Renew a Public Key Certificate

Public key certificates have a limited lifespan. If a public key certificate has expired or is about to expire, it should be renewed or deleted. Renewing a public key certificate does not affect the key pair. It simply results in the creation of a new public key certificate with the same public key. This new public key certificate can be signed either by the NDS* tree CA or by the same or a different external CA.

A public key certificate should not be renewed if the public key size is too small for the desired security application or if you suspect that the private key has been compromised. Instead, the Key Material object for the service should be deleted and replaced by a new Key Material object with a new key pair. For liability reasons, some external CAs may prohibit the renewal of public key certificates without also renewing the key pair.

In addition, if the distinguished name or attributes of the subject change, there may be legal differences in the way a digital signature is viewed. For example, in a community property state, renewing a public key certificate to include a woman's married name without changing the key pair could expose her husband to liability for previously signed documents. Likewise, changing the state or locality in a public key certificate might cause the legality of a signature to be evaluated against the laws of two different jurisdictions.

For these reasons, you should not renew a public key certificate without changing the key pair.

Renew a Public Key Certificate Signed by the NDS Tree CA

1. Start NetWare* Administrator.

2. Double-click the Key Material object that contains the public key certificate you want to renew.

3. Click the Public Key Certificate page.

4. Click Renew.

You are prompted to indicate whether you want to renew the public key certificate using the Tree CA or an external CA.

5. Choose the Tree CA option.

You are prompted to indicate whether you want to create a new public key certificate using the Standard or Custom option.

6. Choose the Standard option.

7. Click Finish.

A dialog box informs you that this change will make irreversible changes to the Key Material object and asks you if you want to continue.

8. Choose Yes.

The Public Key Certificate page displays the distinguished name of the subject and issuer and the validity period of the new public key certificate.

For more information about the new public key certificate, click Details.

Renew a Public Key Certificate Signed by an External CA

1. Start NetWare Administrator.

2. Double-click the Key Material object that contains the public key certificate you want to renew.

3. Click the Public Key Certificate page.

4. Click Renew.

You are prompted to indicate whether you want to renew the public key certificate using the Tree CA or an external CA.

5. Choose the External CA option.

You are prompted to indicate whether you already have the new public key certificate from the external CA.

6. Choose No.

You are prompted to indicate whether you want to create a new public key certificate using the Standard or Custom option.

7. Choose the Standard option.

8. Click Finish.

A dialog box informs you that this change will make irreversible changes to the Key Material object and asks you if you want to continue.

9. Choose Yes.

A dialog box displays the certificate signing request (CSR).

10. Indicate whether you want the CSR saved to the clipboard or to a file by clicking the appropriate option. If you choose the File option, type in a filename or browse for the file in which to save the CSR.

11. Click Save.

12. Click OK.

The Public Key Certificate page displays the distinguished name of the subject and issuer and the validity period of the previous public key certificate. This public key certificate will remain in the Key Material object until the new public key certificate is imported.

13. Submit the CSR to the CA.

14. When the public key certificate has been returned by the CA, obtain the CA's public key certificate.

15. Go to the same Key Material object and click the Trusted Root tab.

16. Click Replace.

A warning appears informing you that installing a new trusted root certificate will delete the current public key certificate in the object.

17. Click OK.

A dialog box asks for the trusted root certificate.

18. Copy the CA's public key certificate into the clipboard and paste it into the edit box, or choose the File option and indicate the filename in which the CA's public key certificate was saved.

19. Click Add.

A dialog box informs you that this change will make irreversible changes to the Key Material object and asks if you want to continue.

20. Click Yes.

The Trusted Root page displays the distinguished name of the subject and issuer and the validity period of the CA's public key certificate.

21. Click the Public Key Certificate page.

22. Click Import.

23. Copy the new public key certificate into the clipboard and paste it into the edit box, or choose the File option and indicate the filename in which the new public key certificate was saved.

24. Click Add.

A dialog box informs you that this change will make irreversible changes to the Key Material object and asks you if you want to continue.

25. Click Yes.

The Public Key Certificate page displays the distinguished name of the subject and issuer and the validity period of the new public key certificate.

For more information about the new public key certificate, click Details.
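
Because replacing the trusted root (step 16) deletes the current public key certificate, the files returned by the external CA can be checked outside NetWare Administrator first. The following is an added example, not part of the original documentation: it uses the OpenSSL command line to confirm that a renewed certificate carries the same public key as the one it replaces, chains to the CA's certificate, and has not expired. The function names, file names, and subjects are constructed for the demo, and PEM-encoded files are assumed.

```sh
#!/bin/sh
# Added example (not Novell code). File and subject names are constructed.

# Print the SHA-256 of the DER-encoded public key in a certificate or CSR.
pubkey_fp() {  # usage: pubkey_fp FILE cert|csr
    case "$2" in
        cert) pem=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) ;;
        csr)  pem=$(openssl req  -in "$1" -noout -pubkey 2>/dev/null) ;;
        *)    return 2 ;;
    esac || return 1
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}

# 0 = safe to import; 1 = public key differs; 2 = does not chain to CA_CERT;
# 3 = already expired; 4 = a file could not be parsed.
check_renewal() {  # usage: check_renewal OLD_CERT NEW_CERT CA_CERT
    old=$(pubkey_fp "$1" cert) || return 4
    new=$(pubkey_fp "$2" cert) || return 4
    [ "$old" = "$new" ] || return 1
    openssl verify -CAfile "$3" "$2" >/dev/null 2>&1 || return 2
    openssl x509 -in "$2" -noout -checkend 0 >/dev/null 2>&1 || return 3
    return 0
}

# Build constructed demo material in DIR: a CA, the expiring certificate, the
# CSR and renewed certificate for the same key, and one issued for a new key.
make_demo() (
    cd "$1" || exit 1
    exec 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
        -subj "/O=Example/CN=Demo External CA" -days 30
    openssl req -new -newkey rsa:2048 -nodes -keyout svc.key -out svc.csr \
        -subj "/O=Example/CN=svc.example.test"
    openssl req -new -newkey rsa:2048 -nodes -keyout other.key -out other.csr \
        -subj "/O=Example/CN=svc.example.test"
    for c in old new; do
        openssl x509 -req -in svc.csr -CA ca.pem -CAkey ca.key \
            -CAcreateserial -out "$c.pem" -days 30 || exit 1
    done
    openssl x509 -req -in other.csr -CA ca.pem -CAkey ca.key \
        -CAcreateserial -out rekeyed.pem -days 30
)

demo=$(mktemp -d) && make_demo "$demo" >/dev/null
check_renewal "$demo/old.pem" "$demo/new.pem" "$demo/ca.pem"; echo "renewed: $?"
check_renewal "$demo/old.pem" "$demo/rekeyed.pem" "$demo/ca.pem"; echo "rekeyed: $?"
rm -rf "$demo"
```

A result of 1 means the CA issued the certificate for a different key than the one held in the Key Material object, so importing it would not be a renewal of the existing key pair.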
