Renewing a SubCA Signed by an External CA

When you renew a SubCA signed by an external CA you create a new request that is sent to the external CA. The External CA issues a new certificate that you import in your SubCA.

You can renew the SubCA in two ways:

  1. Using the same CA signing keys.
  2. Generating new CA signing keys.

To renew a CA go to "Certificate Authorities" select the SubCA and use the button "Renew CA" in the bottom of the page. The CA's Crypto Token must be active to make a certificate signing request (and optionally for key generation).

When you generate new keys for the SubCA, the new keys will not be used until you upload a new CA certificate for this key pair. Until then, the CA will continue to work as if nothing has happened (and issue certificates with the current CA signing key pair).