Sie befinden sich hier: start » en » Internal Documentation » WvdS Crypto Library » 6. Scenarios » 4. Certificate Management » Scenario 4.2: Rekey (New Key)

Scenario 4.2: Rekey (New Key)

Category: Certificate Management
Complexity: ⭐⭐⭐⭐ (High)
Prerequisites: Existing certificate
Estimated Time: 20-30 Minutes

Description

This scenario describes Rekey - issuing a new certificate with a new key pair. Rekey is necessary for suspected compromise, algorithm upgrades, or key strength increases.

When Rekey is Required:

  • Suspected key compromise
  • Migration from RSA to ML-DSA (Post-Quantum)
  • Increasing key length
  • Routine rotation (security policy)
  • Maximum key lifecycle expiration

Workflow

flowchart LR OLD[Old Certificate] --> GEN[New Key Pair] GEN --> CSR[New CSR] CSR --> ISSUE[New Certificate] ISSUE --> DEPLOY[Deployment] DEPLOY --> REVOKE[Revoke Old] GEN --> BACKUP[Key Backup] style GEN fill:#fff3e0 style ISSUE fill:#e8f5e9

Code Example (C#)

using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ;
 
using var ctx = PqCryptoContext.Initialize();
 
// Load old certificate (for Subject/SANs)
var oldCert = ctx.LoadCertificate("server.crt.pem");
 
// Load CA
var caCert = ctx.LoadCertificate("intermediate-ca.crt.pem");
var caKey = ctx.LoadPrivateKey("intermediate-ca.key.pem", "CaPassword!");
 
// Generate NEW key pair (PQ upgrade!)
using var newKey = ctx.GenerateKeyPair(PqAlgorithm.MlDsa65);
 
// Copy Subject and SANs from old certificate
var oldSans = ctx.GetSubjectAlternativeNames(oldCert);
 
// New CSR with new key
var csr = ctx.CreateCertificateRequest(
    newKey,
    oldCert.SubjectName,  // Preserve subject
    new ExtBuilder()
        .SubjectAlternativeName(oldSans)  // Preserve SANs
        .Build()
);
 
// Issue new certificate
var newCert = ctx.IssueCertificate(
    csr,
    issuerCert: caCert,
    issuerKey: caKey,
    serialNumber: ctx.GenerateSerialNumber(),
    validDays: 365,
    extensions: new ExtBuilder()
        .BasicConstraints(ca: false, critical: true)
        .KeyUsage(KeyUsageFlags.DigitalSignature | KeyUsageFlags.KeyEncipherment)
        .ExtendedKeyUsage(ExtKeyUsage.ServerAuth)
        .SubjectKeyIdentifier(newKey.PublicKey)  // NEW SKI!
        .AuthorityKeyIdentifier(caCert)
        .CrlDistributionPoint("http://crl.example.com/intermediate.crl")
        .Build()
);
 
// Save
newCert.ToPemFile("server-rekeyed.crt.pem");
newKey.ToEncryptedPemFile("server-rekeyed.key.pem", "NewKeyPassword!");
 
Console.WriteLine("Rekey completed:");
Console.WriteLine($"  Old Algorithm: {oldCert.PublicKey.Oid.FriendlyName}");
Console.WriteLine($"  New Algorithm: ML-DSA-65");
Console.WriteLine($"  Old SKI: {oldCert.GetSubjectKeyIdentifier()}");
Console.WriteLine($"  New SKI: {newCert.GetSubjectKeyIdentifier()}");

PQ Migration: RSA to ML-DSA

For migration from classical to Post-Quantum algorithms: 

// Hybrid Rekey: RSA + ML-DSA in parallel
public class HybridRekey
{
    public static (X509Certificate2 classical, X509Certificate2 pq) PerformHybridRekey(
        X509Certificate2 oldRsaCert,
        PqCryptoContext ctx,
        X509Certificate2 caCert,
        AsymmetricAlgorithm caKey)
    {
        // 1. Renew RSA key (transition phase)
        using var newRsaKey = RSA.Create(4096);
        var rsaCsr = ctx.CreateCertificateRequest(newRsaKey, oldRsaCert.SubjectName);
        var rsaCert = ctx.IssueCertificate(rsaCsr, caCert, caKey, validDays: 365);
 
        // 2. Create ML-DSA key (future)
        using var mlDsaKey = ctx.GenerateKeyPair(PqAlgorithm.MlDsa65);
        var pqCsr = ctx.CreateCertificateRequest(mlDsaKey, oldRsaCert.SubjectName);
        var pqCert = ctx.IssueCertificate(pqCsr, caCert, caKey, validDays: 365);
 
        return (rsaCert, pqCert);
    }
}

Industry-Specific Rekey Requirements

Industry Maximum Key Lifetime Rekey Trigger Special Feature
Financial Sector 2 years HSM policy FIPS 140-3 compliance
Healthcare 3 years Audit finding DiGAV conformity
Energy/SCADA 5 years Maintenance window Offline capability
Automotive Vehicle lifetime Security update OTA mechanism

Rekey Checklist

Before Rekey:

  1. [ ] Backup old key (if still needed)
  2. [ ] Identify all systems using the certificate
  3. [ ] Create deployment plan
  4. [ ] Prepare rollback plan
  5. [ ] Communicate maintenance window

After Rekey:

  1. [ ] Deploy new certificate on all systems
  2. [ ] Test connections
  3. [ ] Revoke old certificate
  4. [ ] Securely destroy old key
  5. [ ] Update documentation
Relationship Scenario Description
Alternative 4.1 Renewal Same key
Next Step 6.4 Revoke Old certificate
Prerequisite 11.1 Key Generation New key
Related 11.5 Key Destruction Delete old key

« ← 4.1 Renewal | ↑ Management Overview | 4.3 Archival → »

, , , , ,

Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional

Zuletzt geändert: on 2026/01/30 at 06:53 AM

Seiten-Werkzeuge