Public key certificates have a limited lifespan. If a public key certificate has expired or is about to expire, it should be renewed or deleted. Renewing a public key certificate does not affect the key pair. It simply results in the creation of a new public key certificate with the same public key. This new public key certificate can be signed either by the NDS* tree CA or by the same or a different external CA.
A public key certificate should not be renewed if the public key size is too small for the desired security application or if you suspect that the private key has been compromised. Instead, the Key Material object for the service should be deleted and replaced by a new Key Material object with a new key pair. For liability reasons, some external CAs may prohibit the renewal of public key certificates without also renewing the key pair.
In addition, if the distinguished name or attributes of the subject change, there may be legal differences in the way a digital signature is viewed. For example, in a community property state, renewing a public key certificate to include a woman's married name without changing the key pair could expose her husband to liability for previously signed documents. Likewise, changing the state or locality in a public key certificate might cause the legality of a signature to be evaluated against the laws of two different jurisdictions.
In any of these situations, you should not renew the public key certificate without changing the key pair.
Renew a Public Key Certificate Signed by the NDS Tree CA
1. Start NetWare* Administrator.
2. Double-click the Key Material object that contains the public key certificate you want to renew.
3. Click the Public Key Certificate page.
4. Click Renew.
You are prompted to indicate whether you want to renew the public key certificate using the Tree CA or an external CA.
5. Choose the Tree CA option.
You are prompted to indicate whether you want to create a new public key certificate using the Standard or Custom option.
6. Choose the Standard option.
7. Click Finish.
A dialog box informs you that this change will make irreversible changes to the Key Material object and asks you if you want to continue.
8. Choose Yes.
The Public Key Certificate page displays the distinguished name of the subject and issuer and the validity period of the new public key certificate.
For more information about the new public key certificate, click Details.
Renew a Public Key Certificate Signed by an External CA
1. Start NetWare Administrator.
2. Double-click the Key Material object that contains the public key certificate you want to renew.
3. Click the Public Key Certificate page.
4. Click Renew.
You are prompted to indicate whether you want to renew the public key certificate using the Tree CA or an external CA.
5. Choose the External CA option.
You are prompted to indicate whether you already have the new public key certificate from the external CA.
6. Choose No.
You are prompted to indicate whether you want to create a new public key certificate using the Standard or Custom option.
7. Choose the Standard option.
8. Click Finish.
A dialog box informs you that this change will make irreversible changes to the Key Material object and asks you if you want to continue.
9. Choose Yes.
A dialog box displays the certificate signing request (CSR).
10. Indicate whether you want the CSR saved to the clipboard or to a file by clicking the appropriate option. If you choose the File option, type in a filename or browse for the file to save the CSR in.
11. Click Save.
12. Click OK.
The Public Key Certificate page displays the distinguished name of the subject and issuer and the validity period of the previous public key certificate. This public key certificate will remain in the Key Material object until the new public key certificate is imported.
13. Submit the CSR to the CA.
14. When the public key certificate has been returned by the CA, obtain the CA's public key certificate.
15. Go to the same Key Material object and click the Trusted Root tab.
16. Click Replace.
A warning appears informing you that installing a new trusted root certificate will delete the current public key certificate in the object.
17. Click OK.
A dialog box asks for the trusted root certificate.
18. Copy the CA's public key certificate into the clipboard and paste it into the edit box, or choose the File option and indicate the filename in which the CA's public key certificate was saved.
19. Click Add.
A dialog box informs you that this change will make irreversible changes to the Key Material object and asks if you want to continue.
20. Click Yes.
The Trusted Root page displays the distinguished name of the subject and issuer and the validity period of the CA's public key certificate.
21. Click the Public Key Certificate page.
22. Click Import.
23. Copy the new public key certificate into the clipboard and paste it into the edit box, or choose the File option and indicate the filename in which the new public key certificate was saved.
24. Click Add.
A dialog box informs you that this change will make irreversible changes to the Key Material object and asks you if you want to continue.
25. Click Yes.
The Public Key Certificate page displays the distinguished name of the subject and issuer and the validity period of the new public key certificate.
For more information about the new public key certificate, click Details.
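The checks below are an added example and are not part of the Novell documentation or of NetWare Administrator. They use the openssl command line to confirm, on a copy of the files, what an administrator would want to know before steps 15 through 24 above replace the trusted root and import the certificate returned by the CA: that the returned certificate carries the same public key as the Key Material object's key pair (renewal does not change the key pair), that it chains to the trusted root about to be installed, that it is inside its validity period, and that the key is not too small to be worth renewing. The demo CA, the key pairs, the subjects and the file names are constructed for the example, and it also constructs the failure cases (a certificate issued for a different key pair, a certificate that is about to expire, and a 1024-bit key). The only real tool assumed is an `openssl` binary on PATH.

```shell
#!/bin/sh
# Added example, not from the Novell page: pre-import checks on a renewed
# certificate using the openssl CLI. All files below are constructed here.

# Print the modulus size in bits of the RSA key in a private key file.
key_bits() {
    openssl pkey -in "$1" -pubout 2>/dev/null \
      | openssl pkey -pubin -text -noout 2>/dev/null \
      | grep -o '([0-9]* bit)' | tr -dc '0-9'
}

# Exit 0 when the certificate ($1) contains the public key of the key file ($2).
# Both commands emit the SubjectPublicKeyInfo as PEM, so a text compare suffices.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Exit 0 when the certificate ($1) verifies against the CA certificate ($2)
# that is about to be installed as the object's trusted root.
cert_chains_to_root() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Exit 0 when the certificate ($1) is valid now and does not expire within
# the next $2 seconds (0 = just "not expired yet").
cert_not_expiring() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# Run every check: cert key cafile minbits. Prints the reason on rejection.
verify_renewed_cert() {
    cert_matches_key "$1" "$2" \
        || { echo "reject: public key differs from the Key Material object's key pair" >&2; return 1; }
    cert_chains_to_root "$1" "$3" \
        || { echo "reject: not signed by the trusted root" >&2; return 1; }
    cert_not_expiring "$1" 0 \
        || { echo "reject: outside its validity period" >&2; return 1; }
    [ "$(key_bits "$2")" -ge "$4" ] 2>/dev/null \
        || { echo "reject: key is smaller than $4 bits; replace the key pair instead" >&2; return 1; }
    echo "ok: $1 can be imported"
}

# Constructed scenario: a demo "external CA", a 2048-bit service key with its
# original (1-day) and renewed (365-day) certificates from the same CSR, a
# certificate issued to a different key pair, and a 1024-bit key with its cert.
# Prints the working directory; the caller removes it.
setup_demo() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.pem" \
        -subj "/O=Demo/CN=Demo External CA" -days 3650 >/dev/null 2>&1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/service.key" 2>/dev/null
    openssl req -new -key "$d/service.key" -subj "/O=Demo/CN=ldap.demo.example" \
        -out "$d/service.csr" 2>/dev/null
    openssl x509 -req -in "$d/service.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/original.pem" 2>/dev/null
    openssl x509 -req -in "$d/service.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 365 -out "$d/renewed.pem" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/other.key" 2>/dev/null
    openssl req -new -key "$d/other.key" -subj "/O=Demo/CN=ldap.demo.example" \
        -out "$d/other.csr" 2>/dev/null
    openssl x509 -req -in "$d/other.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 365 -out "$d/wrongkey.pem" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:1024 -out "$d/small.key" 2>/dev/null
    openssl req -new -key "$d/small.key" -subj "/O=Demo/CN=old.demo.example" \
        -out "$d/small.csr" 2>/dev/null
    openssl x509 -req -in "$d/small.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 365 -out "$d/small.pem" 2>/dev/null
    echo "$d"
}

WORK=$(setup_demo)
echo "renewal kept the key pair:"
cert_matches_key "$WORK/renewed.pem" "$WORK/service.key" && echo "  yes, same public key as original"
echo "original cert expires within 30 days:"
cert_not_expiring "$WORK/original.pem" 2592000 || echo "  yes, renew it"
verify_renewed_cert "$WORK/renewed.pem"  "$WORK/service.key" "$WORK/ca.pem" 2048
verify_renewed_cert "$WORK/wrongkey.pem" "$WORK/service.key" "$WORK/ca.pem" 2048 || true
verify_renewed_cert "$WORK/small.pem"    "$WORK/small.key"   "$WORK/ca.pem" 2048 || true
rm -rf "$WORK"
```

The mismatch case is the one to watch in practice: the CA returns a certificate for whatever public key was in the CSR it received, so a CSR generated from a different Key Material object, or a key pair regenerated between steps 10 and 22, produces a certificate that imports but cannot be used with the private key the object holds. The size check reflects the advice at the top of the page: a key that is too small should not be renewed at all, but replaced along with its Key Material object.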
Related Topics
Understanding Public Key Certificate Expiration