~~NOTOC~~
====== 4. Certificate Management ======

**Scenarios:** 4 \\
**FFI Functions:** ~30 \\
**Status:** ⏳ Planned

This category covers the scenarios for managing the certificate lifecycle: renewal, rekey, archival, and backup of certificates.

----

===== Scenarios =====

^ ID ^ Scenario ^ Description ^ Complexity ^ Status ^
| [[.:renewal|4.1]] | Certificate Renewal | Extend the validity of an expiring certificate with the same key | ⭐⭐⭐ | ⏳ |
| [[.:rekey|4.2]] | Key Renewal (Rekey) | New key pair, new certificate | ⭐⭐⭐ | ⏳ |
| [[.:archivierung|4.3]] | Certificate Archival | Securely store expired certificates | ⭐⭐ | ⏳ |
| [[.:backup|4.4]] | Backup and Recovery | Back up certificates and keys | ⭐⭐⭐ | ⏳ |

----

===== Lifecycle =====

flowchart LR
    subgraph ACTIVE["🟢 Active"]
        NEW[Newly Issued]
        INUSE[In Use]
    end
    subgraph RENEWAL["🔄 Renewal"]
        RENEW[Renewal]
        REKEY[Rekey]
    end
    subgraph END["⏹️ End"]
        EXPIRE[Expired]
        REVOKE[Revoked]
        ARCHIVE[Archived]
    end
    NEW --> INUSE
    INUSE --> RENEW --> INUSE
    INUSE --> REKEY --> INUSE
    INUSE --> EXPIRE --> ARCHIVE
    INUSE --> REVOKE --> ARCHIVE
    style INUSE fill:#e8f5e9
    style REVOKE fill:#ffcdd2

----

===== Renewal vs Rekey =====

^ Operation ^ Key ^ Serial ^ Use Case ^
| **Renewal** | Same | New | Key still secure, only extend validity |
| **Rekey** | New | New | Compromise suspected, algorithm change |

**Best Practice:** During PQ migration, always perform a rekey. A renewal keeps the existing classical key, so only a rekey can move the certificate to ML-DSA.
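The distinction in the table above, worked through as an added example that is not part of this page or of the pqcrypt library. It uses only Go's standard library (crypto/x509 with ECDSA keys), which has no ML-DSA, so the rekey switches from P-256 to P-384 as a stand-in for the classical-to-ML-DSA switch. The issuer, the subject names, the 128-bit random serials and the validity periods are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error, which is acceptable for a demo.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Issuer is a minimal in-memory CA, constructed for this example.
type Issuer struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// sign gives tmpl a fresh 128-bit random serial and signs it with priv.
// Every issued certificate, renewal or rekey alike, gets its own serial.
func sign(tmpl, parent *x509.Certificate, pub any, priv *ecdsa.PrivateKey) *x509.Certificate {
	tmpl.SerialNumber = must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)))
	tmpl.NotBefore = time.Now().Add(-5 * time.Minute)
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv))
	return must(x509.ParseCertificate(der))
}

// NewIssuer creates a self-signed CA that may sign end-entity certificates.
func NewIssuer() *Issuer {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		Subject:               pkix.Name{CommonName: "Example Issuing CA"},
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return &Issuer{Cert: sign(tmpl, tmpl, &key.PublicKey, key), Key: key}
}

// Issue signs a new end-entity certificate binding subject to pub.
func (ca *Issuer) Issue(subject pkix.Name, pub any, validDays int) *x509.Certificate {
	return sign(&x509.Certificate{
		Subject:     subject,
		NotAfter:    time.Now().AddDate(0, 0, validDays),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca.Cert, pub, ca.Key)
}

// Renew re-issues old over the SAME public key: new serial and validity,
// identical SubjectPublicKeyInfo, so the key algorithm cannot change here.
func (ca *Issuer) Renew(old *x509.Certificate, validDays int) *x509.Certificate {
	return ca.Issue(old.Subject, old.PublicKey, validDays)
}

// Rekey binds old's subject to a NEW public key; the caller still has to
// revoke or archive old and destroy its private key.
func (ca *Issuer) Rekey(old *x509.Certificate, newPub any, validDays int) *x509.Certificate {
	return ca.Issue(old.Subject, newPub, validDays)
}

// SameKey tells a renewal from a rekey: compare the DER SubjectPublicKeyInfo,
// not the serial, the dates or the subject.
func SameKey(a, b *x509.Certificate) bool {
	return string(a.RawSubjectPublicKeyInfo) == string(b.RawSubjectPublicKeyInfo)
}

// LifecycleDemo issues a P-256 server certificate, renews it, then rekeys it
// onto P-384 (standing in for ML-DSA), and checks the comparison table.
func LifecycleDemo() map[string]bool {
	ca := NewIssuer()
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	orig := ca.Issue(pkix.Name{CommonName: "server.example"}, &key.PublicKey, 365)
	renewed := ca.Renew(orig, 365)
	newKey := must(ecdsa.GenerateKey(elliptic.P384(), rand.Reader))
	rekeyed := ca.Rekey(orig, &newKey.PublicKey, 365)
	// Both replacement certificates must still chain to the issuer.
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	_, errRenew := renewed.Verify(x509.VerifyOptions{Roots: roots})
	_, errRekey := rekeyed.Verify(x509.VerifyOptions{Roots: roots})
	return map[string]bool{
		"renew kept key":      SameKey(orig, renewed),
		"renew new serial":    orig.SerialNumber.Cmp(renewed.SerialNumber) != 0,
		"rekey changed key":   !SameKey(orig, rekeyed),
		"rekey changed curve": newKey.Curve.Params().Name != key.Curve.Params().Name,
		"both verify":         errRenew == nil && errRekey == nil,
	}
}

func main() {
	fmt.Println(LifecycleDemo())
}
```

`go run` prints a map in which every entry is true. The check worth keeping from this is `SameKey`: a pipeline that is supposed to renew should assert that the SubjectPublicKeyInfo did not change, and one that is supposed to rekey (for instance the PQ migration) should assert that it did, since serial, dates and subject look the same in both cases. Revocation of the old certificate after a rekey keys on the old serial, which is why every issuance draws a fresh one.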
----

===== Automation =====

^ Trigger ^ Action ^
| 30 days before expiry | Warning email |
| 14 days before expiry | Start auto-renewal |
| 7 days before expiry | Escalation |
| Expiry | Deactivate certificate |

----

===== Quick Start Code =====

==== Renewal ====

<code csharp>
// Load the existing certificate and the private key it is bound to
var oldCert = ctx.LoadCertificate("server.crt.pem");
using var privateKey = ctx.LoadPrivateKey("server.key.pem", password);

// Renewal: new certificate (new serial, new validity) over the same key and subject
var csr = ctx.CreateCertificateRequest(privateKey, oldCert.Subject);
var newCert = ctx.IssueCertificate(csr, issuerCert, issuerKey, validDays: 365);
newCert.ToPemFile("server-renewed.crt.pem");
</code>

==== Rekey ====

<code csharp>
// Load the certificate being replaced and the key it is bound to
var oldCert = ctx.LoadCertificate("server.crt.pem");
var oldKey = ctx.LoadPrivateKey("server.key.pem", password);

// Generate a new key pair (e.g., migration to ML-DSA)
using var newKey = ctx.GenerateKeyPair(PqAlgorithm.MlDsa65);

// CSR with the new key, same subject
var csr = ctx.CreateCertificateRequest(newKey, oldCert.Subject);
var newCert = ctx.IssueCertificate(csr, issuerCert, issuerKey, validDays: 365);
newCert.ToPemFile("server-rekeyed.crt.pem");

// Securely destroy the old key once the new certificate is deployed;
// the old certificate is then revoked (see 6. Revocation)
oldKey.Dispose();
</code>

----

===== Related Categories =====

^ Category ^ Relationship ^
| [[.:zertifikate:start|3. Issue Certificates]] | New certificate for rekey |
| [[.:widerruf:start|6. Revocation]] | Revoke old certificate after rekey |
| [[.:schluessel:start|11. Key Management]] | Key rotation |

----

<< [[en:int:pqcrypt:szenarien:zertifikate:start|← 3. Issue Certificates]] | [[en:int:pqcrypt:szenarien:start|↑ Scenarios]] | [[.:validierung:start|5. Validation →]] >>

----

//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//

{{tag>category management renewal rekey archival backup}}