Someone asked me a question yesterday and I initially wanted to just point them at a document or website rather than type out my explanation. Unfortunately, 5 minutes of searching yielded no results. So, below is my guide to the difference between renewal, re-key, and re-issuance of an X.509 public key certificate.

  • Renewal is when all the identifying information and the public key from the old certificate are duplicated in the new certificate, but there is a different (longer) validity period.
  • Re-key is when all the identifying information from the old certificate is duplicated in the new certificate, but there is a different public key and (usually) a different validity period.
  • Re-issuance is when a certificate holder registers for a new certificate, but there is an opportunity to change the identifying information (e.g. new email address, new last name, etc.) or other information (corrected certificate policies, modified key usage, etc.) from what was in the old certificate. The new certificate also has a different public key and a different validity period from the old certificate. (Thanks to Carl Wallace for suggesting the addition of non-ID information changes.)
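The three definitions above reduce to comparing three things between the old and new certificate: the identifying information, the subject public key, and the validity period. The following Go program is an added example, not code from the post: it uses only the standard library's crypto/x509 to mint a constructed original certificate and five replacements (self-signed, with a placeholder holder "Alice Smith" and a placeholder email address, so it runs offline with no CA), then classifies each replacement by exactly those three comparisons. Key usage stands in for the "other information" whose change the post also counts as re-issuance; the serial number is deliberately ignored, since every newly issued certificate gets a fresh one and it never tells the cases apart.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"slices"
	"time"
)

// Kind is how a replacement certificate relates to the one it supersedes.
type Kind string

const (
	Duplicate  Kind = "duplicate"   // identity, key and validity all unchanged
	Renewal    Kind = "renewal"     // same identity and key, new validity period
	Rekey      Kind = "re-key"      // same identity, new key
	Reissuance Kind = "re-issuance" // identity or other information changed
)

// Classify compares a replaced certificate (prev) with its replacement (next)
// on the three attributes the post distinguishes. The serial number is ignored:
// every issued certificate gets a fresh one, so it never separates the cases.
func Classify(prev, next *x509.Certificate) Kind {
	sameIdentity := bytes.Equal(prev.RawSubject, next.RawSubject) &&
		slices.Equal(prev.DNSNames, next.DNSNames) &&
		slices.Equal(prev.EmailAddresses, next.EmailAddresses)
	// Key usage stands in for the "other information" whose change the post
	// also files under re-issuance (policies, usages, ...).
	sameOther := prev.KeyUsage == next.KeyUsage
	sameKey := bytes.Equal(prev.RawSubjectPublicKeyInfo, next.RawSubjectPublicKeyInfo)
	sameValidity := prev.NotBefore.Equal(next.NotBefore) && prev.NotAfter.Equal(next.NotAfter)

	switch {
	case !sameIdentity || !sameOther:
		return Reissuance
	case !sameKey:
		return Rekey
	case !sameValidity:
		return Renewal
	default:
		return Duplicate
	}
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template fills in the fields for a constructed holder; the name and email
// are placeholders, not a real person or domain. ASN.1 stores validity times
// to the second, so callers pass whole-second times.
func template(cn, email string, serial int64, notBefore time.Time, days int, usage x509.KeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:   big.NewInt(serial),
		Subject:        pkix.Name{CommonName: cn, Organization: []string{"Example Corp"}},
		EmailAddresses: []string{email},
		NotBefore:      notBefore,
		NotAfter:       notBefore.AddDate(0, 0, days),
		KeyUsage:       usage,
	}
}

// selfSign issues the template under its own key so the example needs no CA,
// then re-parses the DER so Classify sees exactly what a relying party would.
func selfSign(tmpl *x509.Certificate, key *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

// RunScenarios issues one original certificate and five replacements and
// returns how Classify labels each replacement.
func RunScenarios() map[string]Kind {
	t0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	t1 := t0.AddDate(1, 0, 0)
	k1 := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	k2 := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	sig := x509.KeyUsageDigitalSignature
	orig := selfSign(template("Alice Smith", "alice@example.com", 1, t0, 365, sig), k1)

	return map[string]Kind{
		"duplicate":    Classify(orig, selfSign(template("Alice Smith", "alice@example.com", 2, t0, 365, sig), k1)),
		"renewal":      Classify(orig, selfSign(template("Alice Smith", "alice@example.com", 3, t1, 730, sig), k1)),
		"re-key":       Classify(orig, selfSign(template("Alice Smith", "alice@example.com", 4, t1, 365, sig), k2)),
		"name change":  Classify(orig, selfSign(template("Alice Jones", "alice@example.com", 5, t1, 365, sig), k2)),
		"usage change": Classify(orig, selfSign(template("Alice Smith", "alice@example.com", 6, t1, 365, sig|x509.KeyUsageContentCommitment), k2)),
	}
}

func main() {
	for name, kind := range RunScenarios() {
		fmt.Printf("%-13s -> %s\n", name, kind)
	}
}
```

The order of the checks matters: a name change with a new key is a re-issuance, not a re-key, because the identity test is applied first, and a certificate that changes nothing but the serial number is flagged as a duplicate rather than a renewal. Run over a CA's issuance log or a Certificate Transparency feed, the same comparison lets an operator spot renewals that carried a key past its intended cryptoperiod, or re-issuances whose identity change nobody requested.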

OK, so that’s one page for my as-yet unwritten book on PKI. I welcome ideas for other pages!

One thought on “Renewal, Re-key, and Re-issuance”

  1. Anil says:

    I think we’re in need of a very well thought out real-world analogy of PKI and key exchange.

    The ones out there now are either too simple/inaccurate or complex/nobody really gets it. None of the explanations I’ve heard make people go “Ah-ha!”.

    A page on “should I sign/encrypt everything” and “when I can’t sign/encrypt for some reason – what’s the risk in just sending something plain text once or twice via email or storing it on my laptop over a weekend?”

    Thinking about regular folks some more:
    *Who invented PKI?
    (Yes, I know that question has holes in it).

    *PKI in 25 years.

    *If there were a magic wand, what would PKI-perfection be?

    *PKI outside of computers (cars, home security, etc.).

    Hope this mini-brainstorm helps.
