6.5 Certificate renewal
If a certificate policy is set to Automatic Renewal, MyID creates a job to renew the certificate when it comes within a specified number of days of expiry. The number of days is specified in the TaskCountdown table; see section 11.3.1, Triggering the notification for details.
When MyID performs a certificate renewal, it also re-keys: a new key pair is generated and the new certificate is issued against the new key. If any of the user data that appears on the certificate has changed since the original was issued, the new certificate carries the updated data.
If the certificate renewed is also present on any other devices, an update job is automatically created for these devices so that they will recover a copy of the new certificate.
Note: The original certificate is allowed to expire; it is not revoked. It therefore remains valid to relying parties until its expiry date, so renewal is not a substitute for revocation if the old key is suspected of compromise.
Users can collect certificate renewal jobs in the following ways:
- Using the Self-Service App.
- From a hyperlink in an email notification that launches MyID Desktop at the Collect My Updates workflow.
- From the Collect My Updates workflow in MyID Desktop.
Renewal behaves differently for archived and non-archived certificates, and also for devices with managed containers (such as PIV cards) compared with non-managed devices.
For non-managed devices:
- Renewed archived certificates are placed in a new container on the device, and the credential profile's historic certificate configuration determines whether previous certificates are removed from the device so that the number of historic certificates does not exceed the configured limit.
- Non-archived certificates that have been renewed are removed from the device automatically after the new certificate is issued.
For managed devices:
- Archived certificates that have been renewed are overwritten by the new certificate and automatically recovered to historic containers according to the credential profile configuration.
- Non-archived certificates that have been renewed are overwritten by the new certificate and are therefore no longer present on the device.
- Historic archived certificates may be removed from the device so that the number of historic certificates does not exceed the configured limit in the credential profile.
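The following is an added illustrative model, not MyID code, of the rules in this section: the TaskCountdown trigger, the re-key on renewal, the update job for other devices holding the old certificate, and the four device/archive cases listed above. The container labels (`ctr0`, `9A`, `historic-<serial>`), the `historic_limit` field standing in for the credential profile's historic certificate limit, and the `Cert`/`Device` structures are assumptions made for the example.

```python
"""Illustrative model (an added example, not MyID's code) of the renewal rules in this section."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Cert:
    serial: str
    key_id: str            # key pair the cert was issued against; renewal always re-keys
    not_after: datetime
    archived: bool         # private key archived at issuance, so a historic copy is recoverable
    revoked: bool = False  # renewal never sets this: the old cert simply expires


@dataclass
class Device:
    name: str
    managed: bool          # fixed containers (PIV-style) vs free-form containers
    historic_limit: int    # assumed name for the credential profile's historic-certificate limit
    containers: dict = field(default_factory=dict)  # container id -> Cert
    historic: list = field(default_factory=list)    # historic container ids, newest first
    next_id: int = 0


def renewal_due(cert: Cert, task_countdown_days: int, now: datetime) -> bool:
    """The renewal job is created once the cert is within TaskCountdown days of expiry."""
    return cert.not_after - now <= timedelta(days=task_countdown_days)


def rekey(old: Cert, new_serial: str, lifetime_days: int, now: datetime) -> Cert:
    """A renewal is also a re-key: the new cert is bound to a freshly generated key."""
    return Cert(new_serial, f"key-{new_serial}", now + timedelta(days=lifetime_days), old.archived)


def prune_historic(device: Device) -> None:
    """Drop the oldest historic certs beyond the configured limit."""
    while len(device.historic) > device.historic_limit:
        del device.containers[device.historic.pop()]


def renew_on_device(device: Device, container_id: str, new_cert: Cert) -> str:
    """Apply the section's four cases; returns the container now holding the new cert."""
    old = device.containers[container_id]
    if device.managed:
        device.containers[container_id] = new_cert          # overwritten in place
        if old.archived:                                    # recovered to a historic container
            hid = f"historic-{old.serial}"
            device.containers[hid] = old
            device.historic.insert(0, hid)
        new_id = container_id
    else:
        device.next_id += 1
        new_id = f"ctr{device.next_id}"
        device.containers[new_id] = new_cert                # placed in a new container
        if old.archived:
            device.historic.insert(0, container_id)         # previous container becomes historic
        else:
            del device.containers[container_id]             # non-archived old cert removed
    prune_historic(device)
    return new_id


def devices_needing_update(devices, serial: str):
    """Other devices holding the renewed cert get an update job to recover the new one."""
    return [d.name for d in devices if any(c.serial == serial for c in d.containers.values())]


def demo():
    """Renew twice with a historic limit of 1 in each of the four cases; return final containers."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    results = {}
    for managed, archived in [(False, True), (False, False), (True, True), (True, False)]:
        dev = Device("dev", managed, historic_limit=1)
        cid = "9A" if managed else "ctr0"          # illustrative slot / container labels
        dev.containers[cid] = Cert("C1", "key-C1", now + timedelta(days=20), archived)
        assert renewal_due(dev.containers[cid], task_countdown_days=30, now=now)
        cid = renew_on_device(dev, cid, rekey(dev.containers[cid], "C2", 365, now))
        cid = renew_on_device(dev, cid, rekey(dev.containers[cid], "C3", 365, now))
        results[(managed, archived)] = sorted(dev.containers)
    return results


def update_job_demo():
    """Constructed sample: a cert held on a card and a laptop, but not on a phone."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    shared = Cert("S1", "key-S1", now + timedelta(days=10), archived=True)
    card = Device("card", True, 1, {"9A": shared})
    laptop = Device("laptop", False, 1, {"ctr0": shared})
    phone = Device("phone", False, 1, {})
    return devices_needing_update([card, laptop, phone], "S1")


if __name__ == "__main__":
    print(demo())             # final container ids per (managed, archived) case
    print(update_job_demo())  # devices that get an update job
```

With a historic limit of 1, both device types end up holding the current certificate plus at most one historic archived copy; the difference is only where it lives (a previous free-form container on a non-managed device, a dedicated historic container on a managed one). Non-archived certificates leave no copy behind in either case.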