Renewing a certificate with a new key allows you to continue using an existing certificate and its associated data, while enhancing the strength of the key associated with the certificate. This can be desirable if using a new certificate would cause disruption and the existing certificate has not been compromised.

Users or local Administrators is the minimum group membership required to complete this procedure. Review the details in "Additional considerations" in this topic.

To renew a certificate with a new key
  1. Open the Certificates snap-in for a user, computer, or service.

  2. In the console tree, expand the Personal store, and then click Certificates.

  3. In the details pane, select the certificate that you are renewing.

  4. On the Action menu, point to All Tasks, and then click Renew Certificate with New Key to open the Certificate Renewal Wizard.

  5. In the Certificate Renewal Wizard, do one of the following:

    • Use the default values to renew the certificate.

    • (For advanced users only) Click Details, and then click Properties to provide your own certificate renewal settings. You need to know the cryptographic service provider (CSP) and the certification authority (CA) issuing the certificate.

      You need to select the key length (measured in bits) of the public key associated with the certificate.

      You can also choose to enable strong private key protection. Enabling strong private key protection ensures that you are prompted for a password every time the private key is used. This is useful if you want to ensure that the private key is not used without your knowledge.

  6. When you are ready to request a certificate, click Enroll. After the Certificate Renewal Wizard has successfully finished, click Close.

Additional considerations

  • User certificates can be managed by the user or by an administrator. Certificates issued to a computer or service can only be managed by an administrator or user who has been given the appropriate permissions.

  • To open the Certificates snap-in, see Add the Certificates Snap-in to an MMC.

  • Once renewed, the old certificate and key pair will be archived.

  • You can use this procedure to request certificates from an enterprise CA only. To request certificates from a stand-alone CA, you need to request certificates by using Web pages. The Web pages for a Windows-based CA are located at http://servername/Certsrv, where servername is the name of the server that hosts the CA.


Table Of Contents