Using CA Certificate Renewal

  • Article

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

When a CA has issued and supports a large number of certificates, the quality of service and user satisfaction can decline. However, enrollment and renewal are relatively infrequent activities that can be anticipated and therefore planned for well in advance. Many organizations fail to plan for certificate renewal because this activity does not occur until some point well into the future.

When the certificate of a CA expires, the CA can no longer provide certificate services. To provide uninterrupted certificate services, use the Certificates console to renew the CA certificate before its expiration date. The interval that is required for CA renewal depends on the certificate lifetime of the CA.

After you renew a CA, the CA continues to issue certificates by using the new CA certificate, and the cycle starts over. Unexpired certificates that were issued by the pre-renewal CA continue to be trusted until they expire or are revoked.

You can use the standard enrollment and renewal methods that are available in Windows Server 2003 to renew your CAs and certificates. You can renew certificates with the same private key and public key set or with new private and public keys. However, if you have special needs, you can develop custom certificate enrollment and renewal applications for CAs.

Caution

  • Do not renew certificates with the same private and public key sets if the renewal period exceeds the maximum safe key lifetime. The safe key lifetime is based on your choice of key lengths. Longer keys allow for longer safe key lifetimes.

The Windows Server 2003 Certificate Services Entry module supports industry-standard certificate requests by using remote procedure call (RPC) requests or HTTP requests. You can develop custom applications that make certificate requests to Certificate Services CAs.