Re: Renew client certificate

From: Stephane Grobety (
Date: 03/01/04

Date: Mon, 01 Mar 2004 09:05:57 -0800

> If one of the users formats his computer and loses his certificate,
> how do I get him a new certificate?

Short answer: If you haven't done a backup of the key, you need to
re-issue a new certificate and key pair.

Long answer:
Certificates are made of 4 parts: The cert itself (details about who
owns the cert, what it can be used for, it's period of validity, etc.),
the public key linked to that certificate (used for verifying
signatures and establishing session keys) and a private key (used for
signing data and establishing session keys), and, finally, a digital
signature, done by the CA, to authentify all that data (it signs
everything but the private key).

Of all that data, only the key is really "private". everything else can
be retreived from any other places. This means that if all you need to
do is verify data signed with the "dead" cert, you can use any copy of
the public data (it's usually included with signed EMails, for
instance). But for signing data or establishing TLS session using
client certificate validation, you need to have the private key. You
can preventively backup this key using the certificate manager and save
it in a safe place but there is no known way if recovering a lost
private key short of brute force.

> Is the normal way to do this, to create a new certificate, or is
> there some way of reissueing their old certificate?

You can't re-issue a certificate. If you loose a certificate (for any
reason), you must first revoke the old certificate and then create a
new one with the same data but a different serial number, validity
date, etc.

Good luck,

Relevant Pages

  • Re: How to exchange certificate ?
    ... certificate store (I own ONLY a public key). ... >contained in a certificate store AND having an associated private key. ... you can test any cert for an associated private key using: ...
  • Re: A question about CryptAcquireCertificatePrivateKey
    ... Windows stores the CSP and private key associated with the certificate in the ... This is, of course, true only when WINDOWS stores the cert. ...
  • Re: IAS System Rights / IAS + Win2003 SP1
    ... and imported into IIS ADMIN. ... get cert from Verisign ... > these steps dont seem to attach the private key, ... > the private key for the certificate does not exist in the certificate ...
  • Re: How does WSE2 search for private key given X509 certificate?
    ... After I deleted the x509 certificate with private key from the cert store, ...
  • Re: SSL errors
    ... > Following the articles suggestions I bound a certificate ... > to the SMTP installation on this server from a MS CA we ... > private key information property attached to it. ... > the CA installed cert did not have that property page ...