~~NOTOC~~
====== Scenario 4.1: Certificate Renewal ======
**Category:** [[.:start|Certificate Management]] \\
**Complexity:** ⭐⭐⭐ (Medium) \\
**Prerequisites:** Existing certificate, same key \\
**Estimated Time:** 10-15 minutes
----
===== Description =====
This scenario describes the **renewal of an expiring certificate** while retaining the existing key pair. Renewal is appropriate when the key has not been compromised and the key strength is still sufficient.
**Renewal vs. Rekey:**
^ Aspect ^ Renewal ^ Rekey ^
| Key Pair | Same | New |
| CSR | Optionally new | Required new |
| Subject | Can be adjusted | Can be adjusted |
| Reason | Expiry | Compromise, upgrade |
----
===== Workflow =====
<code mermaid>
flowchart LR
    LOAD[Load Old Certificate] --> CHECK[Check Expiry]
    CHECK --> CSR[CSR with Same Key]
    CSR --> ISSUE[New Certificate]
    ISSUE --> DEPLOY[Deployment]
    DEPLOY --> REVOKE[Revoke Old]
    style ISSUE fill:#e8f5e9
</code>
----
===== Code Example (C#) =====
<code csharp>
using System;
using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ;

using var ctx = PqCryptoContext.Initialize();

// Load existing certificate and key
var oldCert = ctx.LoadCertificate("server.crt.pem");
var existingKey = ctx.LoadPrivateKey("server.key.pem", "KeyPassword!");

// Load CA
var caCert = ctx.LoadCertificate("intermediate-ca.crt.pem");
var caKey = ctx.LoadPrivateKey("intermediate-ca.key.pem", "CaPassword!");

// Check whether renewal makes sense yet; stop if the certificate is still valid for a long time
var daysUntilExpiry = (oldCert.NotAfter - DateTime.UtcNow).Days;
if (daysUntilExpiry > 90)
{
    Console.WriteLine($"Certificate still valid for {daysUntilExpiry} days.");
    return;
}

// Create CSR with existing key
var csr = ctx.CreateCertificateRequest(
    existingKey,
    oldCert.SubjectName,        // Preserve subject
    ctx.GetExtensions(oldCert)  // Preserve extensions
);

// Issue new certificate
var newCert = ctx.IssueCertificate(
    csr,
    issuerCert: caCert,
    issuerKey: caKey,
    serialNumber: ctx.GenerateSerialNumber(),   // New serial!
    validFrom: DateTime.UtcNow.AddDays(-1),     // Overlap with the old certificate
    validDays: 365,
    extensions: new ExtBuilder()
        .BasicConstraints(ca: false, critical: true)
        .KeyUsage(KeyUsageFlags.DigitalSignature | KeyUsageFlags.KeyEncipherment)
        .ExtendedKeyUsage(ExtKeyUsage.ServerAuth)
        .SubjectKeyIdentifier(existingKey.PublicKey)  // Same SKI!
        .AuthorityKeyIdentifier(caCert)
        .CrlDistributionPoint("http://crl.example.com/intermediate.crl")
        .Build()
);

// Save
newCert.ToPemFile("server-renewed.crt.pem");

Console.WriteLine("Certificate renewed:");
Console.WriteLine($"  Old Serial: {oldCert.SerialNumber}");
Console.WriteLine($"  New Serial: {newCert.SerialNumber}");
Console.WriteLine($"  New Expiry Date: {newCert.NotAfter:yyyy-MM-dd}");
</code>
----
===== Automatic Renewal Check =====
<code csharp>
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Check all certificates in a store and return those that expire within warningDays
static IEnumerable<X509Certificate2> GetExpiringCertificates(
    X509Store store,
    int warningDays = 30)
{
    store.Open(OpenFlags.ReadOnly);
    try
    {
        var now = DateTime.UtcNow;
        // X509Certificate2.NotAfter is expressed in local time; normalize before comparing with UtcNow
        return store.Certificates
            .Where(c => c.NotAfter.ToUniversalTime() <= now.AddDays(warningDays))
            .Where(c => c.NotAfter.ToUniversalTime() > now)  // Not yet expired
            .OrderBy(c => c.NotAfter)
            .ToList();  // Materialize before the store is closed
    }
    finally
    {
        store.Close();
    }
}

// Usage
using var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
var expiring = GetExpiringCertificates(store, warningDays: 30);
foreach (var cert in expiring)
{
    Console.WriteLine($"WARNING: {cert.Subject} expires on {cert.NotAfter:d}");
}
</code>
----
===== Industry-Specific Renewal Cycles =====
^ Industry ^ Typical Cycle ^ Renewal Lead Time ^ Special Feature ^
| **Standard IT** | 1 year | 30 days | Automation recommended |
| **Energy/SCADA** | 3-5 years | 90 days | Observe maintenance windows |
| **Healthcare** | 1-2 years | 60 days | Audit trail required |
| **Automotive** | 2-3 years | 180 days | OTA update planning |
----
===== Best Practices =====
**Renewal Recommendations:**
* Plan overlap time (old certificate valid 1-7 days after renewal)
* Implement automatic monitoring
* Revoke old certificate only after successful deployment
* Subject Key Identifier remains the same (facilitates tracking)
**When NOT to renew:**
* Key possibly compromised → [[.:rekey|Rekey]]
* Algorithm upgrade needed (RSA → ML-DSA) → [[.:rekey|Rekey]]
* Key length too short → [[.:rekey|Rekey]]
----
===== Related Scenarios =====
^ Relationship ^ Scenario ^ Description ^
| **Alternative** | [[.:rekey|4.2 Rekey]] | New key |
| **Next Step** | [[en:int:pqcrypt:szenarien:widerruf:zertifikat_widerrufen|6.4 Revoke]] | Old certificate |
| **Related** | [[.:backup|4.4 Backup]] | Backup before renewal |
----
<< [[.:start|← Management Overview]] | [[en:int:pqcrypt:szenarien:start|↑ Scenarios]] | [[.:rekey|4.2 Rekey →]] >>
{{tag>scenario management renewal certificate}}
----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//