Difference between renewing and re-creating an X.509v3 public key certificate

  • 7011292
  • 01-Nov-2012
  • 01-Nov-2012


NetIQ Access Manager 3.2

Additional Information

Certificate renew:

means taking the old / original Certificate Signing Request (CSR) and passing it to the Certificate Authority (CA) again, so that the CA issues a new certificate for the exact same RSA key pair that was generated when the original CSR was created. This extends the lifetime of the key pair, which lowers security: the longer a key pair stays in use and the more often it is used, the greater the exposure of the private key. A "renewed" certificate is nevertheless a completely new certificate (new serial number, new validity period, new hash / signature ...); only the subject information and the public key are carried over from the old one.

Create a new certificate:

also creates a new key pair. You can use the exact same information as in the old / original Certificate Signing Request (subject name ...). A server service using the certificate has to be restarted in both cases. If the root certificate chain did not change, there is no difference for the consuming / client service: as long as the root certificates it trusts are still the same, it accepts a renewed certificate and a newly created one alike. A root chain change can happen in both cases as well (renew and create new certificate).

You need to check which root certificates the new / renewed certificate chains to and make sure they are copied to the required trusted root store(s) of every consuming service.
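As an added illustration (not part of the original TID and not NetIQ code), the following Go program models both operations against a small self-signed CA: the same CSR is submitted twice ("renew"), a CSR built from a fresh key pair is submitted once ("create new"), and the resulting certificates are compared by SubjectPublicKeyInfo fingerprint and serial number. It then issues the same CSR under a second, different root to show the trusted-root-store problem described above. Host names and CA names are made up; ECDSA P-256 stands in for the RSA key pair mentioned in the article purely to keep the example fast, and the renew / re-create logic is identical for RSA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"log"
	"math/big"
	"time"
)

// newKey generates a server key pair (ECDSA P-256 here; the article's scenario uses RSA).
func newKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// newSerial draws a fresh random serial number, as a CA does on every issuance.
func newSerial() (*big.Int, error) {
	return rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
}

// buildRoot creates a self-signed root CA (the name is an assumption for this example).
func buildRoot(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := newKey()
	if err != nil {
		return nil, nil, err
	}
	serial, err := newSerial()
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// makeCSR builds the request a server hands to its CA: subject plus public key, signed with the private key.
func makeCSR(key *ecdsa.PrivateKey, host string) (*x509.CertificateRequest, error) {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: host}, DNSNames: []string{host}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificateRequest(der)
}

// issue signs a leaf certificate from a CSR. Subject and public key are copied from the CSR;
// serial number, validity period and signature are new on every call. "Renew" feeds the old
// CSR in here, "create new" feeds a CSR made with a fresh key pair.
func issue(root *x509.Certificate, rootKey *ecdsa.PrivateKey, csr *x509.CertificateRequest, days int) (*x509.Certificate, error) {
	serial, err := newSerial()
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      csr.Subject,
		DNSNames:     csr.DNSNames,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(0, 0, days),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, root, csr.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// spkiFingerprint hashes the SubjectPublicKeyInfo: equal fingerprints mean the same key pair,
// whatever the serial number, validity period or signature of the certificate.
func spkiFingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// trustedBy reports whether the leaf chains to one of the given roots, i.e. whether a client
// whose trusted root store holds exactly these roots would accept the certificate.
func trustedBy(leaf *x509.Certificate, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: leaf.DNSNames[0]})
	return err == nil
}

func main() {
	root, rootKey, err := buildRoot("Example Root CA")
	if err != nil {
		log.Fatal(err)
	}
	serverKey, _ := newKey()
	csr, _ := makeCSR(serverKey, "idp.example.com")
	original, _ := issue(root, rootKey, csr, 365)
	renewed, _ := issue(root, rootKey, csr, 365) // renew: same CSR, same key pair, new serial
	freshKey, _ := newKey()
	freshCSR, _ := makeCSR(freshKey, "idp.example.com")
	recreated, _ := issue(root, rootKey, freshCSR, 365) // create new: same subject, new key pair
	fmt.Printf("original  serial=%x key=%s\n", original.SerialNumber, spkiFingerprint(original)[:16])
	fmt.Printf("renewed   serial=%x key=%s\n", renewed.SerialNumber, spkiFingerprint(renewed)[:16])
	fmt.Printf("recreated serial=%x key=%s\n", recreated.SerialNumber, spkiFingerprint(recreated)[:16])
	// Root chain change: the same CSR signed by a new root is rejected by clients holding only the old root.
	root2, root2Key, _ := buildRoot("Example Root CA G2")
	reissued, _ := issue(root2, root2Key, csr, 365)
	fmt.Println("trusted with old root only:", trustedBy(reissued, root))
	fmt.Println("trusted after adding new root:", trustedBy(reissued, root, root2))
}
```

On real certificate files the same key-pair check is `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256`: identical digests for the old and the new certificate mean the key pair was kept (a renewal), different digests mean a new key pair. The root store check corresponds to `openssl verify -CAfile trusted-roots.pem cert.pem` run with the root bundle the consuming service actually uses.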