensure == 'refreshed' {
+ exec { "check_keyring_${name}":
+ command => "rm ${file}",
+ onlyif => "test -f ${file} && gpg --show-keys --list-options show-sig-expire ${file} | grep expired",
+ path => $facts['path'],
+ notify => File[$file],
+ }
+ }
 }
 'absent': {
 file { $file:
diff --git a/spec/acceptance/apt_keyring_spec.rb b/spec/acceptance/apt_keyring_spec.rb
index 4baf7b5b58..6fba79b748 100644
--- a/spec/acceptance/apt_keyring_spec.rb
+++ b/spec/acceptance/apt_keyring_spec.rb
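Review bot: The `@param ensure` documentation that REFERENCE.md is generated from still reads `Ensure presence or absence of the resource.` (the REFERENCE.md hunk only widens the data type), so the new `refreshed` value is typed but never explained; that doc comment lives in the define's header above this hunk. Suggested wording: `# @param ensure 'present' and 'absent' manage the keyring file; 'refreshed' additionally removes the file when the key it holds has expired, so it is re-fetched from source.` The parameter list this hunk edits starts outside the hunk.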
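Review bot: `/^(refreshed|present)$/:` matches an Enum-typed value with a regex where a list of the literal alternatives reads more directly and avoids regex semantics (and the capture variables a regex arm sets) for a fixed set of strings; `'present', 'refreshed': {` is the equivalent case arm. The `case $ensure` statement continues past the end of this hunk.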
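Review bot: `${file}` is interpolated unquoted into the `command` and `onlyif` shell strings, and `$file` is built from `$dir` and the resource title, so a title containing whitespace or shell metacharacters either breaks the pipeline or is interpreted by `sh`; shell-quote it in both places, e.g. `command => "rm ${file.shell_escape}"` (stdlib is already a dependency here, see `Stdlib::Filemode` and `ensure_resource` in the first hunk). `grep expired` also parses gpg's human-readable, locale-dependent listing, so on a non-English locale the exec silently never fires; the colon-delimited `gpg --show-keys --with-colons` output marks an expired key with `e` in its validity field and is the safer thing to test, or at minimum add `environment => ['LC_ALL=C']` to the exec. Worth a comment on the `if $ensure == 'refreshed'` block as well: when the key served by `$source` is itself still expired, this exec removes and re-fetches the file on every run, so `refreshed` is not idempotent in that state.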
@@ -25,4 +25,25 @@
 end
 end
 end
+
+ context 'when using refreshed GPG' do
+ # add expired GPG key
+ before(:each) do
+ run_shell('curl https://apt.puppetlabs.com/DEB-GPG-KEY-puppet | gpg --dearmor >/etc/apt/keyrings/puppetlabs-keyring.gpg')
+ end
+ keyring_pp = <<-MANIFEST
+ apt::keyring { 'puppetlabs-keyring.gpg':
+ ensure => 'refreshed',
+ source => 'https://apt.puppetlabs.com/keyring.gpg',
+ }
+ MANIFEST
+
+ it 'updates GPG key' do
+ retry_on_error_matching do
+ idempotent_apply(keyring_pp)
+ res = run_shell('gpg --show-keys --list-options show-sig-expire /etc/apt/keyrings/puppetlabs-keyring.gpg | grep expired')
+ expect(res.stdout.strip).to eq('')
+ end
+ end
+ end
 end
diff --git a/spec/defines/keyring_spec.rb b/spec/defines/keyring_spec.rb
index 6b3c65e1ef..7d300cf3dc 100644
--- a/spec/defines/keyring_spec.rb
+++ b/spec/defines/keyring_spec.rb
@@ -17,4 +17,21 @@
 it { is_expected.to compile }
 end
 end
+
+ describe 'ensure => refreshed' do
+ let :params do
+ {
+ ensure: 'refreshed',
+ name: 'puppetlabs.gpg',
+ source: 'http://apt.puppetlabs.com/pubkey.gpg',
+ }
+ end
+
+ it {
+ is_expected.to contain_exec('check_keyring_puppetlabs.gpg').with(
+ command: 'rm /etc/apt/keyrings/puppetlabs.gpg',
+ onlyif: 'test -f /etc/apt/keyrings/puppetlabs.gpg && gpg --show-keys --list-options show-sig-expire /etc/apt/keyrings/puppetlabs.gpg | grep expired',
+ )
+ }
+ end
 end
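Review bot: If `run_shell` raises on a non-zero exit status, which I believe is this helper's default, the `expect` in `it 'updates GPG key'` cannot be reached on the success path: when no line matches, `grep expired` exits 1, the pipeline inherits that status, and the raise is simply retried by `retry_on_error_matching` until it gives up. Pass `expect_failures: true` on the second `run_shell` call and keep asserting on the empty output, e.g. `res = run_shell('gpg --show-keys --list-options show-sig-expire /etc/apt/keyrings/puppetlabs-keyring.gpg | grep expired', expect_failures: true)`. The `before` hook's `curl … | gpg --dearmor >…` writes the keyring file even when the download fails, so `curl -fsSL` makes the fixture fail loudly instead of producing an empty keyring; `before do` is also the conventional form of `before(:each)`.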
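Review bot: The new example only pins the exact shell strings of the exec, so it documents the implementation rather than the contract of `ensure => 'refreshed'`, and it does not check that the exec is wired to the keyring file, which is what makes the re-fetch happen. Append `.that_notifies('File[/etc/apt/keyrings/puppetlabs.gpg]')` to the `contain_exec` chain and add `it { is_expected.to contain_file('/etc/apt/keyrings/puppetlabs.gpg').with(ensure: 'file') }` so the `refreshed` branch is shown to still manage the file. Style: a multi-line `it` body is conventionally written `it do … end` rather than `it { … }`.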