Re: Certificate Renewal questions

From: Krish Shenoy[MSFT] (kshenoy_at_online.microsoft.com)
Date: 01/26/04


Date: Mon, 26 Jan 2004 13:19:29 -0800

More info from Vic

A renewal request is a request for a new certificate signed by the old
certificate. It may use the same key or create a new key. The certificate
must be current and valid (not revoked) for a renewal request to be
successful.

A renewal request submitted to an Enterprise CA may refer to a template that
allows the caller unconditional enroll access to the template, OR to a
template that allows the caller enroll access to the template only when the
request is signed by an old certificate with the same subject, that was
constructed from the same template.

In the latter case, a registration agent (a human) may be required to obtain
the initial certificate on behalf of the user after verifying the user's
identity in person, but auto-enroll can perform the renewal before the old
certificate expires, without any registration agent or admin involvement.

This is often how corporate smart cards are managed, for example.

A standard (non-renewal) request is a new request for a new certificate that
does not relate to any existing certificate, except that it may reuse a key
from an old certificate, or it may create a new key.

A non-renewal request submitted to an Enterprise CA will suffice when it
refers to a template that allows the caller unconditional enroll access to
the template.

-- 
Krish Shenoy[MSFT]
This posting is provided "AS IS" with no warranties, and confers no rights.
"Krish Shenoy[MSFT]" <kshenoy@online.microsoft.com> wrote in message
news:%23ohUh3G4DHA.2380@TK2MSFTNGP11.phx.gbl...
> In the case of request with same key you have the option of selecting the
> Advanced page where you can choose a different certificate template whereas
> for renew with same key you cannot choose the template.
>
>
>
> -- 
> Krish Shenoy[MSFT]
> This posting is provided "AS IS" with no warranties, and confers no rights.
> "Steve" <stephen.h.price@intel.com> wrote in message
> news:bumrub$dc2$1@news01.intel.com...
> > I need some help in understanding the mechanics of certificate renewal. I
> > have two questions:
> >
> > In the Certificates MMC console, when I right-click on a cert and go to All
> > Tasks I see the following tasks:
> > Request with new key
> > Request with same key
> > Renew with new key
> > Renew with same key
> >
> > I've tried both a Request with same key and a Renew with same key on a valid
> > certificate.  The results seem to be the same.  In both cases I get a cert
> > with a different serial number so the results seem to be identical.
> >
> > 1. What is the difference between the Request task and the Renew task?
> >
> > When I right-click on an expired cert and go to All Tasks, I get the same
> > list of tasks as above, however, when I try to Renew with same key, I get
> > the following error:
> >
> > "The certification authority denied the request.  A required certificate is
> > not within its validity period when verifying against the current system
> > clock or the timestamp in the signed file."
> >
> > A Request with same key does go through successfully.
> >
> > 2. Why does 'Renew with same key' not work for an expired certificate while
> > a 'Request with same key' does work?
> >
> > Thanks,
> >
> > Steve
> >
> >
>
>


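An added check, written for this thread and not code from the posters or from Microsoft, that applies the two renewal preconditions Vic lists (old certificate within its validity period, and not revoked) to the certificates in a Windows store, so an administrator can see in advance which certificates will hit the "not within its validity period" denial Steve reports and which are still candidates for Renew. It assumes PowerShell 3.0 or later and the Cert:\CurrentUser\My store path; it submits no request.

```powershell
# Added example, not part of the thread. Classifies certificates by the two
# renewal preconditions given above: the old certificate must be current and
# must not be revoked. The store path at the bottom is an assumption; nothing
# here submits a request to the CA.

function Get-RenewalEligibility {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [datetime]$Now = (Get-Date)
    )

    # Precondition 1: a renewal request is signed by the old certificate, so the
    # CA requires that certificate to be current. Expired (or not yet valid) means
    # the Renew path is closed; only a fresh, non-renewal Request will succeed.
    if ($Now -lt $Certificate.NotBefore -or $Now -gt $Certificate.NotAfter) {
        return [pscustomobject]@{
            Thumbprint = $Certificate.Thumbprint
            Eligible   = $false
            Reason     = "Outside validity period ($($Certificate.NotBefore) to $($Certificate.NotAfter)); use Request, not Renew"
        }
    }

    # Precondition 2: the old certificate must not be revoked. Build its chain with
    # online revocation checking (CRL/OCSP) applied to every certificate in it.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $trusted = $chain.Build($Certificate)
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    $chain.Reset()   # release the native chain context

    if (-not $trusted) {
        return [pscustomobject]@{
            Thumbprint = $Certificate.Thumbprint
            Eligible   = $false
            Reason     = "Chain build or revocation check failed: $status"
        }
    }

    [pscustomobject]@{
        Thumbprint = $Certificate.Thumbprint
        Eligible   = $true
        Reason     = "Valid for $([int]($Certificate.NotAfter - $Now).TotalDays) more days; Renew (same or new key) is possible"
    }
}

# Run over the current user's personal store (path assumed), private-key certs only.
Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.HasPrivateKey } |
    ForEach-Object { Get-RenewalEligibility -Certificate $_ } | Format-Table -AutoSize
```

Certificates reported as not eligible because they are outside their validity period are exactly the case in question 2 above: the CA rejects the renewal because it cannot verify the old certificate's signature against the current clock, so a standard Request is the only remaining path.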