This is a back-up process of public and private key material over multiple systems or devices. It’s a tool that prevents the re-creation of private and public key material from the backup. The key materials are backed up and then mathematically distributed across several systems or devices. Usually three people are assigned specific, separate job responsibilities within different portions of the organization. These clarifications impede attempts to recover keys without permission. The mathematical equation supports any number of users up to 255 for the splitting activity.
Assuming a key can be used throughout its validation period without revocation, it is then renewed. Identity verification is not required to obtain a new certificate. If the certificate is in good standing, and the key is renewed with the same CA, the old key can be used to sign the request for the new key. There should be established trust between the renewer and the CA based on the person’s credentials.
Key update is a second type of renewal where a new key is produced by modifying the existing key. The process of key renewal depends on the user and CA requirements. The process is also applied with a CA’s key pair as those keys undergo renewal as well. A CA can also use its old key to sign the new key. The PKI renewal process is performed by creating three new keys.
- The CA produces another self-signed certificate. This time, the CA signs the new public key using the old private key that is about to expire.
- Next, the CA server signs the old public keys with the new private key. This is done to avoid an overlap between the new key activation and old key expiration.
- Lastly, the new public key is signed with the new private key.
The reason for these steps is based on two important points:
- Since a CA verifies the credentials of other parties, rigorous steps need to be implemented when renewing the CA’s own certificate.
- Creating numerous keys makes the changeover from old keys to new keys transparent to the end user.
When a key pair and certificate validation expire, they must be destroyed. If the key pair is used for digital signatures, the private key portion should be destroyed to prevent future signing attempts. Key pairs used for privacy purposes can be archived in case it needs to be used to decrypt archived data that was encrypted using it. The digital certificate must be added to the CRL as soon as the certificate is no longer valid. This process occurs irrespective of the archive or non-archive status of the private key for future use. The extra step of notifying individuals who use the certificate of its invalid status may be needed depending on the sensitivity level.
