5.4. Renewing Certificates

This section explains how to use the different types of certificate renewal described in Section 3.4.1, “About Renewal”. You can use the methods described in this section to renew a certificate both with and without agent approval. To renew a certificate as a user without agent approval, use profiles that require the CMCUserSignedAuth authentication plug-in. To renew with agent approval, use profiles that require the CMCAuth authentication plug-in. For further details about these plug-ins and the profiles in which they are enabled by default, see Section 8.1.2, “CMC Authentication Plug-ins”.

5.4.1. Renewal Using the Same Key

Section 5.3.1, “The CMC Enrollment Process” describes how to request and issue a certificate using CMC. When a user resubmits the CMC request created during that process, using the same enrollment profile, Certificate System renews the certificate with the same key.

Note

To renew a certificate as the user with the same key, the enrollment profile must contain the uniqueKeyConstraint entry with the params.allowSameKeyRenewal parameter set to True, as described in Section 3.4.1, “About Renewal” and Section 3.4.1.1.1, “Renewing Using the Same Key”.
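
A pre-check for the requirement in the note above, as an added example that is not part of the original documentation: it scans profile configuration text for uniqueKeyConstraint entries and reports whether params.allowSameKeyRenewal is enabled on each. The sample profile, the policyset.<set>.<id>.constraint.* key layout and the function names are assumptions; a missing parameter is treated as not enabled.

```python
import re

# Constructed sample profile text (not taken from a real deployment).
# Assumption: constraints are stored as policyset.<set>.<id>.constraint.* keys.
SAMPLE_PROFILE = """\
# constructed example profile
policyset.list=cmcUserCertSet
policyset.cmcUserCertSet.list=1,9
policyset.cmcUserCertSet.1.constraint.class_id=subjectNameConstraintImpl
policyset.cmcUserCertSet.9.constraint.class_id=uniqueKeyConstraintImpl
policyset.cmcUserCertSet.9.constraint.name=Unique Key Constraint
policyset.cmcUserCertSet.9.constraint.params.allowSameKeyRenewal=true
"""

CLASS_KEY = re.compile(r"^policyset\.([^.]+)\.([^.]+)\.constraint\.class_id$")


def parse_properties(text):
    """Parse key=value lines, skipping blanks and '#' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def same_key_renewal_status(text):
    """Return (policy set, policy id, allowed) per uniqueKeyConstraint entry."""
    props = parse_properties(text)
    results = []
    for key, value in props.items():
        match = CLASS_KEY.match(key)
        if not match or "uniquekeyconstraint" not in value.lower():
            continue
        pset, pid = match.groups()
        param = f"policyset.{pset}.{pid}.constraint.params.allowSameKeyRenewal"
        # The value is compared case-insensitively, so "True" and "true" match.
        allowed = props.get(param, "").lower() == "true"
        results.append((pset, pid, allowed))
    return results


def allows_same_key_renewal(text):
    """True only if the entry exists and every instance enables the parameter."""
    status = same_key_renewal_status(text)
    return bool(status) and all(allowed for _, _, allowed in status)
```

The same function can be run across all enrollment profiles to list which ones permit reuse of an existing key on renewal, which is worth reviewing against your key lifetime policy.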

5.4.2. Renewal Using a New Key

To renew a certificate using a new key, follow the procedure described in Section 5.3.1, “The CMC Enrollment Process”. The process for renewal is the same as for a new enrollment. When you sign the request with the same signing certificate, the newly issued certificate contains the same subjectDN attribute as the signing certificate.