4. Certificate Management
Scenarios: 4
FFI Functions: ~30
Status: ⏳ Planned
This category covers all scenarios for managing the certificate lifecycle: renewal, rekey, archival, and backup of certificates.
Scenarios
| ID | Scenario | Description | Complexity | Status |
|---|---|---|---|---|
| 4.1 | Certificate Renewal | Extend expiring certificate | ⭐⭐⭐ | ⏳ |
| 4.2 | Key Renewal (Rekey) | New key pair, new certificate | ⭐⭐⭐ | ⏳ |
| 4.3 | Certificate Archival | Securely store expired certificates | ⭐⭐ | ⏳ |
| 4.4 | Backup and Recovery | Backup certificates and keys | ⭐⭐⭐ | ⏳ |
Lifecycle
```mermaid
flowchart LR
    subgraph ACTIVE["🟢 Active"]
        NEW[Newly Issued]
        INUSE[In Use]
    end
    subgraph RENEWAL["🔄 Renewal"]
        RENEW[Renewal]
        REKEY[Rekey]
    end
    subgraph END["⏹️ End"]
        EXPIRE[Expired]
        REVOKE[Revoked]
        ARCHIVE[Archived]
    end
    NEW --> INUSE
    INUSE --> RENEW --> INUSE
    INUSE --> REKEY --> INUSE
    INUSE --> EXPIRE --> ARCHIVE
    INUSE --> REVOKE --> ARCHIVE
    style INUSE fill:#e8f5e9
    style REVOKE fill:#ffcdd2
```
Renewal vs Rekey
| Operation | Key | Serial | Use Case |
|---|---|---|---|
| Renewal | Same | New | Key still secure, only extend validity |
| Rekey | New | New | Compromise suspected, algorithm change |
Best Practice: During PQ migration, always perform a rekey to switch from classical to ML-DSA; a renewal keeps the existing key and therefore cannot change the algorithm.
Automation
| Trigger | Action | Lead Time |
|---|---|---|
| 30 days before expiry | Warning email | - |
| 14 days before expiry | Start auto-renewal | - |
| 7 days before expiry | Escalation | - |
| Expiry | Deactivate certificate | - |
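The two tables above (Renewal vs Rekey, Automation) together with the best practice define a small scheduling policy. The following Python script is an added example that is not part of the library or this page: it walks a constructed certificate inventory and decides, per certificate, which lifecycle action the schedule calls for, turning "start auto-renewal" into a rekey when the key is classical and a renewal otherwise. The set of classical key types and the sample records are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumption: key types treated as "classical", i.e. candidates for PQ migration.
CLASSICAL_KEY_TYPES = {"RSA", "ECDSA", "Ed25519"}
# Schedule from the Automation table: (whole days left at most, action).
THRESHOLDS = [(0, "deactivate"), (7, "escalate"), (14, "auto-renewal"), (30, "warn")]

@dataclass(frozen=True)
class CertRecord:
    """Just the fields the schedule needs; records are constructed, not parsed from PEM."""
    subject: str
    key_type: str
    not_after: datetime

def days_left(cert: CertRecord, now: datetime) -> int:
    """Whole days until NotAfter; zero or negative once the certificate has expired."""
    return (cert.not_after - now).days

def plan_action(cert: CertRecord, now: datetime) -> str:
    """Map one certificate to the action the schedule calls for at `now`."""
    remaining = days_left(cert, now)
    for limit, action in THRESHOLDS:
        if remaining <= limit:
            if action == "auto-renewal":
                # Renewal keeps the old key, so a classical key can only move to
                # ML-DSA through a rekey (the page's PQ-migration best practice).
                return "rekey" if cert.key_type in CLASSICAL_KEY_TYPES else "renew"
            return action
    return "none"

def plan_fleet(certs, now: datetime) -> dict:
    """{subject: action} for every certificate that needs attention."""
    return {c.subject: a for c in certs if (a := plan_action(c, now)) != "none"}

# Constructed sample inventory relative to a fixed clock so results are reproducible.
NOW = datetime(2026, 1, 30, tzinfo=timezone.utc)
SAMPLE_CERTS = [
    CertRecord("CN=web.example.test", "RSA", NOW + timedelta(days=14)),
    CertRecord("CN=api.example.test", "ML-DSA-65", NOW + timedelta(days=14)),
    CertRecord("CN=vpn.example.test", "ECDSA", NOW + timedelta(days=30)),
    CertRecord("CN=mail.example.test", "RSA", NOW + timedelta(days=5)),
    CertRecord("CN=old.example.test", "RSA", NOW - timedelta(days=1)),
    CertRecord("CN=new.example.test", "ML-DSA-65", NOW + timedelta(days=200)),
]

if __name__ == "__main__":
    for subject, action in plan_fleet(SAMPLE_CERTS, NOW).items():
        print(f"{subject}: {action}")
```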
Quick Start Code
Renewal
```csharp
// Load existing certificate and its private key
var oldCert = ctx.LoadCertificate("server.crt.pem");
var privateKey = ctx.LoadPrivateKey("server.key.pem", password);

// Renewal: new certificate with the same key
var csr = ctx.CreateCertificateRequest(privateKey, oldCert.Subject);
var newCert = ctx.IssueCertificate(csr, issuerCert, issuerKey, validDays: 365);
newCert.ToPemFile("server-renewed.crt.pem");
```
Rekey
```csharp
// Load the certificate being replaced and its (classical) key
var oldCert = ctx.LoadCertificate("server.crt.pem");
var oldKey = ctx.LoadPrivateKey("server.key.pem", password);

// Generate new key pair (e.g., migration to ML-DSA)
using var newKey = ctx.GenerateKeyPair(PqAlgorithm.MlDsa65);

// CSR with new key, same subject
var csr = ctx.CreateCertificateRequest(newKey, oldCert.Subject);
var newCert = ctx.IssueCertificate(csr, issuerCert, issuerKey, validDays: 365);
newCert.ToPemFile("server-rekeyed.crt.pem");

// Securely destroy old key
oldKey.Dispose();
```
Related Categories
| Category | Relationship |
|---|---|
| 3. Issue Certificates | New certificate for rekey |
| 6. Revocation | Revoke old certificate after rekey |
| 11. Key Management | Key rotation |
Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional
Last modified: 2026/01/30 at 06:53 AM