Oh and by the way, there are different rules for private keys held on hardware tokens. The Classic Authentication profile (V4.3) from IGTF says:

"A certificate whose private key is managed in a software-based token should only be re-keyed, not renewed. Certificates associated with a private key restricted solely to a hardware token may be renewed for a period of up to 5 years (for equivalent RSA key lengths of 2048 bits) or 3 years (for equivalent RSA key lengths of 1024 bits). Certifications must not be renewed or re-keyed for more than 5 years without a form of auditable identity and eligibility verification, and this procedure must be described in the CP/CPS."

So, if anyone has host certificates on hardware tokens (perhaps there are none?), in this case it will be necessary to re-key. I imagine the certificate wizard does not cater for hardware tokens (I haven't checked).

Regards
Dave

------------------------------------------------
Dr David Kelsey
Particle Physics Department
Rutherford Appleton Laboratory
Chilton, DIDCOT, OX11 0QX, UK
e-mail: [log in to unmask]
Tel: [+44](0)1235 445746 (direct)
Fax: [+44](0)1235 446733
------------------------------------------------

On 09/04/2014 12:12, "John Kewley" <[log in to unmask]> wrote:

>> -----Original Message-----
>> From: Dave Kelsey [mailto:[log in to unmask]]
>> Sent: Wednesday, April 09, 2014 11:12 AM
>> To: [log in to unmask]
>> Subject: Re: I'll test this out:
>> https://www.gridpp.ac.uk/wiki/Grid_Certificate
>>
>> On the meaning of the word "renewal".
>>
>> According to RFC3647 renewal is defined as follows:
>>
>> "Certificate renewal means the issuance of a new certificate to the
>> subscriber without changing the subscriber or other participant's
>> public key or any other information in the Certificate."
>>
>> I should add that renewal does change the valid to/from dates and the
>> serial number.
>
> As I understood it a Renew MUST change the serial number, but doesn't
> need to change the dates.
> For instance - re-signing with a different CA Cert, or with a
> different hash algorithm.
> Is this correct or would it need to rekey for that?
>
>> When the UK cert wizard says "renew" it should really say "rekey".
>
> Agreed - "careless talk costs lives" and "we" often carelessly use
> the words Renew when we mean Rekey
>
> Having said that *most* of the time, *most* of our users don't need to
> worry about the distinction so it keeps things simpler in general (but
> not in this case)
>
> Cheers
>
> JK
> --
> Scanned by iCritical.
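A way to check the renew-versus-rekey distinction the thread is discussing, as an added example that is not part of the original mail and not code from the UK certificate wizard or IGTF: a POSIX shell script using only the openssl CLI that compares an old and a new certificate and reports whether the new one is a renewal (same subject public key, new serial number) or a re-key (new key pair) in the RFC 3647 sense. The key pairs, certificates, DN and serial numbers it generates for the demo are constructed and carry no meaning beyond the example.

```shell
#!/bin/sh
# Added example (not from the thread): classify a reissued certificate as a
# "renewal" or a "re-key" in the RFC 3647 sense, using the openssl CLI.
set -eu

# SHA-256 of the SubjectPublicKeyInfo: the field RFC 3647 says a renewal keeps.
spki_fp() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

serial_of() {
    openssl x509 -in "$1" -noout -serial | cut -d= -f2
}

# classify OLD NEW -> prints "renewal", "rekey" or "invalid"
classify() {
    old=$1; new=$2
    old_subj=$(openssl x509 -in "$old" -noout -subject)
    new_subj=$(openssl x509 -in "$new" -noout -subject)
    if [ "$old_subj" != "$new_subj" ]; then
        echo invalid    # different subject: not a reissue of this certificate at all
        return 0
    fi
    if [ "$(serial_of "$old")" = "$(serial_of "$new")" ]; then
        echo invalid    # a reissue always needs a fresh serial (unique per issuer)
        return 0
    fi
    if [ "$(spki_fp "$old")" = "$(spki_fp "$new")" ]; then
        echo renewal    # same public key, new serial/validity: RFC 3647 "renewal"
    else
        echo rekey      # new key pair: RFC 3647 "re-key"
    fi
}

# Build a constructed test set in a temp directory and print its path.
# (Self-signed for simplicity; a CA-signed chain would be compared the same way.)
make_demo() {
    dir=$(mktemp -d)
    subj="/C=UK/O=eScience/OU=Host/CN=host.example.org"   # placeholder DN
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/k1.pem" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/k2.pem" 2>/dev/null
    # c1: the original certificate
    openssl req -x509 -new -key "$dir/k1.pem" -subj "$subj" -days 365 \
        -set_serial 1001 -out "$dir/c1.pem" 2>/dev/null
    # c2: renewal of c1 (same key pair, new serial, new validity period)
    openssl req -x509 -new -key "$dir/k1.pem" -subj "$subj" -days 365 \
        -set_serial 1002 -out "$dir/c2.pem" 2>/dev/null
    # c3: re-key of c1 (new key pair, new serial)
    openssl req -x509 -new -key "$dir/k2.pem" -subj "$subj" -days 365 \
        -set_serial 1003 -out "$dir/c3.pem" 2>/dev/null
    echo "$dir"
}

# Stand-alone demo: sh check_reissue.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo=$(make_demo)
    echo "c1 -> c2: $(classify "$demo/c1.pem" "$demo/c2.pem")"   # renewal
    echo "c1 -> c3: $(classify "$demo/c1.pem" "$demo/c3.pem")"   # rekey
    rm -rf "$demo"
fi
```

In practice you would point `classify` at the certificate currently installed and the one the CA returned; a result of "renewal" means the private key was not replaced, which under the IGTF profile quoted above is only acceptable when that key lives solely on a hardware token, so a software-token host certificate that classifies as "renewal" is the case the thread says should have been a re-key. The script compares the SubjectPublicKeyInfo rather than the whole certificate, so a reissue under a different CA certificate or signature hash (John's question) still classifies as a renewal as long as the key is unchanged.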