Rekey certificates

To transition an existing certificate to a more cryptographically secure algorithm, rekey the certificate.

The rekeying process is designed to ensure a smooth migration while maintaining compatibility with existing systems.

Before you begin

Before you rekey a certificate, review the following statements:

  • The certificate must have an online status.

  • The corresponding keypair can be online or offline; however, dynamic keypairs can't be rekeyed.

  • To implement automatic rekeying, auto-renewal must be enabled in the certificate profile.

  • HSMs don't support PQC algorithms.

    • If a rekey is initiated for an HSM keypair using a PQC algorithm, the new keypair is generated on disk instead of in the HSM.

  • CertCentral doesn't support all algorithms.

    • PQC and EdDSA algorithms won't appear as options in CertCentral profiles.

  • Certificate renewal only applies to the default certificate of the production keypair.

Rekey existing certificates

  1. Sign in to DigiCert ONE.

  2. In the Software Trust menu, go to Certificates > Certificate profiles.

  3. Select the desired certificate profile.

  4. Select the blue edit (pencil) icon.

  5. For Auto-renew, select Yes.

  6. For Auto-renew scope, select Apply to new and existing certificates.

  7. Select Initiate re-key process upon certificate auto-renewal.

  8. Select the desired Re-key algorithm and Security level.

    • If you are using an HSM keypair with a PQC algorithm, a warning is displayed.

  9. Select Update certificate profile.

Afterwards, when a certificate reaches its renewal period, DigiCert ONE will:

  • Generate a new keypair based on rekey settings.

  • Generate a new certificate using the newly created keypair.

  • Transition the keypair by renaming the new keypair to match the name of the old keypair.
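The three steps above produce a renewed certificate that should sit on a brand-new key of the chosen algorithm. The following added example (not DigiCert ONE tooling) checks exactly that from the outside by comparing the old and new certificates: it assumes `openssl` is on PATH and constructs its own RSA and P-384 sample certificates to stand in for the pre- and post-rekey certificates.

```shell
#!/bin/sh
# Added verification example: after an auto-renewal rekey, confirm that the renewed
# certificate carries a *new* public key of the intended algorithm rather than
# re-certifying the old key. Requires openssl on PATH (assumption, not from the page).
set -e

WORK=$(mktemp -d)

# Constructed sample data: an "old" RSA-2048 certificate and a "new" ECDSA P-384
# certificate standing in for the pre- and post-rekey default certificates of a keypair.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example-signer" \
  -keyout "$WORK/old.key" -out "$WORK/old.crt" >/dev/null 2>&1
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-384 -nodes -days 1 \
  -subj "/CN=example-signer" -keyout "$WORK/new.key" -out "$WORK/new.crt" >/dev/null 2>&1

# SHA-256 of the DER SubjectPublicKeyInfo: two certificates share a key iff these match.
spki_sha256() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Public key algorithm as printed by openssl, e.g. "rsaEncryption" or "id-ecPublicKey".
key_algorithm() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1
}

# verify_rekey OLD_CERT NEW_CERT EXPECTED_ALGORITHM
# Returns 0 when the key changed and the new key uses the expected algorithm,
# 1 when the old key was reused, 2 when the new key is not of the expected algorithm.
verify_rekey() {
  [ "$(spki_sha256 "$1")" != "$(spki_sha256 "$2")" ] || return 1
  key_algorithm "$2" | grep -q "$3" || return 2
  return 0
}

if verify_rekey "$WORK/old.crt" "$WORK/new.crt" "id-ecPublicKey"; then
  echo "rekey verified: new key, algorithm $(key_algorithm "$WORK/new.crt")"
fi
```

In practice you would point `verify_rekey` at the certificate exported before the renewal period and the one DigiCert ONE issued afterwards, with the algorithm string matching the Re-key algorithm you selected in the profile.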