3.4. Configuring Profiles to Enable Renewal

This section discusses how to set up profiles for certificate renewals. For more information on how to renew certificates, see Section 5.5, “Renewing Certificates”.
A profile that allows renewal is often accompanied by the renewGracePeriodConstraint entry. For example:
policyset.cmcUserCertSet.10.constraint.class_id=renewGracePeriodConstraintImpl
policyset.cmcUserCertSet.10.constraint.name=Renewal Grace Period Constraint
policyset.cmcUserCertSet.10.constraint.params.renewal.graceBefore=30
policyset.cmcUserCertSet.10.constraint.params.renewal.graceAfter=30
policyset.cmcUserCertSet.10.default.class_id=noDefaultImpl
policyset.cmcUserCertSet.10.default.name=No Default

3.4.1. Renewing Using the Same Key

A profile that allows the same key to be submitted for renewal has the allowSameKeyRenewal parameter set to true in the uniqueKeyConstraint entry. For example:
policyset.cmcUserCertSet.9.constraint.class_id=uniqueKeyConstraintImpl
policyset.cmcUserCertSet.9.constraint.name=Unique Key Constraint
policyset.cmcUserCertSet.9.constraint.params.allowSameKeyRenewal=true
policyset.cmcUserCertSet.9.default.class_id=noDefaultImpl
policyset.cmcUserCertSet.9.default.name=No Default

3.4.2. Renewal Using a New Key

To renew a certificate with a new key, submit the renewal request through the same profile, but with a newly generated key. Certificate System uses the subjectDN from the user signing certificate that signed the request for the new certificate.
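
The following added example (not part of Certificate System or of the original documentation) parses profile text and reports the renewal grace period and whether same-key renewal is enabled, which is useful when reviewing which profiles permit key reuse. The function names `renewal_settings` and `renewal_window`, the sample expiration date, and the reading of the grace values as days before and after the certificate's expiration date are assumptions of this example.

```python
import re
from datetime import date, timedelta

# Constructed sample: the two renewal-related policies shown in this section.
SAMPLE_PROFILE = """\
policyset.cmcUserCertSet.9.constraint.class_id=uniqueKeyConstraintImpl
policyset.cmcUserCertSet.9.constraint.name=Unique Key Constraint
policyset.cmcUserCertSet.9.constraint.params.allowSameKeyRenewal=true
policyset.cmcUserCertSet.10.constraint.class_id=renewGracePeriodConstraintImpl
policyset.cmcUserCertSet.10.constraint.params.renewal.graceBefore=30
policyset.cmcUserCertSet.10.constraint.params.renewal.graceAfter=30
"""

# policyset.<set>.<number>.constraint.class_id  or  ...constraint.params.<name>
ENTRY = re.compile(r"^policyset\.([^.]+)\.(\d+)\.constraint\.(class_id|params\.(.+))$")

def renewal_settings(profile_text):
    """Collect the renewal-related constraint settings from profile text."""
    policies = {}  # (set name, policy number) -> {"class_id", "params"}
    for line in profile_text.splitlines():
        key, sep, value = line.strip().partition("=")
        m = ENTRY.match(key.strip())
        if not sep or not m:
            continue  # blank lines, comments, default.* and other keys
        policy = policies.setdefault(m.group(1, 2), {"class_id": None, "params": {}})
        if m.group(3) == "class_id":
            policy["class_id"] = value.strip()
        else:
            policy["params"][m.group(4)] = value.strip()
    out = {"grace_before": None, "grace_after": None, "same_key_renewal": None}
    for policy in policies.values():
        params = policy["params"]
        if policy["class_id"] == "renewGracePeriodConstraintImpl":
            for field, name in (("grace_before", "renewal.graceBefore"),
                                ("grace_after", "renewal.graceAfter")):
                if name in params:
                    out[field] = int(params[name])
        elif policy["class_id"] == "uniqueKeyConstraintImpl":
            if "allowSameKeyRenewal" in params:  # unset stays None, no default assumed
                out["same_key_renewal"] = params["allowSameKeyRenewal"].lower() == "true"
    return out

def renewal_window(not_after, settings):
    """First and last day renewal is accepted (assumption: grace values are days)."""
    return (not_after - timedelta(days=settings["grace_before"]),
            not_after + timedelta(days=settings["grace_after"]))

if __name__ == "__main__":
    s = renewal_settings(SAMPLE_PROFILE)
    print(s, renewal_window(date(2025, 6, 30), s))
```

A `same_key_renewal` value of `None` means the profile does not set `allowSameKeyRenewal` explicitly; the example does not guess the server's default.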