Re: How to renew a certificate programatically

From: dot (Stephane)
Date: 01/26/04


Date: Mon, 26 Jan 2004 14:01:08 -0800

Thanks again Krish

If i understand well, taking the smardcard example:
- when an admin request the certificate the first time for a user, he has to create a PKCS10 request containing the cert template, and sign it by the enrollment agent to get a PKCS7 request (what i developed),
- when the user certificate is about to expire, he can create a PKCS10 request containing the same cert template, and sign it using his current certificate to get the PKCS7 request.

Is that correct ?
PS : i can't use the xenroll control as i explained in the previous thread...

     
     ----- Krish Shenoy[MSFT] wrote: -----
     
     A renewal request is a request for a new certificate signed by the old
     certificate. It may use the same key or create a new key. The certificate
     must be current and valid (not revoked) for a renewal request to be
     successful.
     
     A renewal request submitted to an Enterprise CA may refer to a template that
     allows the caller unconditional enroll access to the template, OR to a
     template that allows the caller enroll access to the template only when the
     request is signed by an old certificate with the same subject, that was
     constructed from the same template.
     
     In the latter case, a registration agent (a human) may be required to obtain
     the initial certificate on behalf of the user after verifying the user's
     identity in person, but auto-enroll can perform the renewal before the old
     certificate expires, without any registration agent or admin involvement.
     
     This is often how corporate smart cards are managed, for example.
     
     You can use the RenewalCertificate property in the xenroll interface to
     renew a certificate.
     
     
     --
     Krish Shenoy[MSFT]
     This posting is provided "AS IS" with no warranties, and confers no rights.
     "Stephane Vinsot" <stephane (dot) vinsot (at) enatel (dot) com> wrote in
     message news:18891F3D-9A45-46A7-AEBC-338CCA60C27A@microsoft.com...
> Hi,
>> I managed to request and get some certificates that i put on my smartcard
     using certificate services controls and APIs.
> What is the difference between certificate request and certificate renewal
     procedure ?
> Should i perform the same operations just keeping the already generated
     keys, or is there a simplified way of renewing ?
>> Thanks a lot
     
     
     



Relevant Pages

  • Re: How to renew a certificate programmicaly
    ... Name 2 extension must contain a UPN entry, ... Please notice that the application> policy restriction is "Enrollment Agent" and that the "old certificate" does> not have this application policy. ... > I cannot see this template in the MMC snapin, I guess it is because it has> "X number of authotized signatures" and "Subject details supply in request". ...
    (microsoft.public.platformsdk.security)
  • Re: Problems requesting computer certificates on an issuing CA
    ... The exact permissions on my template are: ... I tried to manually enroll for a computer certificate based on ... CA allows the computers to request certificates. ...
    (microsoft.public.windows.server.security)
  • Re: Certificates for l2tp VPN
    ... "IPSec offline request" template, the certificate is in the Local ... canīt install the correct certificate to make it work. ...
    (microsoft.public.win2000.security)
  • Re: Certificate Renewal questions
    ... A renewal request is a request for a new certificate signed by the old ... A renewal request submitted to an Enterprise CA may refer to a template that ...
    (microsoft.public.platformsdk.security)
  • Re: Computer and User Certificates Issues
    ... You created a custom V2 template but is this CA running Windows Server ... > Can you request any certificate at all via the mmc snapin for either user ... > users have the allow permission for request certificates. ... I have also tried manually enrolling for a computer certificate ...
    (microsoft.public.security)