Re: Certificate Renewal questions
From: Krish Shenoy[MSFT] (kshenoy_at_online.microsoft.com)
Date: Mon, 26 Jan 2004 13:19:29 -0800
More info from Vic
A renewal request is a request for a new certificate signed by the old
certificate. It may use the same key or create a new key. The certificate
must be current and valid (not revoked) for a renewal request to be

A renewal request submitted to an Enterprise CA may refer to a template that
allows the caller unconditional enroll access to the template, OR to a
template that allows the caller enroll access to the template only when the
request is signed by an old certificate with the same subject, that was
constructed from the same template.

In the latter case, a registration agent (a human) may be required to obtain
the initial certificate on behalf of the user after verifying the user's
identity in person, but auto-enroll can perform the renewal before the old
certificate expires, without any registration agent or admin involvement.
This is often how corporate smart cards are managed, for example.

A standard (non-renewal) request is a new request for a new certificate that
does not relate to any existing certificate, except that it may reuse a key
from an old certificate, or it may create a new key.

A non-renewal request submitted to an Enterprise CA will suffice when it
refers to a template that allows the caller unconditional enroll access to

--
Krish Shenoy[MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.

"Krish Shenoy[MSFT]" <firstname.lastname@example.org> wrote in message
news:%23ohUh3G4DHA.2380@TK2MSFTNGP11.phx.gbl...
> In the case of request with same key you have the option of selecting
> Advanced page where you can choose a different certificate template whereas
> for renew with same key you cannot choose the template.
>
> --
> Krish Shenoy[MSFT]
> This posting is provided "AS IS" with no warranties, and confers no rights.
> "Steve" <email@example.com> wrote in message
> news:firstname.lastname@example.org...
> > I need some help in understanding the mechanics of certificate renewal. I
> > have two questions:
> >
> > In the Certificates MMC console, when I right-click on a cert and go to
> > All Tasks I see the following tasks:
> > Request with new key
> > Request with same key
> > Renew with new key
> > Renew with same key
> >
> > I've tried both a Request with same key and a Renew with same key on a
> > valid certificate. The results seem to be the same. In both cases I get a
> > cert with a different serial number so the results seem to be identical.
> >
> > 1. What is the difference between the Request task and the Renew task?
> >
> > When I right-click on an expired cert and go to All Tasks, I get the same
> > list of tasks as above, however, when I try to Renew with same key, I get
> > the following error:
> >
> > "The certification authority denied the request. A required certificate
> > is not within its validity period when verifying against the current
> > system clock or the timestamp in the signed file."
> >
> > A Request with same key does go through successfully.
> >
> > 2. Why does 'Renew with same key' not work for an expired certificate
> > while a 'Request with same key' does work?
> >
> > Thanks,
> >
> > Steve
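
The acceptance rules described in the reply above, modelled as an added example that is not part of the original thread and is not the CA's actual policy module. The class names, template names, subjects and dates are constructed, and the model assumes a renewal signed by an expired or revoked certificate is denied, as the quoted error message indicates.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional, Tuple

@dataclass
class Cert:
    subject: str
    template: str
    not_before: datetime
    not_after: datetime
    revoked: bool = False

@dataclass
class Request:
    subject: str
    template: str
    unconditional_enroll: bool       # template ACL lets the caller enroll unsigned
    old_cert: Optional[Cert] = None  # set only when this is a renewal request

def evaluate(req: Request, now: datetime) -> Tuple[bool, str]:
    """Simplified model of the CA's decision (hypothetical helper)."""
    old = req.old_cert
    if old is not None:
        # A renewal is signed by the old certificate, so that certificate
        # must be unrevoked and inside its validity period.
        if old.revoked:
            return False, "old certificate is revoked"
        if not old.not_before <= now <= old.not_after:
            return False, "old certificate is not within its validity period"
    if req.unconditional_enroll:
        return True, "caller has unconditional enroll access"
    # Template only allows enrollment signed by a same-subject, same-template cert.
    if old is None:
        return False, "template requires a request signed by an existing certificate"
    if (old.subject, old.template) != (req.subject, req.template):
        return False, "old certificate has a different subject or template"
    return True, "signed by a same-subject, same-template certificate"

# Constructed sample data (subjects, dates and template names are made up).
NOW = datetime(2004, 1, 26)
VALID = Cert("CN=steve", "User", datetime(2003, 6, 1), datetime(2004, 6, 1))
EXPIRED = Cert("CN=steve", "User", datetime(2002, 6, 1), datetime(2003, 6, 1))
BADGE = Cert("CN=steve", "Badge", datetime(2003, 6, 1), datetime(2004, 6, 1))

def scenarios():
    return {
        "renew with valid cert": evaluate(Request("CN=steve", "User", True, VALID), NOW)[0],
        "renew with expired cert": evaluate(Request("CN=steve", "User", True, EXPIRED), NOW)[0],
        "new request, no signing cert": evaluate(Request("CN=steve", "User", True), NOW)[0],
        "signed-only template, renewal": evaluate(Request("CN=steve", "Badge", False, BADGE), NOW)[0],
        "signed-only template, new request": evaluate(Request("CN=steve", "Badge", False), NOW)[0],
    }
```

The registration-agent path for obtaining the initial certificate on a signed-only template is not modelled, so that case shows as denied here.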