About Renewal; Dual-Key Pairs - Netscape MANAGEMENT SYSTEM 6.1 - ADMINISTRATOR Administrator's Manual

Dual-Key Pairs

About Renewal

When an end entity requests a certificate renewal, the end entity presents its
current certificate. The certificate itself is used to authenticate the user. The process
for renewal is automatic; if the certificate is presented a new certificate is issued.
There is no agent intervention in this process. You cannot customize the renewal
process.
In order to renew, the following must be true:
• The certificate being renewed was issued by the Certificate Manager to which
the request is being made. If the request is being made to a Registration
Manager, the Certificate Manager that processes the requests for this
Registration Manager must be the same Certificate Manager that issued the
original certificate.
• The certificate being presented by the end user for renewal must be currently
valid or must have expired; it cannot have been revoked.
• The validity period of a renewed certificate is determined by the policy rule
RenewalValidityConstraints
501. If the renewal lead time does not permit renewing, the server rejects the
renewal request. Also, if the policy is disabled, renewal of certificates fails.
• If the certificate being presented by the end user has already been renewed, the
server displays the URL for downloading the certificate.
This situation may occur if the end user forgets to download the renewed
certificate. It can also happen if the end user maintains two identical certificate
databases on two machines, renews the certificate from one machine, and then
tries to renew the same certificate from the other machine.
You can set up the
the end entity at preconfigured intervals before the expiration of their current
certificate. See Chapter 13, "Automated Jobs" for details.
Dual-Key Pairs
Dual key pairs are a set of two private and public keys where one set is used for
signing and one for encryption. CMS supports dual key-pairs allowing you to
create them during enrollment, and allowing you to create two certificates, one for
the signing key, and one for the encryption key. The dual key-pairs feature is only
supported in CMS when using Netscape 7, or older versions of Netscape that work
with Personal Security Manager.
386 Netscape Certificate Management System Administrator's Guide • February 2003
, see "RenewalValidityConstraints," on page
RenewalNotification
job which sends email notifications to