Renewing a certificate with a new key allows you to continue using an existing certificate and its associated data, while enhancing the strength of the key associated with the certificate. This can be desirable if using a new certificate would cause disruption and the existing certificate has not been compromised.
Users or local Administrators is the minimum group membership required to complete this procedure. Review the details in "Additional considerations" in this topic.
|To renew a certificate with a new key|
Open the Certificates snap-in for a user, computer, or service.
In the console tree, expand the Personal store, and then click Certificates.
In the details pane, select the certificate that you are renewing.
On the Action menu, point to All Tasks, and then click Renew Certificate with New Key to open the Certificate Renewal Wizard.
In the Certificate Renewal Wizard, do one of the following:
- Use the default values to renew the
- (For advanced users only) Click
Details, and then click Properties to provide your
own certificate renewal settings. You need to know the
cryptographic service provider (CSP) and the certification
authority (CA) issuing the certificate.
You need to select the key length (measured in bits) of the public key associated with the certificate.
You can also choose to enable strong private key protection. Enabling strong private key protection ensures that you are prompted for a password every time the private key is used. This is useful if you want to ensure that the private key is not used without your knowledge.
- Use the default values to renew the certificate.
When you are ready to request a certificate, click Enroll. After the Certificate Renewal Wizard has successfully finished, click Close.
- User certificates can be managed by the user
or by an administrator. Certificates issued to a computer or
service can only be managed by an administrator or user who has
been given the appropriate permissions.
- To open the Certificates snap-in, see
Certificates Snap-in to an MMC.
- Once renewed, the old certificate and key
pair will be archived.
- You can use this procedure to request
certificates from an enterprise CA only. To request certificates
from a stand-alone CA, you need to request certificates by using
Web pages. The Web pages for a Windows-based CA are located at
http://servername/Certsrv, where servername is the
name of the server that hosts the CA.