000025675 - How to renew a user certificate that is about to expire

Document created by RSA Customer Support Employee on Jun 16, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 4Show Document
  • View in full screen mode

Article Content

Article Number000025675
Applies ToKeon Certificate Authority 6.0.2
Keon Registration Authority 6.0.2
IssueHow to renew a user certificate that is about to expire
Several user certificates are about to expire
ResolutionThere are three methods to renew user certificates that are about to expire:

1. The administrator or vettor can send an email notification to the user just before the user's certificate is due to expire using the "cert-expiry-notify.xuda template". This template enables CA Administrators to enter a certificate expiry date range for a specific CA. The default certificate expiry range is one month from the day of the CA Administrator?s query. All users whose certificate is within the range specified by the administrator will be emailed.

Administrators and Vettors connect directly to the notification template using the following URL:


NOTE: The solution titled How to email a different link to users with certificates about to expire describes how to forward the users to the enrollment server if necessary (using the default configuration is the preferred solution).

2. The user can connect directly to the enrollment server using a Web browser to renew the certificate without vettor intervention.

 a. The administrator or vettor should define the ?Certificate Renewal Policies? in the corresponding Jurisdiction(s) to allow the manual renewal of end-entity certificates that are about to expire. The policies can be set as follows:

 - In the KCA Web interface, go to the "CA Operations" workbench
 - On the left pane, select the CA that you want to edit
 - On the right pane, under the "Jurisdictions Configuration:" heading, select the Jurisdiction to edit and click on "Configure"
 - Select "Certificate Renewal Policy" from the "Sections" drop-down list on the Jurisdiction Configuration page
 - Consult page 126 of the "RSA Keon Certificate Authority 6.0.2 - Administrator?s Guide" regarding how to configure the policies

 b. The user can use the following procedure to renew their certificate:

 - Using a Web browser, connect to the enrollment server
 - Under the "Jurisdiction Operations" heading, select a Jurisdiction from the drop-down list and click "Continue"
 - Click the Re-issue your client certificate link
 - Click OK on the dialog box
 - When prompted to select a certificate, select the one that will be renewed
 - Click on "Renew Certificate"
 - Click "Install Client Certificate"
 - Click on "Install" and, if prompted, allow the Active-X control to be downloaded

3. The administrator or vettor can manually renew any user certificate, in this case the "Certificate Renewal Policies" do not apply:

 a. The following procedure can be followed to manually renew the certificate:

 - Go to the "Certificate Operations" workbench
 - On the left pane, under the "Requests" heading, click on "Approved"
 - Select the appropriate Jurisdiction and look for the certificate to be renewed (listed as Approved)
 - Review and edit the information in the certificate request, if necessary
 - If profiles are available, select a profile from the list
 - Click Issue Certificate
 - If you selected any certificate profiles, enter the appropriate values for each extension
 - Click on "Create Certificate"

NOTE: If Keon Web PassPort was used to enroll for the certificate, review the solution titled Error: 'req-authorize.xuda: Line 506: [XrcNOTFOUND] unable to locate requested member or object. Unable to sign certificate [unable to locate requested member or object]' for further information.
Legacy Article IDa14442