Renew certificates via SCEP
To renew a certificate from a SCEP-enabled certificate profile in DigiCert® Trust Lifecycle Manager:
The certificate must be within the renewal window configured in the certificate profile.
The CSR must have the same Subject DN values as the original certificate. You can reuse the original CSR or create a new CSR with the same Subject DN values.
The CSR in the renewal request must be signed using the same private key that was used to generate the original certificate.
Send the CSR to the SCEP Server URL for the certificate profile, but use the renew operation in your SCEP request instead of the enroll operation.
Notice
See Enroll certificates via SCEP for additional information about how to create a CSR for SCEP-based certificate requests.
Convert private key from PEM to DER
The CSR in each SCEP renewal request must be signed using the same private key that was used to generate the CSR for the original certificate. The SCEP server for Trust Lifecycle Manager expects CSRs to be in DER format.
Use the following command format to convert a private key from PEM to DER format for use when signing a DER-encoded CSR.
openssl pkcs8 -topk8 -inform PEM -outform DER -in device.pem.key -out device.der.key -nocrypt
In this example:
The original PEM-encoded private key file is device.pem.key.
The converted DER-encoded private key is output to the device.der.key file.
Test renewal using the DigiCert SCEP client
The following command shows how to test renewal using the DigiCert SCEP client.
java -jar ./DigicertScepClient.jar -url <scep-url> -operation renew -cert out/device.der.cer -key device.der.key -csr device.der.csr
In this example:
Substitute <scep-url> with the value of the SCEP Server URL from your certificate profile in Trust Lifecycle Manager.
The operation is specified as renew to request renewal of the original certificate via SCEP.
The original certificate is stored in the file out/device.der.cer, the private key is in device.der.key, and the CSR is in device.der.csr. All files are DER-encoded.
The DigiCert SCEP client uses the DER-encoded private key to sign the CSR before sending the renewal request to the SCEP server.
Notice
If you don't have the DigiCert SCEP client, contact your DigiCert account representative to request access.
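As an added example that is not DigiCert's code, the following script prepares a DER-encoded renewal CSR from the original key (including the PEM-to-DER key conversion shown above) and checks, before anything is sent to the SCEP server, the two renewal requirements stated above: the CSR's public key must match the original certificate and its Subject DN must be unchanged. It assumes openssl is on PATH; the "original" certificate is a constructed self-signed stand-in for the one issued via SCEP, and the file names and Subject DN are sample values.

```shell
#!/bin/sh
# Added example (not DigiCert's code): build a SCEP renewal CSR from the
# original key and verify it matches the original certificate before use.
# Assumes openssl is on PATH. The "original" certificate is a constructed
# self-signed stand-in for the certificate that was issued via SCEP.
set -eu
WORK=${WORK:-$(mktemp -d)}
SUBJ="/CN=device-001/O=Example Corp"   # constructed sample Subject DN

# Stand-in for the original enrollment: PEM private key plus DER certificate.
make_original() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "$SUBJ" \
    -keyout "$WORK/device.pem.key" -out "$WORK/device.pem.cer" 2>/dev/null
  openssl x509 -in "$WORK/device.pem.cer" -outform DER -out "$WORK/device.der.cer"
}

# Renewal CSR: same private key, same Subject DN, DER-encoded as the Trust
# Lifecycle Manager SCEP server expects. The key is converted PEM -> DER first.
make_renewal_csr() {
  openssl pkcs8 -topk8 -inform PEM -outform DER -nocrypt \
    -in "$WORK/device.pem.key" -out "$WORK/device.der.key"
  openssl req -new -key "$WORK/device.der.key" -keyform DER -subj "$SUBJ" \
    -outform DER -out "$WORK/device.der.csr"
}

# Failure case: correct Subject DN but a freshly generated key. A renewal
# request built like this does not meet the same-private-key requirement.
make_wrong_key_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "$SUBJ" \
    -keyout "$WORK/rogue.pem.key" -outform DER -out "$WORK/rogue.der.csr" 2>/dev/null
}

# Returns 0 only if the CSR's public key and Subject DN both match the
# original certificate; reports which check failed otherwise.
check_renewal_csr() {
  cert=$1; csr=$2
  cert_pub=$(openssl x509 -in "$cert" -inform DER -noout -pubkey | openssl sha256)
  csr_pub=$(openssl req -in "$csr" -inform DER -noout -pubkey | openssl sha256)
  cert_dn=$(openssl x509 -in "$cert" -inform DER -noout -subject -nameopt RFC2253)
  csr_dn=$(openssl req -in "$csr" -inform DER -noout -subject -nameopt RFC2253)
  [ "$cert_pub" = "$csr_pub" ] || { echo "public key differs from original certificate"; return 1; }
  [ "$cert_dn" = "$csr_dn" ] || { echo "Subject DN differs from original certificate"; return 1; }
  echo "renewal CSR matches original certificate"
}
```

Run make_original, make_renewal_csr and then check_renewal_csr on device.der.cer and device.der.csr; the resulting device.der.key and device.der.csr are the files passed to the SCEP client's -key and -csr options.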