4.8. Renewing Certificates

Almost any certificate issued by Certificate System can be renewed (assuming the original issuing profile allows it). Renewing certificates rather than requesting new certificates can be one way of smoothly transitioning between subsystem certificates as they expire, and is especially useful for CA signing certificates.
Certificate System subsystem and user certificates, as well as end user certificates, can be renewed by resubmitting the original certificate request using the original keys. The renewal process can be done by accessing the end user forms or by generating a new certificate request using the old keys with the certutil command.
There are two methods for renewing certificates in the end users forms. Agent-approved and directory-based renewal require submitting the serial number for the certificate, and the CA draws the information from its current certificate directory entry. Certificate-based renewal uses the certificate in the browser database to regenerate the new certificate, which makes it common for user certificate renewals.


Encryption and signing certificates are created in a single step. However, the renewal process only renews one certificate at a time.
To renew both certificates in a certificate pair, each one has to be renewed individually.

4.8.1. Agent-Approved or Directory-Based Renewals

Sometimes, a certificate renewal request has to be manually approved, either by a CA agent or by your providing login information for the user directory.
  1. Open the end-entities services page for the CA which issued the certificate (or its clone).
  2. Click the name of the renewal form to use.
  3. Enter the serial number of the certificate to renew. This can be in decimal or hexadecimal form.
  4. Click the renew button.
  5. The request is submitted. For directory-based renewals, the renewed certificate is automatically returned. Otherwise, the renewal request will be approved by an agent.

4.8.2. Certificate-Based Renewal

Some user certificates are stored directly in your browser, so some renewal forms will simply check your browser certificate database for a certificate to renew. If a certificate can be renewed, then the CA automatically approved and reissued it.


If the certificate which is being renewed has already expired, then it probably cannot be used for certificate-based renewal. The browser client may disallow any SSL client authentication with an expired certificate.
In that case, the certificate must be renewed using one of the other renewal methods.
  1. Open the end-entities services page for the CA which issued the certificate (or its clone).
  2. Click the name of the renewal form to use.
  3. There is no input field, so click the Renew button.
  4. When prompted, select the certificate to renew.
  5. The request is submitted and the renewed certificate is automatically returned.

4.8.3. Re-keying Certificates

Re-keying a certificate resubmits the original certificate request to the original profile, but generates a new key pair.
Re-keying a certificate is done using the certutil command to redo the certificate request and then is submitted using the regular end-entities forms.
  1. List the certificates for the instance.
    certutil -L -d /var/lib/pki/instance_name/alias
    Certificate Authority - Example Domain    CT,c,
    subsystemCert cert-instance_name              u,u,u
    Server-Cert cert-instance_name                u,u,u
  2. Delete the original certificate from the database.
    certutil -D -n "subsystemCert cert-instance_name" -d /var/lib/pki/instance_name/alias
  3. Generate a new key and request for the new certificate.
    certutil -d /var/lib/pki/instance_name/alias -R -s "CN=server.example.com,OU=pki-ca,O=Example Domain pki-ca" -o newcert.req -h "NSS Certificate DB" -a
  4. Submit and approve the certificate, as described in Section 4.8.1, “Agent-Approved or Directory-Based Renewals”.


    In the renewal form, use the same serial number as the original certificate.
  5. Import the new certificate into the subsystem's certificate database.
    certutil -A -d /var/lib/pki/instance_name/alias -n "subsystemCert cert-instance_name" -t "u,u,u" -i /tmp/newcert.cert