Public key is different when renewing a certificate

  • Javier Arjona Sanchez

    EJBCA 4.0.16
    Operating System: Solaris 10
    Jboss 5.1.0

    When I renew my certificate, my public key is different from the one in my previous certificate. Why? The documentation says "Certificate renewal simply means issuance of a new certificate containing the same public key as an already issued certificate".

    I have the renew module enabled. When I renew a certificate using "Renew Browser Certificate", I later download the new certificate using the "Create Keystore" option from the public web.

    I have this CA configuration:

    - Enforce unique public keys --> Enforce: checked
    - Enforce unique DN --> Enforce: checked
    - Enforce unique Subject DN SerialNumber --> Enforce: NOT checked
    - Use Certificate Request History --> Use: checked
    - Use User Storage --> Use: checked
    - Use Certificate Storage --> Use: checked


  • Tomas Gustavsson

    You need to use keystore type "user generated". Create keystore with a keystore type of p12, jks or pem will always generate a new server-generated key pair.
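
The check behind this answer, as an added example that is not part of the thread and not EJBCA or PrimeKey code: a POSIX shell script that fingerprints the SubjectPublicKeyInfo of two certificates with the openssl command-line tool and reports whether they carry the same public key. The demo material it generates (self-signed certificates for one reused key pair and for a freshly generated one) is constructed for illustration; it assumes `openssl` is on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread or from EJBCA): verify whether a
# "renewed" certificate really reuses the old public key.
# Assumes the openssl command-line tool is on the PATH.

# SHA-256 fingerprint of a certificate's DER-encoded SubjectPublicKeyInfo.
spki_fingerprint() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 \
    | awk '{print $NF}'
}

# Prints "same" when both certificates carry the same public key,
# "different" otherwise.  Usage: compare_public_keys old.pem new.pem
compare_public_keys() {
  old_fp=$(spki_fingerprint "$1")
  new_fp=$(spki_fingerprint "$2")
  if [ -n "$old_fp" ] && [ "$old_fp" = "$new_fp" ]; then
    echo same
  else
    echo different
  fi
}

# Constructed, throwaway demo material in a temp directory:
#   cert1.pem / cert2.pem - two certificates for the SAME key pair
#                           (what a renewal with a user-generated key gives)
#   cert3.pem             - a certificate for a NEW key pair
#                           (what a server-generated p12/jks/pem keystore gives)
# Prints the directory path.
make_demo_certs() {
  dir=$(mktemp -d)
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/user.key" 2>/dev/null
  openssl req -x509 -new -key "$dir/user.key" -subj "/CN=renewal-demo" \
    -days 30 -out "$dir/cert1.pem" 2>/dev/null
  openssl req -x509 -new -key "$dir/user.key" -subj "/CN=renewal-demo" \
    -days 30 -out "$dir/cert2.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/server.key" \
    -subj "/CN=renewal-demo" -days 30 -out "$dir/cert3.pem" 2>/dev/null
  echo "$dir"
}

# Stand-alone use: with two arguments, compare those certificates;
# with none, run the demo and show both outcomes.
if [ $# -eq 2 ]; then
  compare_public_keys "$1" "$2"
elif [ $# -eq 0 ]; then
  demo=$(make_demo_certs)
  echo "reused key pair:  $(compare_public_keys "$demo/cert1.pem" "$demo/cert2.pem")"
  echo "fresh key pair:   $(compare_public_keys "$demo/cert1.pem" "$demo/cert3.pem")"
  rm -rf "$demo"
fi
```

Run it as `sh check_renewal.sh old.pem new.pem` against the certificate you renewed and the one you downloaded; "different" means the download step produced a new key pair, which is exactly what a server-generated keystore does. Comparing the SPKI fingerprint rather than the whole certificate is deliberate: serial number, validity and signature legitimately change on every renewal, the public key is the one field that should not.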

  • Javier Arjona Sanchez

    Hi Tomas,
    But then I have one problem, because I need two functionalities:
    1) I need key recovery available for certificates --> For this, I need the p12 or pem token type
    2) I need certificate renewal with the same public key --> For this, I need "user generated"

    How can I have both functions at once? Are they incompatible?

    Thanks and Regards

  • Tomas Gustavsson

    Yes, that is incompatible. What you want to do is key recovery. With key recovery you can choose to issue a new certificate, or reuse the old one.


    PrimeKey Solutions offers commercial EJBCA and SignServer support subscriptions and training courses. Please see or contact for more information.

  • Javier Arjona Sanchez

    Hi Tomas again,
    I don't understand you. How can I choose this?
    I want to do this:

    First I create a new user with a P12 token and issue a new certificate for this user. If I need to recover this certificate "n" times, I want the "Key Recoverable" button to be available at all times in the certificate view. If this certificate is "expiring", I want to renew it with the same public key.

    Then, if I have the following configuration in the "Key Recoverable" section of my End Entity Profile:
    - "Use": checked
    - "Default": checked
    - "Reuse old certificate": checked

    How can I renew the certificates with the same public key?

    Thanks and Regards

  • Tomas Gustavsson

    Edit the end entity and uncheck "Reuse old certificate". Then a new certificate will be issued when you key recover the certificate.

  • Javier Arjona Sanchez

    Ok, then when I want to recover the same certificate I need to have "Reuse old certificate" checked, and when I want to renew the certificate I need to have "Reuse old certificate" unchecked.

    Is it correct?

    Thanks for everything, Tomas, and regards
