Re: How to renew a certificate programmatically
From: dot (Stephane)
Date: Mon, 26 Jan 2004 14:01:08 -0800
Thanks again Krish
If I understand well, taking the smartcard example:
- when an admin requests the certificate the first time for a user, he has to create a PKCS10 request containing the cert template, and sign it by the enrollment agent to get a PKCS7 request (what I developed),
- when the user certificate is about to expire, he can create a PKCS10 request containing the same cert template, and sign it using his current certificate to get the PKCS7 request.
Is that correct?
PS: I can't use the xenroll control as I explained in the previous thread...
----- Krish Shenoy[MSFT] wrote: -----
A renewal request is a request for a new certificate signed by the old
certificate. It may use the same key or create a new key. The certificate
must be current and valid (not revoked) for a renewal request to be
A renewal request submitted to an Enterprise CA may refer to a template that
allows the caller unconditional enroll access to the template, OR to a
template that allows the caller enroll access to the template only when the
request is signed by an old certificate with the same subject, that was
constructed from the same template.
In the latter case, a registration agent (a human) may be required to obtain
the initial certificate on behalf of the user after verifying the user's
identity in person, but auto-enroll can perform the renewal before the old
certificate expires, without any registration agent or admin involvement.
This is often how corporate smart cards are managed, for example.
You can use the RenewalCertificate property in the xenroll interface to
renew a certificate.
This posting is provided "AS IS" with no warranties, and confers no rights.
"Stephane Vinsot" <stephane (dot) vinsot (at) enatel (dot) com> wrote in
> I managed to request and get some certificates that I put on my smartcard using certificate services controls and APIs.
> What is the difference between certificate request and certificate renewal?
> Should I perform the same operations just keeping the already generated keys, or is there a simplified way of renewing?
> Thanks a lot
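
The renewal request described in the thread above (a new request wrapped in a PKCS7 signed by the old certificate), as an added example that is not part of the original posts and uses certreq.exe rather than the xenroll control or the APIs discussed. The thumbprint and template name are placeholders, the old certificate is assumed to be in the current user's store, and a new software key is generated (a smart card key would also need the card's provider named in the INF).

```powershell
# Added example: placeholders below are not values from the thread.
$thumb    = '<THUMBPRINT-OF-CERT-TO-RENEW>'
$template = '<TEMPLATE-NAME>'

$old = Get-Item "Cert:\CurrentUser\My\$thumb" -ErrorAction Stop

# The old certificate signs the renewal, so its private key must be reachable
# and the certificate must still be inside its validity period.
$now = Get-Date
if (-not $old.HasPrivateKey) { throw 'No private key for the old certificate.' }
if ($now -lt $old.NotBefore -or $now -gt $old.NotAfter) {
    throw "Old certificate is outside its validity period (NotAfter: $($old.NotAfter))."
}
# Basic local chain validation; the CA still makes the final decision on submit.
if (-not $old.Verify()) { throw 'Old certificate failed chain validation.' }

# RenewalCert names the signing (old) certificate; RequestType = PKCS7 asks for
# the inner request to be wrapped in a message signed by that certificate.
$inf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
RenewalCert = $thumb
RequestType = PKCS7
KeyLength = 2048

[RequestAttributes]
CertificateTemplate = $template
"@
Set-Content -Path renew.inf -Value $inf -Encoding ASCII

certreq -new renew.inf renew.p7          # build and sign the renewal request
if ($LASTEXITCODE -ne 0) { throw 'certreq -new failed.' }
certreq -submit renew.p7 renewed.cer     # prompts for the CA when -config is omitted
if ($LASTEXITCODE -ne 0) { throw 'certreq -submit failed.' }
certreq -accept renewed.cer              # bind the issued certificate to the new key
```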