~~NOTOC~~
====== Scenario 4.2: Rekey (New Key) ======

<WRAP round info>
**Category:** [[.:start|Certificate Management]] \\
**Complexity:** ⭐⭐⭐⭐ (High) \\
**Prerequisites:** Existing certificate \\
**Estimated Time:** 20-30 Minutes
</WRAP>

----

===== Description =====

This scenario describes **Rekey** - issuing a new certificate with a **new key pair**. Rekey is necessary for suspected compromise, algorithm upgrades, or key strength increases.

**When Rekey is Required:**
  * Suspected key compromise
  * Migration from RSA to ML-DSA (Post-Quantum)
  * Increasing key length
  * Routine rotation (security policy)
  * Maximum key lifecycle expiration

----

===== Workflow =====

<mermaid>
flowchart LR
    OLD[Old Certificate] --> GEN[New Key Pair]
    GEN --> CSR[New CSR]
    CSR --> ISSUE[New Certificate]
    ISSUE --> DEPLOY[Deployment]
    DEPLOY --> REVOKE[Revoke Old]
    GEN --> BACKUP[Key Backup]

    style GEN fill:#fff3e0
    style ISSUE fill:#e8f5e9
</mermaid>

----

===== Code Example (C#) =====

<code csharp>
using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ;

using var ctx = PqCryptoContext.Initialize();

// Load old certificate (for Subject/SANs)
var oldCert = ctx.LoadCertificate("server.crt.pem");

// Load CA
var caCert = ctx.LoadCertificate("intermediate-ca.crt.pem");
var caKey = ctx.LoadPrivateKey("intermediate-ca.key.pem", "CaPassword!");

// Generate NEW key pair (PQ upgrade!)
using var newKey = ctx.GenerateKeyPair(PqAlgorithm.MlDsa65);

// Copy Subject and SANs from old certificate
var oldSans = ctx.GetSubjectAlternativeNames(oldCert);

// New CSR with new key
var csr = ctx.CreateCertificateRequest(
    newKey,
    oldCert.SubjectName,  // Preserve subject
    new ExtBuilder()
        .SubjectAlternativeName(oldSans)  // Preserve SANs
        .Build()
);

// Issue new certificate
var newCert = ctx.IssueCertificate(
    csr,
    issuerCert: caCert,
    issuerKey: caKey,
    serialNumber: ctx.GenerateSerialNumber(),
    validDays: 365,
    extensions: new ExtBuilder()
        .BasicConstraints(ca: false, critical: true)
        .KeyUsage(KeyUsageFlags.DigitalSignature | KeyUsageFlags.KeyEncipherment)
        .ExtendedKeyUsage(ExtKeyUsage.ServerAuth)
        .SubjectKeyIdentifier(newKey.PublicKey)  // NEW SKI!
        .AuthorityKeyIdentifier(caCert)
        .CrlDistributionPoint("http://crl.example.com/intermediate.crl")
        .Build()
);

// Save
newCert.ToPemFile("server-rekeyed.crt.pem");
newKey.ToEncryptedPemFile("server-rekeyed.key.pem", "NewKeyPassword!");

Console.WriteLine("Rekey completed:");
Console.WriteLine($"  Old Algorithm: {oldCert.PublicKey.Oid.FriendlyName}");
Console.WriteLine($"  New Algorithm: ML-DSA-65");
Console.WriteLine($"  Old SKI: {oldCert.GetSubjectKeyIdentifier()}");
Console.WriteLine($"  New SKI: {newCert.GetSubjectKeyIdentifier()}");
</code>

----

===== PQ Migration: RSA to ML-DSA =====

For migration from classical to Post-Quantum algorithms:

<code csharp>
// Hybrid Rekey: RSA + ML-DSA in parallel
public class HybridRekey
{
    public static (X509Certificate2 classical, X509Certificate2 pq) PerformHybridRekey(
        X509Certificate2 oldRsaCert,
        PqCryptoContext ctx,
        X509Certificate2 caCert,
        AsymmetricAlgorithm caKey)
    {
        // 1. Renew RSA key (transition phase)
        using var newRsaKey = RSA.Create(4096);
        var rsaCsr = ctx.CreateCertificateRequest(newRsaKey, oldRsaCert.SubjectName);
        var rsaCert = ctx.IssueCertificate(rsaCsr, caCert, caKey, validDays: 365);

        // 2. Create ML-DSA key (future)
        using var mlDsaKey = ctx.GenerateKeyPair(PqAlgorithm.MlDsa65);
        var pqCsr = ctx.CreateCertificateRequest(mlDsaKey, oldRsaCert.SubjectName);
        var pqCert = ctx.IssueCertificate(pqCsr, caCert, caKey, validDays: 365);

        return (rsaCert, pqCert);
    }
}
</code>

----

===== Industry-Specific Rekey Requirements =====

^  Industry  ^  Maximum Key Lifetime  ^  Rekey Trigger  ^  Special Feature  ^
| **Financial Sector** | 2 years | HSM policy | FIPS 140-3 compliance |
| **Healthcare** | 3 years | Audit finding | DiGAV conformity |
| **Energy/SCADA** | 5 years | Maintenance window | Offline capability |
| **Automotive** | Vehicle lifetime | Security update | OTA mechanism |

----

===== Rekey Checklist =====

<WRAP round important>
**Before Rekey:**
  - [ ] Backup old key (if still needed)
  - [ ] Identify all systems using the certificate
  - [ ] Create deployment plan
  - [ ] Prepare rollback plan
  - [ ] Communicate maintenance window
</WRAP>

<WRAP round tip>
**After Rekey:**
  - [ ] Deploy new certificate on all systems
  - [ ] Test connections
  - [ ] Revoke old certificate
  - [ ] Securely destroy old key
  - [ ] Update documentation
</WRAP>

----

===== Related Scenarios =====

^  Relationship  ^  Scenario  ^  Description  ^
| **Alternative** | [[.:renewal|4.1 Renewal]] | Same key |
| **Next Step** | [[en:int:pqcrypt:szenarien:widerruf:zertifikat_widerrufen|6.4 Revoke]] | Old certificate |
| **Prerequisite** | [[en:int:pqcrypt:szenarien:schluessel:generierung|11.1 Key Generation]] | New key |
| **Related** | [[en:int:pqcrypt:szenarien:schluessel:vernichtung|11.5 Key Destruction]] | Delete old key |

----

<< [[.:renewal|← 4.1 Renewal]] | [[.:start|↑ Management Overview]] | [[.:archivierung|4.3 Archival →]] >>

{{tag>scenario management rekey key migration pq}}

----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//