
Self-Renewal of Soft Client Certificates

It is possible for the holder of a client certificate to renew it themselves via a self-service process in the RA UI. Self-renewal works with PKCS#12 keystore files only (i.e. soft tokens).

Note that the self-renewal uses the latest settings in the end-entity to issue the new client certificate, even if those settings have changed since the last client certificate was issued.

Steps to Renew

Authorizing Renewal

Either of the following conditions must hold true for self-renewal to be allowed:

  • The end-entity must have status NEW, or

  • The end-entity profile must have the “Allow Renewal Before Expiration” option enabled. See the End Entity Profiles Fields page.

Additionally, there are some sanity checks on the profile; see the “Profile Requirements” section.

Also, the user must be authorized to use the RA UI. The user can be an ordinary administrator, or it can be granted access via a role membership with “PublicAccessAuthenticationToken”.

Self-Service Process

The user needs to perform the following steps:

  1. Go to the RA UI and authenticate using the TLS client certificate (i.e. it must be imported into the browser).

  2. Go to the “Renew Client Certificate” page. If the user is an RA Administrator, it will show under the “Logged in as” menu.

  3. The Subject DN and expiration date of the current certificate will be displayed. Note that the Subject DN stored in the EJBCA end entity overrides this value if it has been changed since the certificate was issued. Press “Confirm”.

  4. Enter the desired password. The password will be used for encrypting the PKCS#12 keystore file.

  5. Press the “Renew PKCS#12” button. A new PKCS#12 file will be generated by the CA, and downloaded.

Profile Requirements

The following requirements must be satisfied by the certificate profile:

  • Must be of type “End Entity”

  • Must have Key Usage “Digital Signature”. May have key usages “Non-Repudiation” or “Key Encipherment”. Other Key Usages are not allowed. (Despite the name, “Digital Signature” is used for authentication certificates too; it is not specific to signing certificates.)

  • Must have Extended Key Usage “Client Authentication”. Other Extended Key Usages are allowed.

The following requirements must be satisfied by the end-entity profile:

  • The “Available Token” list must include PKCS12.

Additionally, any attributes in the end entity must conform to the profiles. The attributes of the old certificate will be ignored.
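As an added example (not part of the EJBCA documentation or code base), the following Python script uses the `cryptography` library to check an issued certificate against the certificate-profile requirements above, which is a quick way to verify that existing client certificates are candidates for self-renewal before enabling it. The two sample certificates are constructed inline and self-signed; they stand in for real EJBCA-issued ones.

```python
import datetime
from cryptography import x509
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
# Permitted key usages for self-renewal (cryptography calls Non-Repudiation "content_commitment").
REQUIRED_KU = {"digital_signature"}
OPTIONAL_KU = {"content_commitment", "key_encipherment"}
KU_BITS = ("digital_signature", "content_commitment", "key_encipherment",
           "data_encipherment", "key_agreement", "key_cert_sign", "crl_sign")

def check_self_renewal_profile(cert: x509.Certificate) -> list[str]:
    """Return the requirement violations found; an empty list means the certificate passes."""
    problems = []
    try:
        ku = cert.extensions.get_extension_for_class(x509.KeyUsage).value
        usages = {bit for bit in KU_BITS if getattr(ku, bit)}
        if not REQUIRED_KU <= usages:
            problems.append("missing Key Usage Digital Signature")
        extra = sorted(usages - REQUIRED_KU - OPTIONAL_KU)
        if extra:
            problems.append("disallowed Key Usage(s): " + ", ".join(extra))
    except x509.ExtensionNotFound:
        problems.append("no Key Usage extension")
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        if ExtendedKeyUsageOID.CLIENT_AUTH not in eku:
            problems.append("missing Extended Key Usage Client Authentication")
    except x509.ExtensionNotFound:
        problems.append("no Extended Key Usage extension")
    return problems

def make_test_cert(ku_flags: dict, ekus: list) -> x509.Certificate:
    """Build a constructed, self-signed test certificate (not one issued by EJBCA)."""
    flags = {bit: False for bit in KU_BITS + ("encipher_only", "decipher_only")}
    flags.update(ku_flags)
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "test-user")])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder().subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(x509.KeyUsage(**flags), critical=True)
            .add_extension(x509.ExtendedKeyUsage(ekus), critical=False)
            .sign(key, hashes.SHA256()))
# Constructed samples: one satisfying the requirements, one violating two of them.
GOOD = make_test_cert({"digital_signature": True, "key_encipherment": True},
                      [ExtendedKeyUsageOID.CLIENT_AUTH, ExtendedKeyUsageOID.EMAIL_PROTECTION])
BAD = make_test_cert({"digital_signature": True, "key_agreement": True},
                     [ExtendedKeyUsageOID.SERVER_AUTH])
```

To check a real certificate, load it with `x509.load_pem_x509_certificate()` and pass it to `check_self_renewal_profile()` in place of the constructed samples.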
