Every certificate has a validity period. After the end of the validity period, the certificate is no longer considered an acceptable or usable credential. The Certificates snap-in enables you to renew a certificate issued from a Windows enterprise certification authority (CA) before or after the end of its validity period by using the Certificate Renewal Wizard.

You can either renew the certificate with the same key set that you used before, or you can renew a certificate with a new key set. This decision can be based on a number of factors, including the lifetime of the certificate, the length of the existing or future key, the value of the data protected by the key pair, and the possibility that a private key has been obtained by a malicious user.

Before you renew a certificate, you need to know:

  • The issuing CA.

  • (Optional) If you want a new public key and private key pair for the certificate, the cryptographic service provider (CSP) that should be used to generate the key pair.

Windows provides an expiration notification to let you know that specific user or computer certificates have expired or are about to expire. In most cases, autoenrollment will automatically renew these certificates the next time you are connected to the network and log on to the computer.
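The following PowerShell script is an added example, not part of the original topic. It lists each certificate in a store with its issuing CA, days remaining and RSA key length, the details to have on hand when choosing between the same key set and a new one. The parameter names, the 30-day window and the 2048-bit threshold are assumptions chosen for illustration.

```powershell
# Added example: inventory a certificate store before renewal.
# Thresholds are illustrative assumptions; set them to match your own policy.
param(
    [string]$StorePath  = 'Cert:\CurrentUser\My',  # Cert:\LocalMachine\My for computer certificates
    [int]   $WarnDays   = 30,                      # assumed "about to expire" window
    [int]   $MinRsaBits = 2048                     # assumed minimum acceptable RSA key length
)

$now = Get-Date

Get-ChildItem -Path $StorePath | ForEach-Object {
    $cert = $_

    # GetRSAPublicKey returns $null for non-RSA certificates (for example ECDSA).
    $rsa     = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    $keyBits = if ($rsa) { $rsa.KeySize } else { $null }

    $daysLeft = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)
    $status   = if     ($daysLeft -lt 0)          { 'Expired'  }
                elseif ($daysLeft -le $WarnDays)  { 'Expiring' }
                else                              { 'Valid'    }

    # A short key is one of the factors that favors renewing with a new key set.
    $keyNote = if ($rsa -and $keyBits -lt $MinRsaBits) { 'Short key: renew with a new key set' }
               elseif (-not $cert.HasPrivateKey)       { 'No private key in this store' }
               else                                    { 'Same or new key set' }

    [pscustomobject]@{
        Subject      = $cert.Subject
        IssuingCA    = $cert.Issuer
        NotAfter     = $cert.NotAfter
        DaysLeft     = $daysLeft
        Status       = $status
        KeyAlgorithm = $cert.PublicKey.Oid.FriendlyName
        RsaKeyBits   = $keyBits
        KeyNote      = $keyNote
        Thumbprint   = $cert.Thumbprint
    }
} | Sort-Object DaysLeft
```

Reading `Cert:\LocalMachine\My` works for any user, but renewing the computer certificates listed there requires administrator rights or delegated permissions.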

The following topics contain procedures to use for renewing certificates:

In addition, you can renew certificates issued from both Windows enterprise CAs and Windows stand-alone CAs with the CA Web enrollment pages by pasting the contents of a PKCS #7 file. For more information, see the following topic:

Additional considerations

  • User certificates can be managed by the user or by an administrator. Certificates issued to a computer or service can be managed only by an administrator or a user who has been given the appropriate permissions.