Re: Renew client certificate

From: Stephane Grobety (
Date: 03/01/04

Date: Mon, 01 Mar 2004 09:05:57 -0800

> If one of the users formats his computer and loses his certificate,
> how do I get him a new certificate?

Short answer: If you haven't done a backup of the key, you need to
re-issue a new certificate and key pair.

Long answer:
Certificates are made of 4 parts: The cert itself (details about who
owns the cert, what it can be used for, its period of validity, etc.),
the public key linked to that certificate (used for verifying
signatures and establishing session keys) and a private key (used for
signing data and establishing session keys), and, finally, a digital
signature, done by the CA, to authenticate all that data (it signs
everything but the private key).

Of all that data, only the key is really "private". Everything else can
be retrieved from any other place. This means that if all you need to
do is verify data signed with the "dead" cert, you can use any copy of
the public data (it's usually included with signed EMails, for
instance). But for signing data or establishing a TLS session using
client certificate validation, you need to have the private key. You
can preventively back up this key using the certificate manager and save
it in a safe place but there is no known way of recovering a lost
private key short of brute force.

> Is the normal way to do this, to create a new certificate, or is
> there some way of reissuing their old certificate?

You can't re-issue a certificate. If you lose a certificate (for any
reason), you must first revoke the old certificate and then create a
new one with the same data but a different serial number, validity
date, etc.

Good luck,
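The revoke-then-reissue procedure described in the reply, as an added Go example that is not part of the original thread. It uses Go's standard crypto/x509 package with a throwaway Ed25519 root CA; the CA name "Example CA", the user name "alice" and the serial numbers are constructed for illustration, not taken from the thread.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue makes a fresh key pair and a client certificate for cn; with ca == nil it makes a self-signed root CA.
func issue(cn string, serial int64, ca *x509.Certificate, caKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	parent := ca
	if ca == nil { // a root must carry the CA bits so it may sign certificates and CRLs
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		parent, caKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, caKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// ReplaceLostCert revokes the old serial in a CA-signed CRL, then issues a new certificate with the same subject.
func ReplaceLostCert() (ca, old, renewed *x509.Certificate, crl *x509.RevocationList) {
	ca, caKey := issue("Example CA", 1, nil, nil)
	old, _ = issue("alice", 2, ca, caKey) // the discarded private key stands in for the one that was lost
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: time.Now(), NextUpdate: time.Now().Add(24 * time.Hour), RevokedCertificates: []pkix.RevokedCertificate{
			{SerialNumber: old.SerialNumber, RevocationTime: time.Now()}}}, ca, caKey)
	must(err)
	crl, err = x509.ParseRevocationList(crlDER) // relying parties consult this list, not the old certificate
	must(err)
	renewed, _ = issue("alice", 3, ca, caKey) // same subject data, but a new serial number and key pair
	return ca, old, renewed, crl
}
```

The old certificate's public data stays valid for verifying signatures made before the loss; only the CRL entry tells relying parties to stop accepting it for new sessions.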

