How to renew a certificate

By alkas

CAcert lets you renew an expired certificate, provided it has not been revoked. Both the private and the public key remain unchanged by the renewal process.

If you visit your CAcert account, you can display all the certificates issued to you, both client and server ones.

This example covers the renewal of a server certificate, which is the more challenging case. You will need:

The process in brief:

  1. Renew the certificate in your CAcert account and save the renewed certificate into a file. Note that this certificate does not contain the private key; also, it has a different serial number than the original (expired) certificate. (This is why the MMC Certificates snap-in cannot be used for this step.)
  2. Export the expired certificate together with its private key from the computer where that private key is stored.
  3. Use Firefox to join the new certificate with the original private key. (This example uses a computer other than the original server.)
  4. Export the resulting renewed certificate, including the private key, into a backup file.
  5. Import that file into the server that will use it (e.g., a web server).

Renewing the certificate in your CAcert account and saving it to a file

Log in to your CAcert account. From the menu on the right side select Server certificates - View. A page appears listing all your valid server certificates. Click the link "View all certificates" at the bottom of the list.

The list of certificates including revoked and expired ones

Select the expired certificate whose private key you can locate, i.e. you know the computer where the private key and the expired certificate are stored. Press the "Renew" button. After a while a page containing the renewed certificate appears. Select its contents:

The renewed certificate is issued

Copy the contents (Ctrl-C), run Notepad, and create a file with the .CER extension.

Renewed certificate inserted into Notepad; Renewed certificate saved to a file

Paste the certificate contents (Ctrl-V) and save the file. When you open the file you can see some properties of the renewed certificate:

The renewed certificate properties

This is your renewed certificate, still without the private key. Note the new validity period and the new serial number.

Export the expired certificate from the original computer (server)

Now export the expired certificate with its private key from the computer where it is located, using the Certificates snap-in of the MMC administrative tool. I recommend exporting it to a file whose name contains the name of the original server and the serial number of the expired certificate. You will also need to export all extended properties of the certificate.

In this example the expired certificate is located on a Windows 10 system. Use the MMC administrative tool with the Certificates snap-in, and find the expired certificate in the "Personal" store of the local computer.

Check the certificate's serial number (here 0x105006) against the information in your CAcert account. It must be the expired certificate you have just renewed.

The expired certificate - serial number

Exporting the certificate is quite straightforward.

Exporting - start

Choose the PKCS#12 format (file suffix .PFX), i.e. an export that includes the private key.

Exporting - option PFX

The exported certificate should contain all extended properties.

Exporting - properties

Set the password and the file name for the export.

Exporting - private key password; Exporting - file name of the output file

Complete the export process (summary and success message).

Exporting - summary and completion

Create the renewed certificate linked to the private key

Continue on a computer with the Firefox browser installed; in this example it is a Windows 10 computer.

Firefox - options; Firefox - advanced options; Firefox - certificates; Firefox - certificate manager

Run Firefox and open Options from its settings menu, then Advanced, then Certificates. Select Import in the Certificate Manager window.

Import the expired certificate

Select the .PFX file you exported, which contains the expired certificate with the corresponding private key.

Import the expired certificate

Enter the password you set (and confirmed) during export. Continue and import the expired certificate.

Checking the expired certificate

The displayed date confirms that this certificate has expired. Now import the renewed certificate.

Import renewed certificate

Both the old (expired) and the new certificate are now imported, along with the private key, which belongs to both certificates. What matters is that the renewed certificate now has its corresponding private key, a new serial number, and a new validity period.

Check of the imported certificates

Export the renewed certificate to a file

Continue by exporting the renewed certificate together with its corresponding private key; in Firefox terminology this is a "backup", which creates a PKCS#12 file with the .P12 extension.

Export/backup; Export - setting the password

Again, a strong password must be set. The export completes after you press OK.

Export - completed

Install the renewed certificate and its private key on the target server

Proceed with installing the renewed certificate and its corresponding private key on the server where it will be used. In practice this would be a Windows Server 2012 machine; to work in the English locale, a Windows 10 platform was chosen for this example. Use the MMC administrative tool with the Certificates snap-in.

Import the renewed certificate with the private key; Entering the file name of the .P12 file

Select Import and choose the file you just exported. (Transferring the file between computers is easiest over the network in a Windows domain or home/work group; otherwise a USB disk can be used.)

Setting password and exportability

Enter the password you set at export, and mark the key as exportable again.

Post-import check

After the renewed certificate and its private key are imported, you may check the following:

  1. The complete certificate chain was imported (here: the renewed server certificate and the CAcert root certificate). This does no harm.
  2. The imported renewed server certificate has its private key, so the server can use it. You can see this from its icon (key overlay) and the sentence "You have a private key ..." shown when you open the certificate.
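As an added example (not part of the original page), the same steps 2 to 4 done with the openssl command line instead of MMC and Firefox, including the check that the renewed .CER really belongs to the private key from the expired .PFX: since the serial numbers differ, the public keys are compared instead. It assumes openssl is installed; file names, passwords and the demo data are constructed.

```shell
# Added example (not the CAcert page's own procedure): steps 2-4 with the openssl
# CLI instead of MMC and Firefox. File names, passwords and demo data are constructed.
set -eu

# SHA-256 fingerprint of the public key inside a certificate (PEM .cer).
cert_pubkey_fp() {
    openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}
# SHA-256 fingerprint of the public key derived from a private key (PEM).
key_pubkey_fp() {
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}
# Step 2: pull the private key out of the expired PKCS#12 (.pfx) export.
extract_key_from_pfx() {  # $1=expired.pfx  $2=password  $3=output key file (PEM)
    openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" -out "$3"
}
# Step 3 check: the serial numbers differ, so only the public key can show whether
# the renewed certificate belongs to this key. Prints "match" or "mismatch".
check_key_matches() {  # $1=renewed.cer  $2=private key (PEM)
    if [ "$(cert_pubkey_fp "$1")" = "$(key_pubkey_fp "$2")" ]; then echo match; else echo mismatch; fi
}
# Step 4: bundle the renewed cert and the original key into the .p12 the server
# will import; refuses a key/certificate pair that does not belong together.
bundle_renewed_p12() {  # $1=renewed.cer  $2=private key  $3=password  $4=output .p12
    [ "$(check_key_matches "$1" "$2")" = match ] || { echo "key does not match renewed cert" >&2; return 1; }
    openssl pkcs12 -export -in "$1" -inkey "$2" -passout "pass:$3" -out "$4"
}
# Constructed demo data standing in for the real files: one key, an "expired" self-signed
# cert packed as .pfx (serial 0x105006 as on the page), a "renewed" cert for the same key
# with a new serial, and an unrelated key for the negative case.
make_demo() {  # $1=work dir
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/key.pem" 2>/dev/null
    openssl req -new -x509 -key "$1/key.pem" -subj "/CN=server.example" -days 1 \
        -set_serial 0x105006 -out "$1/expired.cer" 2>/dev/null
    openssl pkcs12 -export -in "$1/expired.cer" -inkey "$1/key.pem" -passout pass:oldpw \
        -out "$1/expired.pfx"
    openssl req -new -x509 -key "$1/key.pem" -subj "/CN=server.example" -days 365 \
        -set_serial 0x105007 -out "$1/renewed.cer" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/other.pem" 2>/dev/null
}
```

The resulting .p12 is imported on the server exactly as the Firefox backup file is in the section above.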