To transition an existing certificate to a more cryptographically secure algorithm, you can rekey the certificate.
The rekeying process is designed to ensure a smooth migration while maintaining compatibility with existing systems.
Review the following points before you rekey a certificate:

- The certificate must have an online status.
- The corresponding keypair can be either online or offline; however, dynamic keypairs cannot be rekeyed.
- To implement automatic rekeying, auto-renewal must be enabled in the certificate profile.
- HSM does not support PQC algorithms. If a rekey is initiated for an HSM keypair using a PQC algorithm, the new keypair is generated on disk instead of in the HSM.
- CertCentral does not support all algorithms. PQC and EdDSA algorithms do not appear as options in CertCentral profiles.
- Certificate renewal only applies to the default certificate of the production keypair.
To enable automatic rekeying in a certificate profile:

1. Sign in to DigiCert ONE.
2. Navigate to the Manager menu icon (top-right) and select Software Trust.
3. In the left navigation menu, select Certificates > Certificate profiles.
4. Locate and select the desired certificate profile.
5. Select the pencil icon to edit.
6. For Auto-renew, select Yes.
7. For Auto-renew scope, select Apply to new and existing certificates.
8. Activate Initiate re-key process upon certificate auto-renewal.
9. Select the desired Re-key algorithm and Security level. If you are using an HSM keypair with a PQC algorithm, a warning is displayed.
10. Save your changes.
Afterwards, when a certificate reaches its renewal period, the following steps run automatically:

1. A new keypair is generated based on the rekey settings.
2. A new certificate is generated using the newly created keypair.
3. The keypair is transitioned by renaming the new keypair to match the name of the old keypair.
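As an added example that is not part of this page or of DigiCert's software, the following Go program models the three automatic rekey steps above, together with the preconditions listed earlier, against a hypothetical in-memory keystore. The Keypair type and the functions Rekey, NewRSAKeypair and KeyDescription are assumed names, not a DigiCert ONE API. Rekey refuses dynamic keypairs and certificates that are not online, generates a new ECDSA P-384 keypair, issues a new certificate for the same subject with it, and then renames the new keypair to the old name so that anything resolving the keypair by name picks up the new key. Self-signing stands in for CA issuance, and the HSM-versus-disk placement rule is not modelled.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Keypair is a hypothetical in-memory model of a named keypair and its default
// certificate (not a DigiCert ONE type); it only carries the rules the page states.
type Keypair struct {
	Name       string
	Dynamic    bool   // dynamic keypairs cannot be rekeyed
	CertStatus string // the certificate must be "online" to be rekeyed
	Priv       crypto.Signer
	Cert       *x509.Certificate
}

// selfSign issues a self-signed certificate for priv; it stands in for CA issuance.
func selfSign(priv crypto.Signer, cn string) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewRSAKeypair builds a constructed "old" RSA keypair with an online certificate.
func NewRSAKeypair(name string, bits int) (*Keypair, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	cert, err := selfSign(priv, name+".example")
	if err != nil {
		return nil, err
	}
	return &Keypair{Name: name, CertStatus: "online", Priv: priv, Cert: cert}, nil
}

// KeyDescription reports the algorithm and size of a certificate's public key,
// which is what an operator verifies before and after a rekey.
func KeyDescription(c *x509.Certificate) string {
	switch pub := c.PublicKey.(type) {
	case *rsa.PublicKey:
		return fmt.Sprintf("RSA-%d", pub.N.BitLen())
	case *ecdsa.PublicKey:
		return "ECDSA-" + pub.Curve.Params().Name
	}
	return c.PublicKeyAlgorithm.String()
}

// Rekey applies the page's three steps to the keypair called name: generate a new
// keypair (ECDSA P-384 here), issue a new certificate for the same subject with it,
// then give the new keypair the old name so lookups by name pick up the new key.
func Rekey(store map[string]*Keypair, name string) (*Keypair, error) {
	old, ok := store[name]
	if !ok {
		return nil, errors.New("no keypair named " + name)
	}
	if old.Dynamic || old.CertStatus != "online" {
		return nil, errors.New("keypair must be non-dynamic with an online certificate")
	}
	newPriv, err := ecdsa.GenerateKey(elliptic.P384(), rand.Reader) // step 1
	if err != nil {
		return nil, err
	}
	fresh := &Keypair{Name: name + "-rekey", CertStatus: "online", Priv: newPriv}
	if fresh.Cert, err = selfSign(newPriv, old.Cert.Subject.CommonName); err != nil { // step 2
		return nil, err
	}
	fresh.Name = name // step 3: the new keypair takes over the old name
	store[name] = fresh
	return fresh, nil
}

func main() {
	store := map[string]*Keypair{}
	old, err := NewRSAKeypair("prod-signing", 2048)
	if err != nil {
		panic(err)
	}
	store[old.Name] = old
	fresh, err := Rekey(store, "prod-signing")
	if err != nil {
		panic(err)
	}
	fmt.Println(KeyDescription(old.Cert), "->", KeyDescription(fresh.Cert))
}
```

Running the program prints the key description before and after the transition (RSA-2048 to ECDSA-P-384 in this constructed case); the same KeyDescription check, run against the certificate actually served after a production rekey, is the quickest way to confirm that the renamed keypair is the new one and not the old.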