6.6 Certificate renewal
If a certificate policy is set to Automatic Renewal, MyID creates a job to renew the certificate when it comes within a specified number of days of expiry. The number of days is specified in the TaskCountdown table; see section 13.3.1, Triggering the notification for details.
When MyID renews a certificate, it also re-keys: a new key pair is generated and the new certificate is issued against the new key. If any of the user data that appears on the certificate has changed since the original was issued, the updated data appears on the new certificate.
If the certificate renewed is also present on any other devices, an update job is automatically created for these devices so that they will recover a copy of the new certificate.
Note: The original certificate is not revoked; it remains valid until it reaches its own expiry date unless you revoke it separately.
Users can collect certificate renewal jobs in the following ways:
- Using the Self-Service App.
- Using the Self-Service Kiosk.
- From a hyperlink in an email notification that launches MyID Desktop at the Collect My Updates workflow.
- From the Collect My Updates workflow in MyID Desktop.
Renewal behaves differently for archived and non-archived certificates, and differently again for devices with managed containers (such as PIV cards) and non-managed devices.
For non-managed devices:
- Renewed archived certificates are placed in a new container on the device, and the credential profile historic certificate configuration determines whether to remove any previous certificates from the device so that the number of historic certificates does not exceed the configured limit.
- Non-archived certificates that have been renewed are removed from the device automatically after the new certificate is issued.
For managed devices:
- Archived certificates that have been renewed are overwritten by the new certificate and automatically recovered to historic containers according to the credential profile configuration.
- Non-archived certificates that have been renewed are overwritten by the new certificate and are therefore no longer present on the device.
- Historic archived certificates may be removed from the device so that the number of historic certificates does not exceed the configured limit in the credential profile.
6.6.1 Credential lifetimes and certificate renewal
The lifetime of the smart card, as configured in the credential profile, may have an effect on your certificate renewals.
- If the Restrict certificate lifetimes to the card configuration option is set to Yes, the certificates are issued with lifetimes that fall within the lifetime of the smart card. If this option is set to No, the renewed certificates may exceed the lifetime of the smart card.
- The Card Renewal Period configuration option determines whether the certificates are renewed automatically or the card holder must request a renewed card. By default this is set to 42 days. If the card has more than 42 days of lifetime remaining when its certificates expire (for example, 50 days), you cannot request a renewed smart card, but automatic certificate renewal takes place; if the card has fewer than 42 days remaining (for example, 30 days), the certificates are not renewed automatically, and you must request a replacement smart card instead.
Note: There is no automatic process for renewing smart cards as there is for renewing certificates. However, if the certificates expire within the Card Renewal Period window, this triggers a notification that the card holder must request a replacement smart card.
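The following is an added illustration of the renewal-window rules described in sections 6.6 and 6.6.1; it is not MyID code and does not read MyID configuration. It models the TaskCountdown value, the Card Renewal Period (default 42) and the Restrict certificate lifetimes to the card option as fields of a hypothetical RenewalPolicy, assumes a nominal 365-day certificate lifetime, and treats a card with exactly 42 days remaining as inside the renewal window (replacement card), a boundary case this section does not state.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class RenewalPolicy:
    """Hypothetical model of the settings named in 6.6 and 6.6.1 (not MyID's own schema)."""
    task_countdown_days: int                      # TaskCountdown: days before expiry at which the renewal job is created
    card_renewal_period_days: int = 42            # Card Renewal Period (default 42)
    restrict_cert_lifetime_to_card: bool = True   # "Restrict certificate lifetimes to the card"
    cert_validity_days: int = 365                 # assumed nominal lifetime the CA would issue


def _as_date(d) -> date:
    """Accept either a date or an ISO-8601 string such as '2025-06-30'."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def renewal_job_due(today, cert_expiry, policy: RenewalPolicy) -> bool:
    """True once the certificate is within TaskCountdown days of expiry (section 6.6)."""
    today, cert_expiry = _as_date(today), _as_date(cert_expiry)
    return today >= cert_expiry - timedelta(days=policy.task_countdown_days)


def renewal_action(cert_expiry, card_expiry, policy: RenewalPolicy) -> str:
    """Automatic certificate renewal if the card outlives the certificate by more than
    the Card Renewal Period; otherwise the holder must request a replacement card.
    Assumption: exactly card_renewal_period_days left counts as inside the window."""
    days_left_on_card = (_as_date(card_expiry) - _as_date(cert_expiry)).days
    if days_left_on_card > policy.card_renewal_period_days:
        return "auto-renew-certificate"
    return "request-replacement-card"


def renewed_cert_expiry(issue_date, card_expiry, policy: RenewalPolicy) -> date:
    """Expiry of the renewed certificate, capped at the card's lifetime when the
    Restrict certificate lifetimes to the card option is Yes."""
    nominal = _as_date(issue_date) + timedelta(days=policy.cert_validity_days)
    if policy.restrict_cert_lifetime_to_card:
        return min(nominal, _as_date(card_expiry))
    return nominal


def plan_renewal(today, cert_expiry, card_expiry, policy: RenewalPolicy) -> dict:
    """Combine the three rules into one decision for a given card/certificate pair."""
    action = renewal_action(cert_expiry, card_expiry, policy)
    plan = {
        "job_due": renewal_job_due(today, cert_expiry, policy),
        "action": action,
        "days_left_on_card_at_cert_expiry": (_as_date(card_expiry) - _as_date(cert_expiry)).days,
    }
    if action == "auto-renew-certificate":
        # The renewed certificate is issued on the day the job is collected (assumed: today).
        plan["new_cert_expiry"] = renewed_cert_expiry(today, card_expiry, policy).isoformat()
    return plan


if __name__ == "__main__":
    # Constructed sample: certificates expire 2025-06-30; the two cards mirror the
    # 50-day and 30-day examples in section 6.6.1.
    policy = RenewalPolicy(task_countdown_days=30)
    for card_expiry in ("2025-08-19", "2025-07-30"):
        print(card_expiry, plan_renewal("2025-06-01", "2025-06-30", card_expiry, policy))
```

With the 50-day card the plan is automatic renewal, and because the lifetime restriction is on, the new certificate is cut back to the card's expiry rather than running a full 365 days; with the 30-day card the only outcome is a replacement-card request, regardless of whether the renewal job is already due.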
6.6.2 Known issues
- IKB-306 – Extra email notification sent when renewing encryption certificates
If you use the Self-Service App to renew a credential that contains an encryption certificate, and whose credential profile is configured for logon codes, at the end of the certificate collection process you may receive an extra email notification providing an unnecessary logon code.