The REKEY/ROLLOVER subcommands can be used to extend the expiration date of a certificate however that is not the intended use of these subcommands. The REKEY subcommand is intended to be used to generate a new public/private key pair for an existing certificate. There are other procedures that are recommended for renewing certificates that are about to expire.
Certificates that are expired or about to be expired can be renewed with a new expiration date. There are different procedures that can be followed to replace an expiring or expired digital certificate. To renew a certificate, either a new certificate with a new public/private key pair can be generated or the expiring certificate can be replaced/renewed with the same public/private key pair with a new expiration date.
There are different procedures that can be followed to replace an expiring or expired digital certificate depending on whether the certificate signed by a local CA (Certificate Authority) or third party CA (Certificate Authority). These procedures would replace the existing certificate with a new expiration date retaining the public/private key pair of the certificate. Two example procedures for renewing certificates are available in the following knowledge documents.
ID: TEC448063 How can an expiring or expired user digital certificate signed by a third party CA (Certificate Authority) be renewed?
ID: TEC448065 How can an expiring or expired user digital certificate signed by a local CA (Certificate Authority) be renewed?
Because the REKEY/ROLLOVER subcommands create a new certificate from an existing certificate with a new public/private key pair, sites should be cautious because of the following.
- All certificates that were signed by the CERTAUTH or SITECERT renewed certificate will no longer be valid and will need to be re-signed.
- Data that was encrypted by the certificate prior to the renewal cannot be decrypted by the renewed certificate.
Details on ACF2 Digital Certificates ACF Subcommands including RENEW, REKEY and ROLLOVER can be found in the CA-ACF2 documentation in section "Process Digital Certificates with CA ACF2".