Scenario 4.2: Rekey (New Key)

Category: Certificate Management
Complexity: ⭐⭐⭐⭐ (High)
Prerequisites: Existing certificate
Estimated Time: 20-30 Minutes


Description

This scenario describes Rekey - issuing a new certificate with a new key pair. Rekey is necessary for suspected compromise, algorithm upgrades, or key strength increases.

When Rekey is Required:


Workflow

flowchart LR
    OLD[Old Certificate] --> GEN[New Key Pair]
    GEN --> CSR[New CSR]
    CSR --> ISSUE[New Certificate]
    ISSUE --> DEPLOY[Deployment]
    DEPLOY --> REVOKE[Revoke Old]
    GEN --> BACKUP[Key Backup]
    style GEN fill:#fff3e0
    style ISSUE fill:#e8f5e9


Code Example (C#)

using System;
using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ;

using var ctx = PqCryptoContext.Initialize();
 
// Load old certificate (for Subject/SANs)
var oldCert = ctx.LoadCertificate("server.crt.pem");
 
// Load CA
var caCert = ctx.LoadCertificate("intermediate-ca.crt.pem");
var caKey = ctx.LoadPrivateKey("intermediate-ca.key.pem", "CaPassword!");
 
// Generate NEW key pair (PQ upgrade!)
using var newKey = ctx.GenerateKeyPair(PqAlgorithm.MlDsa65);
 
// Copy Subject and SANs from old certificate
var oldSans = ctx.GetSubjectAlternativeNames(oldCert);
 
// New CSR with new key
var csr = ctx.CreateCertificateRequest(
    newKey,
    oldCert.SubjectName,  // Preserve subject
    new ExtBuilder()
        .SubjectAlternativeName(oldSans)  // Preserve SANs
        .Build()
);
 
// Issue new certificate
var newCert = ctx.IssueCertificate(
    csr,
    issuerCert: caCert,
    issuerKey: caKey,
    serialNumber: ctx.GenerateSerialNumber(),
    validDays: 365,
    extensions: new ExtBuilder()
        .BasicConstraints(ca: false, critical: true)
        .KeyUsage(KeyUsageFlags.DigitalSignature | KeyUsageFlags.KeyEncipherment)
        .ExtendedKeyUsage(ExtKeyUsage.ServerAuth)
        .SubjectKeyIdentifier(newKey.PublicKey)  // NEW SKI!
        .AuthorityKeyIdentifier(caCert)
        .CrlDistributionPoint("http://crl.example.com/intermediate.crl")
        .Build()
);
 
// Save
newCert.ToPemFile("server-rekeyed.crt.pem");
newKey.ToEncryptedPemFile("server-rekeyed.key.pem", "NewKeyPassword!");
 
Console.WriteLine("Rekey completed:");
Console.WriteLine($"  Old Algorithm: {oldCert.PublicKey.Oid.FriendlyName}");
Console.WriteLine("  New Algorithm: ML-DSA-65");
Console.WriteLine($"  Old SKI: {oldCert.GetSubjectKeyIdentifier()}");
Console.WriteLine($"  New SKI: {newCert.GetSubjectKeyIdentifier()}");
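As an added post-rekey check (not part of the original page or the WvdS library), the following helper compares the old and rekeyed certificates using only standard .NET X509 APIs: the Subject and DNS SAN set must be unchanged, while the public key and SubjectKeyIdentifier must differ, which distinguishes a real rekey from a renewal that reused the key. It assumes .NET 7 or later for X509SubjectAlternativeNameExtension.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Added example, not part of the WvdS library: post-rekey sanity check with standard .NET APIs.
public static class RekeyVerifier
{
    // Returns a list of findings; an empty list means identity was preserved and the key really changed.
    public static List<string> Verify(X509Certificate2 oldCert, X509Certificate2 newCert)
    {
        var findings = new List<string>();

        // Identity must be preserved: compare the DER-encoded Subject, not the display string.
        if (!oldCert.SubjectName.RawData.AsSpan().SequenceEqual(newCert.SubjectName.RawData))
            findings.Add("Subject changed");

        // The DNS SAN set must be preserved (compared order-insensitively).
        if (!DnsNames(oldCert).SequenceEqual(DnsNames(newCert), StringComparer.OrdinalIgnoreCase))
            findings.Add("DNS SAN set changed");

        // The key must really be new; an identical encoded public key means renewal, not rekey.
        if (oldCert.PublicKey.EncodedKeyValue.RawData.AsSpan().SequenceEqual(newCert.PublicKey.EncodedKeyValue.RawData))
            findings.Add("Public key unchanged (renewal, not rekey)");

        // A new key must get a new SubjectKeyIdentifier, and the new certificate must carry one.
        string oldSki = Ski(oldCert), newSki = Ski(newCert);
        if (newSki == null)
            findings.Add("New certificate has no SubjectKeyIdentifier");
        else if (string.Equals(oldSki, newSki, StringComparison.OrdinalIgnoreCase))
            findings.Add("SubjectKeyIdentifier unchanged");

        // The new certificate must be usable now, before the old one is revoked.
        var now = DateTime.UtcNow;
        if (now < newCert.NotBefore.ToUniversalTime() || now > newCert.NotAfter.ToUniversalTime())
            findings.Add("New certificate is outside its validity period");

        return findings;
    }

    private static string Ski(X509Certificate2 cert) =>
        cert.Extensions.OfType<X509SubjectKeyIdentifierExtension>().FirstOrDefault()?.SubjectKeyIdentifier;

    private static string[] DnsNames(X509Certificate2 cert) =>
        cert.Extensions.OfType<X509SubjectAlternativeNameExtension>()
            .SelectMany(e => e.EnumerateDnsNames())
            .OrderBy(n => n, StringComparer.OrdinalIgnoreCase)
            .ToArray();
}
```

Run it against server.crt.pem and server-rekeyed.crt.pem from the example above; any finding should block the "Revoke old certificate" step of the checklist.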

PQ Migration: RSA to ML-DSA

For migration from classical to Post-Quantum algorithms:

// Hybrid Rekey: RSA + ML-DSA in parallel
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ;

public class HybridRekey
{
    public static (X509Certificate2 classical, X509Certificate2 pq) PerformHybridRekey(
        X509Certificate2 oldRsaCert,
        PqCryptoContext ctx,
        X509Certificate2 caCert,
        AsymmetricAlgorithm caKey)
    {
        // 1. New RSA key and certificate (transition phase, for peers that cannot yet validate ML-DSA)
        using var newRsaKey = RSA.Create(4096);
        var rsaCsr = ctx.CreateCertificateRequest(newRsaKey, oldRsaCert.SubjectName);
        var rsaCert = ctx.IssueCertificate(rsaCsr, caCert, caKey, validDays: 365);
 
        // 2. Create ML-DSA key (future)
        using var mlDsaKey = ctx.GenerateKeyPair(PqAlgorithm.MlDsa65);
        var pqCsr = ctx.CreateCertificateRequest(mlDsaKey, oldRsaCert.SubjectName);
        var pqCert = ctx.IssueCertificate(pqCsr, caCert, caKey, validDays: 365);
 
        return (rsaCert, pqCert);
    }
}

Industry-Specific Rekey Requirements

| Industry | Maximum Key Lifetime | Rekey Trigger | Special Feature |
|---|---|---|---|
| Financial Sector | 2 years | HSM policy | FIPS 140-3 compliance |
| Healthcare | 3 years | Audit finding | DiGAV conformity |
| Energy/SCADA | 5 years | Maintenance window | Offline capability |
| Automotive | Vehicle lifetime | Security update | OTA mechanism |

Rekey Checklist

Before Rekey:

  1. [ ] Backup old key (if still needed)
  2. [ ] Identify all systems using the certificate
  3. [ ] Create deployment plan
  4. [ ] Prepare rollback plan
  5. [ ] Communicate maintenance window

After Rekey:

  1. [ ] Deploy new certificate on all systems
  2. [ ] Test connections
  3. [ ] Revoke old certificate
  4. [ ] Securely destroy old key
  5. [ ] Update documentation

| Relationship | Scenario | Description |
|---|---|---|
| Alternative | 4.1 Renewal | Same key |
| Next Step | 6.4 Revoke | Old certificate |
| Prerequisite | 11.1 Key Generation | New key |
| Related | 11.5 Key Destruction | Delete old key |



Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional