Certificate Renewal Process for
Registration Authorities and Agents
Requesting/Renewing your agent certificate
- You should receive a renewal
notice from the CA about 30 days before expiration.
- You must send an S/MIME signed
email to email@example.com
- Attach to your email a base 64 (PEM)
copy of the renewed certificate
- You must sign the email with
either your present or renewed certificate
- You must use the template
provided in Section A.3.3 from
Policies that relate to your Agent
- The agent role is tied to a
particular certificate (see below).
- Subscription model for agents:
provides evidence that you want this agent role to continue,
and with what certificate.
- Agents can delegate the right
to act in the role of agents to other certificates that they
own themselves (that are bound to their identity). They cannot
delegate that right to a different person, without going
through the formal approval process.
- This renewal process
demonstrates to a reasonable certainty that you still possess
the original private key and that you are in control of the
renewal process and renewed certificate. Signing the account
update/renewal request gives us a simple demonstration of this
and the links to the appropriate operations in the service.
ESnet CA managers responsibilities
- ESnet CA managers will verify
that the enclosed certificate is appropriate for the intended
task, including its link to the identity of the agent.
- The ESnet CA managers may, at
their discretion, verify this renewal request by other means.
- The agent role binds an agent
account to a particular certificate (serial number and key
pair), or set of certificates. Renewal of a certificate in the
CMS product does not automatically entitle the renewed
certificate to continue in the role of agent.
Renewed certificates are not
valid until the moment of expiration of the original
certificate. The CMS product does not allow us to add invalid
(including not-yet-valid) certificates to agent accounts.
Agents should expect an outage at the cross-over time, and
are encouraged to contact ESnet CA management to make sure the
new certificate is installed promptly.
$Id: AgentRequest.html,v 1.5 2010/07/19 22:53:43 helm Exp $