2.3. Configuring Profiles to Enable Renewal

Renewing a certificate regenerates the certificate using the same public key as the original certificate. Renewing a certificate can be preferable to simply generating new keys and installing new certificates; for example, if a new CA signing certificate is created, all of the certificates which that CA issued and signed must be reissued. If the CA signing certificate is renewed, than all of the issued certificates are still valid. A renewed certificate is identical to the original, only with an updated validity period and expiration date.
This section discusses renewing user certificates and creating renewal profiles. For information on renewing Certificate System subsystem certificates, see Chapter 16, Managing Subsystem Certificates.

2.3.1. About Renewal

A renewed certificate is identical to the original certificate, which makes renewing certificates a much simpler and cleaner option for handling the expiration of many kinds of certificates, especially CA signing certificates.

2.3.1.1. The Renewal Process

There are two methods of renewing a certificate. Regenerating the certificate takes the original key, profile, and request of the certificate and recreates a new certificate with a new validity period and expiration date using the identical key. Re-keying a certificate submits a certificate request through the original profile with the same information, so that a new key pair is generated.
By default, Certificate System supports regenerating user certificates with the same keys. In this kind of renewal, the CA re-creates the existing user certificate based on its previous configuration, such as its public key and defaults, constraints, and other settings.
When the user submits a renewal request, they provide some kind of information to identify which certificate to renew. This can be the serial number or the certificate itself.
Renewal Flow

Figure 2.1. Renewal Flow

The server identifies the certificate and then maps the renewal request to the initial certificate request entry in the CA database. If more than one certificate matches the renewal request, then the most recent certificate entry is used. (The renewal request must be submitted to the same CA which issued the original certificate. This is the only way to map the serial number to the appropriate certificate.)
The certificate entry contains, along with the original certificate, the original profile used to submit the request, its public key, and its extensions. Since the defaults, constraints, and other settings must be the same in the new certificate as in the old, it is important that the renewal process accesses the original enrollment profile, with the original information.

Example 2.2. Certificate Request Entry

 dn: cn=54,ou=certificateRepository, ou=ca, dc=server.example.com-pki-ca
objectClass: top
objectClass: certificateRecord
serialno: 0254
metaInfo: inLdapPublishDir:true
metaInfo: profileId:caUserCert
metaInfo: requestId:58
notBefore: 20090624082117Z
notAfter: 20091221072117Z
duration: 1115552000000
subjectName: UID=jsmith,E=jsmith@example.com,CN=John Smith,OU=engineering,OU=content,OU=services,OU=people,C=US
publicKeyData:: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAOhd4g9Fluurl3mtUzEKmilsGolBKr/sEvGpPZecPpcFxfkxwfvfjl6ycEUcxXJXEhdSQ+ZPdCUwakSBhn15Uz8CAwEAAQ==
extension: 1.3.6.1.5.5.7.1.1
extension: 2.5.29.37
extension: 2.5.29.35
extension: 2.5.29.17
extension: 2.5.29.15
userCertificate;binary:: MIIDXzCCAkegAwIBAgIBNjANBgkqhkiG9w0BAQUFADBAMR4wHAYD
 VQQKExVSZWRidWRjb21wdXRlciBEb21haW4xHjAcBgNVBAMTFUNlcnRpZmljYXRlIEF1dGhvcml0
 eTAeFw0wOTA2MjQxMzIxMTdaFw0wOTEyMjExMzIxMTdaMIGrMQswCQYDVQQGEwJVUzEPMA0GA1UE
 CxMGcGVvcGxlMREwDwYDVQQLEwhzZXJ2aWNlczEQMA4GA1UECxMHY29udGVudDEUMBIGA1UECxML
 ZW5naW5lZXJpbmcxFDASBgNVBAMTC0Rlb24gTGFja2V5MSEwHwYJKoZIhvcNAQkBFhJkbGFja2V5
 QHJlZGhhdC5jb20xFzAVBgoJkiaJk/IsZAEBEwdkbGFja2V5MFwwDQYJKoZIhvcNAQEBBQADSwAw
 SAJBAOhd4g9Fluurl3mtUzEKmilsGolBKr/sEvGpPZecPpcFxfkxwfvfjl6ycEUcxXJXEhdSQ+ZP
 dCUwakSBhn15Uz8CAwEAAaOBvzCBvDAfBgNVHSMEGDAWgBS7F3+uS3y2ZNesUZLcB/ZTwo9LIjBL
 BggrBgEFBQcBAQQ/MD0wOwYIKwYBBQUHMAGGL2h0dHA6Ly93aWxidXIucmVkYnVkY29tcHV0ZXIu
 bG9jYWw6OTE4MC9jYS9vY3NwMA4GA1UdDwEB/wQEAwIF4DAdBgNVHSUEFjAUBggrBgEFBQcDAgYI
 KwYBBQUHAwQwHQYDVR0RBBYwFIESZGxhY2tleUByZWRoYXQuY29tMA0GCSqGSIb3DQEBBQUAA4IB
 AQB1Jig+3mucNrvhl009ZWshzKSZN7d1rGP+SsYCNTk9KzEhU/lCkQnOLbrAMDE7gBKLkDvpm+4y
 ud5qzHC6+tCR+L0H6JCm1Gufv5VE4yIN+dLPcO4Wr8ZCIgt2Rr3aR3FqE0tqUXh2RDmq+EvfxBza
 FOTQpwz2EW1ppIXjKNZpi9+3enjMg0rc/CsT+c1rKeXJzo5mD6n+VmET8ZilvSgyq6jt9KgqeVfM
 Cfl+ypQ2u9EW6a0sYflw+vPOkcXqRUnKfKjn1lq8CALrGDG71pAlHzXQNMB0YWlKKywhdMfbHPN8
 FdFHC6Ro5Ny01DDRBF+y3Iqc3flLFJt1Ya3c8hEc
version: 2
algorithmId: 1.2.840.113549.1.1.1
signingAlgorithmId: 1.2.840.113549.1.1.5
dateOfCreate: 20090624082244Z
dateOfModify: 20090624082244Z
certStatus: VALID
autoRenew: ENABLED
issuedBy: admin
cn: 54
The original certificate request entry also contains the original validity period of the certificate. The certificate profile can contain the grace period for renewing the certificate, the time before and after the expiration date when renewal is allowed. If a certificate is outside of that period, either way, the renewal request is automatically rejected.
While renewal reissues an expired certificate, it does not reissue a revoked certificate. Only an otherwise valid certificate can be renewed.
The server then retrieves the public key from the entry, along with the original certificate request. Using the key and the original certificate request, the CA issues a new certificate, with a new validity period.

Note

The renewal process only renews one certificate at a time.
User certificates are frequently issued in pairs, such as encryption and signing certificates, and the initial enrollment issues both certificates at the same time. However, the renewal process takes a single serial number or certificate as its input, so it can only renew one certificate in one step.
To renew both certificates in a certificate pair, each one has to be renewed individually.

2.3.1.2. Renewal Types in Certificate System

As with any certificate request, a renewal request has to be approved before the CA will issue the new certificate. Certificate System has three renewal types, depending on the authorization method used to verify the requester, and any of the three types can be used to renew any kind of certificate:
  • Agent-based renewal, where the agent manually approves the request
  • Directory-based renewal, where the requester authenticates to an LDAP directory
  • Certificate-based renewal, where the certificate stored in the browser's database is used to authenticate the requester
Authentication is covered in Chapter 8, Authentication for Enrolling Certificates.

Note

Email notifications can be configured for renewal requests; this is described in Section 10.2, “Setting up Automated Notifications for the CA” and Section 11.3.3, “Configuration Parameters of certRenewalNotifier”.

2.3.2. Creating Custom Renewal Profiles

Certificate renewal regenerates a certificate using its original public key, certificate extensions and constraints, and subject name. A renewed certificate is identical to the original, except that it has a new expiration date.
When a certificate is renewed, it has to be renewed using a renewal profile that corresponds to the initial enrollment profile.

Note

Be careful when you update an existing profile. If you update an enrollment profile, renewed certificates can contain different fields than the original certificate.
Deleting or renaming a profile can also cause renewal to fail, although re-submitting the original CSR through the updated or renamed profile can still achieve the same effect.
In general, you can use enrollment profiles for renewal, if the renewal is initiated through a renewal profile.

2.3.2.1. Default Renewal Profiles

Certificate System contains three default renewal profiles for renewing user certificates.

Table 2.3. Renewal Profiles

Renewal Profile Type
caDirUserRenewal.cfg Directory-based
caManualRenewal.cfg Agent-based
caSSLClientSelfRenewal.cfg Certificate-based
caTokenUserAuthKeyRenewal Smart card
caTokenUserEncryptionKeyRenewal Smart card
caTokenUserSigningKeyRenewal Smart card

2.3.2.2. Creating the Renewal Profile

A renewal profile is much simpler than a standard enrollment profile because it does not need to define any defaults, extensions, or constraints; all of that information is already contained in the original certificate.
What a renewal profile does define is the authentication and authorization methods, the input to use to locate the original certificate, and the output of the regenerated certificate.
The renewal option, should be set to true: 
renewal=true
The grace period settings are inherited from the enrollment profile. For details, see Section 2.3.2.3, “Setting a Renewal Grace Period in an Enrollment Profile”.
The input depends on the way that the certificate renewal request is authorized. For agent-approved and directory-based authorization, the identity of the requester is verified independently. Then the specified certificate and subsequently the original request which contains the original enrollment profile id are pulled up using its serial number: 
input.i1.class_id=serialNumRenewInputImpl
For agent-based authentication, no authorization method is required; the request will be manually reviewed and approved by a CA agent. In this case, the auth.instance_id parameter is empty.

Example 2.3. Agent-Based Renewal Profile

 desc=This certificate profile is for renewing certificates to be approved manually by agents.
 visible=true
 enable=true
 enableBy=admin
 renewal=true  
 auth.instance_id=  
 name=Renew certificate to be manually approved by agents
 input.list=i1
 input.i1.class_id=serialNumRenewInputImpl  
 outputlist=o1
 output.o1.class_id=certOutputImpl
For directory-based authentication, the requester must log into an LDAP directory and authenticate against that database, so the auth.instance_id parameter must be set to use directory authentication.

Example 2.4. Directory-Based Renewal Profile

 desc=This certificate profile is for renewing a certificate by serial number by using directory based authentication.
 visible=true
 enable=true
 enableBy=admin
 renewal=true  
 auth.instance_id=UserDirEnrollment  
 authz.acl=user_origreq="auth_token.uid"
 name=Directory-Authenticated User Certificate Self-Renew profile
 input.list=i1
 input.i1.class_id=serialNumRenewInputImpl  
 output.list=o1
 output.o1.class_id=certOutputImpl

Note

Directory-based renewal works even if the UidPwdDir plug-in has optional fields set to configure things such as the connection or the DN pattern. This is described in Section 8.2.1, “Setting up Directory-Based Authentication”.
However, for certificate-based renewal, the certificate is presented directly by the browser being used to open the renewal forms, and that certificate is checked in the client database. The certificate is used both to verify the identity of the requester and to get the certificate information for renewal. For certificate-based renewal, it is not necessary to specify a serial number input; instead, set the authentication module to use certificate-based authentication. 
auth.instance_id=SSLclientCertAuth

Example 2.5. Certificate-Based Renewal Profile

 desc=This certificate profile is for renewing SSL client certificates.
 visible=true
 enable=true
 enableBy=admin
 renewal=true  
 auth.instance_id=SSLclientCertAuth  
 name=Self-renew user SSL client certificates
 output.list=o1
 output.o1.class_id=certOutputImpl

2.3.2.3. Setting a Renewal Grace Period in an Enrollment Profile

Red Hat recommends setting a grace period when using an enrollment profile for renewing a certificate through a renewal profile.
For details about creating a custom profile, see Section 2.2, “Setting up Certificate Profiles”.
To configure a grace period, update the /var/lib/pki/instance_name/ca/profiles/enrollment_profile.cfg file: 
policyset.userCertSet.list=1,10,2,3,4,5,6,7,8,9
...
policyset.userCertSet.10.constraint.class_id=renewGracePeriodConstraintImpl
policyset.userCertSet.10.constraint.name=Renewal Grace Period Constraint
policyset.userCertSet.10.constraint.params.renewal.graceBefore=30
policyset.userCertSet.10.constraint.params.renewal.graceAfter=30
policyset.userCertSet.10.default.class_id=noDefaultImpl
policyset.userCertSet.10.default.name=No Default
The renewal profile will inherit these parameters.
For further details about the renewal grace period, see Section B.2.9, “Renewal Grace Period Constraint”.