Public Key Infrastructure • Chapter 10  591

Renewal

Assuming your certificate makes it through the entire period of time it is valid without the need for revocation, you will need to renew it. The good news is that, just like at the DMV, you do not have to prove your identity again to get a new certificate. As long as the certificate is in good standing, and you are renewing the certificate with the same CA, you can use the old key to sign the request for the renewed certificate. The reason behind this is that since the CA trusts you based on your current credentials, there is no reason why it should not trust your request for a renewed certificate. There is a second method of renewal, called key update, where a new key is created by modifying the existing key. The key renewal process that is used will depend on the user and most likely the requirements of the CA.

The renewal process also applies to a CA's key pair. Eventually, a CA will need to renew its own set of keys. Again, a CA can use its old key to sign the new key. As discussed earlier, a root CA signs its own keys. Since end users (and subordinate CAs) use the root CA's keys to validate the responses from the CA, there must be a procedure in place to notify end users that the CA's key is up for renewal. The CA renewal process is performed by creating three new certificates:

1. The CA creates another self-signed certificate. This time, the CA signs the new public key using the old private key that is about to retire. This allows relying parties to trust the new key on the basis that it is signed by the old key.

2. Next, the CA server signs the old public keys with the new private key. This is done so that there is an overlap between when the new key comes online and when the old key expires; users who trust the new key will also trust certificates issued under the old key.

3. Finally, the new public key is signed with the new private key. This will be the new key that will be used after the old key expires.

The reason for this process is twofold. First, since a CA verifies the credentials of other parties, there has to be a degree of difficulty to renewing the CA's own certificate. Second, creating all of these keys makes the changeover from old keys to new keys transparent to the end user.
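The three-certificate rollover from steps 1 to 3, as an added Python example that is not from the book; it uses the third-party cryptography package, and the CA and host names are constructed placeholders. The relying-party checks show that a party holding only the old root can reach the new key through the step 1 certificate, and a party holding only the new root can still validate certificates issued under the old key through the step 2 certificate.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example Root CA")])  # constructed
EE_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "host.example.test")])  # constructed

def issue(subject_pub, signer_priv, subject=CA_NAME, issuer=CA_NAME, days=365):
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(issuer).public_key(subject_pub)
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=days))
            .sign(signer_priv, hashes.SHA256()))

def signed_by(cert, pub):
    """Relying-party check on the signature only (no date or name-chaining checks)."""
    try:
        pub.verify(cert.signature, cert.tbs_certificate_bytes,
                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

def rollover(old_priv):
    """Create the new CA key and the three certificates from steps 1-3 in the text."""
    new_priv = ec.generate_private_key(ec.SECP256R1())
    return new_priv, {
        "new_with_old": issue(new_priv.public_key(), old_priv),  # step 1: new key signed by old key
        "old_with_new": issue(old_priv.public_key(), new_priv),  # step 2: old key signed by new key
        "new_with_new": issue(new_priv.public_key(), new_priv),  # step 3: new self-signed root
    }

def demo():
    old_priv = ec.generate_private_key(ec.SECP256R1())
    old_root = issue(old_priv.public_key(), old_priv)  # root trusted before the rollover
    ee_cert = issue(ec.generate_private_key(ec.SECP256R1()).public_key(),
                    old_priv, subject=EE_NAME)  # end-entity cert issued under the old key
    new_priv, link = rollover(old_priv)
    return {
        # A party that trusts only the old root accepts the new key via step 1.
        "old_trusts_new": signed_by(link["new_with_old"], old_root.public_key()),
        # A party that trusts only the new root still accepts old-issued certs via step 2.
        "new_trusts_old_issued": signed_by(link["old_with_new"], new_priv.public_key())
        and signed_by(ee_cert, link["old_with_new"].public_key()),
        # Without step 1's certificate the old root says nothing about the new root.
        "old_verifies_new_root_directly": signed_by(link["new_with_new"], old_root.public_key()),
    }
```

A production validator would also check validity periods, name chaining and revocation; `signed_by` is reduced to the signature check so the role of each link certificate stands out.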
                                                                              www.syngress.com