4. Certificate Management

Scenarios: 4
FFI Functions: ~30
Status: ⏳ Planned

This category covers all scenarios for managing the certificate lifecycle. Renewal, rekey, archival, and backup of certificates.

Scenarios

ID Scenario Description Complexity Status
4.1 Certificate Renewal Extend expiring certificate ⭐⭐⭐
4.2 Key Renewal (Rekey) New key pair, new certificate ⭐⭐⭐
4.3 Certificate Archival Securely store expired certificates ⭐⭐
4.4 Backup and Recovery Backup certificates and keys ⭐⭐⭐

Lifecycle

flowchart LR subgraph ACTIVE["🟢 Active"] NEW[Newly Issued] INUSE[In Use] end subgraph RENEWAL["🔄 Renewal"] RENEW[Renewal] REKEY[Rekey] end subgraph END["⏹️ End"] EXPIRE[Expired] REVOKE[Revoked] ARCHIVE[Archived] end NEW --> INUSE INUSE --> RENEW --> INUSE INUSE --> REKEY --> INUSE INUSE --> EXPIRE --> ARCHIVE INUSE --> REVOKE --> ARCHIVE style INUSE fill:#e8f5e9 style REVOKE fill:#ffcdd2

Renewal vs Rekey

Operation Key Serial Use Case
Renewal Same New Key still secure, only extend validity
Rekey New New Compromise suspected, algorithm change

Best Practice: During PQ migration, always perform rekey to switch from classical to ML-DSA.

Automation

Trigger Action Lead Time
30 days before expiry Warning email -
14 days before expiry Start auto-renewal -
7 days before expiry Escalation -
Expiry Deactivate certificate -

Quick Start Code

Renewal

// Load existing certificate
var oldCert = ctx.LoadCertificate("server.crt.pem");
var privateKey = ctx.LoadPrivateKey("server.key.pem", password);
 
// Renewal: New certificate with same key
var csr = ctx.CreateCertificateRequest(privateKey, oldCert.Subject);
var newCert = ctx.IssueCertificate(csr, issuerCert, issuerKey, validDays: 365);
 
newCert.ToPemFile("server-renewed.crt.pem");

Rekey

// Generate new key pair (e.g., migration to ML-DSA)
using var newKey = ctx.GenerateKeyPair(PqAlgorithm.MlDsa65);
 
// CSR with new key, same subject
var csr = ctx.CreateCertificateRequest(newKey, oldCert.Subject);
var newCert = ctx.IssueCertificate(csr, issuerCert, issuerKey, validDays: 365);
 
// Securely destroy old key
oldKey.Dispose();
Category Relationship
3. Issue Certificates New certificate for rekey
6. Revocation Revoke old certificate after rekey
11. Key Management Key rotation

« ← 3. Issue Certificates | ↑ Scenarios | 5. Validation → »

Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional

, , , , ,