Renew a Certificate with a New Key

Applies To: Windows Server 2008

Renewing a certificate with a new key generates a new key pair for an existing certificate while keeping its subject, template, and associated data. When you choose a longer key length during renewal, it also strengthens the key bound to the certificate. This is preferable to requesting a brand-new certificate when a new identity would cause disruption and the existing certificate and its private key have not been compromised. If you suspect the private key has been compromised, revoke the certificate at the CA and request a new one instead; renewal alone does not revoke the old certificate.

Membership in Users or local Administrators is the minimum required to complete this procedure. Review the details in "Additional considerations" in this topic.

To renew a certificate with a new key

  1. Open the Certificates snap-in for a user, computer, or service.

  2. Confirm that you are in Logical Stores View.

  3. In the console tree, expand the Personal store, and then click Certificates.

  4. In the details pane, click the certificate you are renewing.

  5. On the Action menu, point to All Tasks, and then click Renew Certificate with New Key to open the Certificate Renewal Wizard.

  6. In the Certificate Renewal Wizard, do one of the following:

    • Use the default values to renew the certificate.

    • (For advanced users only) Click Details, and then click Properties to provide your own certificate renewal settings. You need to know the cryptographic service provider (CSP) and the certification authority (CA) that will issue the certificate.

      Select the key length (measured in bits) of the public key associated with the certificate. Choose a length at least as long as the current key; a shorter key weakens the renewed certificate.

      You can also choose to enable strong private key protection. Enabling strong private key protection ensures that you are prompted every time the private key is used. This is useful if you want to make sure that the private key is not used without your knowledge.

  7. When you are ready to request a certificate, click Enroll. After the Certificate Renewal Wizard has successfully finished, click Close.
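The same renewal can be scripted instead of using the wizard. The following is an added example, not part of the original topic: it renews a user certificate with a new key pair using certreq, then verifies that the public key actually changed, that the new key is not shorter than the old one, and that the old certificate was archived. It assumes an elevated PowerShell session on a domain-joined computer that can reach the enterprise CA, that certreq -enroll with the Renew verb is available on the Windows version in use (check this on Windows Server 2008 before relying on it), and that the thumbprint placeholder is replaced with the thumbprint of the certificate to renew.

```powershell
# Added example (not from the original page): renew a user certificate with a NEW key
# pair from PowerShell and verify the result.
# Assumptions: $Thumbprint is a placeholder to be replaced; 'certreq -enroll ... Renew'
# is available on this Windows version; the issuing enterprise CA is reachable.

$Thumbprint = 'PASTE-THUMBPRINT-OF-CERT-TO-RENEW'   # placeholder, not a real value

# 1. Locate the certificate in the user's Personal store and record its key length.
$old = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $old) { throw "Certificate $Thumbprint not found in CurrentUser\My" }
$oldKeyBits = $old.PublicKey.Key.KeySize
"Old cert: Subject={0} NotAfter={1} KeyBits={2}" -f $old.Subject, $old.NotAfter, $oldKeyBits

# 2. Renew with a new key pair. 'ReuseKeys' is deliberately omitted: adding it would
#    keep the existing private key, which defeats the point of this procedure.
certreq -enroll -user -cert $Thumbprint Renew
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# 3. Find the renewed certificate: same subject, different thumbprint, latest expiry.
$new = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq $old.Subject -and $_.Thumbprint -ne $old.Thumbprint } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $new) { throw "Renewed certificate not found in CurrentUser\My" }

# 4. Checks a practitioner wants: the key really changed and it did not get weaker.
if ($new.GetPublicKeyString() -eq $old.GetPublicKeyString()) {
    throw "Renewal reused the old public key; expected a new key pair"
}
if ($new.PublicKey.Key.KeySize -lt $oldKeyBits) {
    throw "New key ($($new.PublicKey.Key.KeySize) bits) is shorter than the old one ($oldKeyBits bits)"
}
"New cert: Thumbprint={0} NotAfter={1} KeyBits={2}" -f $new.Thumbprint, $new.NotAfter, $new.PublicKey.Key.KeySize

# 5. Confirm the old certificate was archived. The Cert: drive hides archived entries,
#    so open the store through .NET with the IncludeArchived flag.
$flags = [System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly -bor
         [System.Security.Cryptography.X509Certificates.OpenFlags]::IncludeArchived
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'CurrentUser')
$store.Open($flags)
$archivedOld = $store.Certificates | Where-Object { $_.Thumbprint -eq $old.Thumbprint -and $_.Archived }
$store.Close()
if ($archivedOld) { "Old certificate $($old.Thumbprint) is archived as expected" }
else { Write-Warning "Old certificate is not marked archived; inspect the store manually" }
```

For a computer certificate, run the script from an elevated prompt, replace `-user` with `-machine` in the certreq call, and use `Cert:\LocalMachine\My` and `'LocalMachine'` for the store. Step 5 only confirms that the old certificate is hidden from normal listings; it does not revoke it, so a compromised old key still needs revocation at the CA.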

Additional considerations

  • User certificates can be managed by the user or by an administrator. Certificates issued to a computer or service can only be managed by an administrator or user who has been given the appropriate permissions.

  • To open the Certificates snap-in, see Add the Certificates Snap-in to an MMC.

  • Once renewed, the old certificate and its key pair are marked as archived. Archived certificates are hidden from the default view of the Certificates snap-in but are not deleted and are not revoked; the old certificate remains valid until it expires or is revoked at the CA.

  • You can use this procedure to request certificates from an enterprise CA only. To request certificates from a stand-alone CA, you need to submit the request through the CA Web enrollment pages. A Windows CA has its Web pages located at https://servername/Certsrv, where servername is the name of the server that hosts the CA.