3.4. Configuring Profiles to Enable Renewal

Renewing a certificate regenerates the certificate using the same public key as the original certificate. Renewing a certificate can be preferable to simply generating new keys and installing new certificates; for example, if a new CA signing certificate is created, all of the certificates which that CA issued and signed must be reissued. If the CA signing certificate is renewed, than all of the issued certificates are still valid. A renewed certificate is identical to the original, only with an updated validity period and expiration date.
This section discusses how to set up profiles for renewals.

3.4.1. About Renewal

A renewed certificate is identical to the original certificate, which makes renewing certificates a much simpler and cleaner option for handling the expiration of many kinds of certificates, especially CA signing certificates. The Renewal Process

There are two methods of renewing a certificate. Regenerating the certificate takes the original key, profile, and request of the certificate and recreates a new certificate with a new validity period and expiration date using the identical key. Re-keying a certificate submits a certificate request through the original profile with the same information, so that a new key pair is generated.
A profile that allows renewal is also often accompanied by the renewGracePeriodConstraint entry. For example:
policyset.cmcUserCertSet.10.constraint.name=Renewal Grace Period Constraint
policyset.cmcUserCertSet.10.default.name=No Default Renewing Using the Same Key
A profile that allows the same key to be submitted for renewal has the allowSameKeyRenewal parameter set to true in the uniqueKeyConstraint entry. For example:
policyset.cmcUserCertSet.9.constraint.name=Unique Key Constraint
policyset.cmcUserCertSet.9.default.name=No Default Renewal Using a New Key
To renew a certificate with a new key, use the same profile with a new key. Certificate System uses the subjectDN from the user signing certificate used to sign the request for the new certificate.