New certificate for old keys

Usually, each time you request a new certificate you also generate a new key pair.

In special situations you may receive a new certificate for an existing key pair, for example when the certification authority re-signs your unchanged public key. Replacing the certificate without losing the private key can then be difficult, because most programs do not support this case.

Then you should proceed as follows:

  1. Export your digital ID from your programs into a PKCS#12 file.

  2. Extract your private key from the PKCS#12 file.

  3. Assemble a new PKCS#12 file from the private key and the new certificates.

  4. Import the newly assembled PKCS#12 file into your programs.

Of course, all file names below are only examples; you can choose your own.

1. Export digital ID

You should already have done this when picking up your certificate, but you can repeat this step at any time.

Please note the first part of each guide under Request and pick up.

2. Extract your private key

To do so, you have to use the OpenSSL software from the command prompt. On Linux and macOS it is usually installed already (run openssl version to check; on macOS the openssl command is provided by LibreSSL, which works for the commands below). Owners of Windows computers can obtain a build through the links on www.openssl.org, or use the openssl.exe shipped with Git for Windows.

If digital-id.p12 is the PKCS#12 file, you can use the following command (type everything in one line) to extract your private key into a file private-key.pem:

openssl pkcs12
  -in digital-id.p12
  -out private-key.pem
  -nocerts

You will be asked for passwords several times: first for the import password of digital-id.p12, so that the private key can be unpacked, then twice for a new pass phrase that protects private-key.pem, into which the key is packed again. You can use the same password for both files. Note that private-key.pem now holds your private key outside any key store: keep it readable only by yourself and delete it once step 4 is done. If you use OpenSSL 3 and the command fails with an "unsupported" error, the PKCS#12 file was created with old, weak algorithms; add the option -legacy to the command.

3. Assemble a new PKCS#12 file

Here, too, you have to use the OpenSSL software. You need three files:

  • Your private key saved above as private-key.pem.

  • Your new certificate certificate.pem. You can find it in the attachment of the email sent to you by the certification authority.

  • The intermediate certificates used for your certificate, saved as all-ca.pem. This PEM file must contain every certificate of the chain from your certificate's issuer up to and including the root, so that OpenSSL can verify the chain in the command below.

With the command below (type everything in one line) you create a new PKCS#12 file new-digital-id.p12, containing the private key and all needed certificates (and only those):

openssl pkcs12 -export
  -in certificate.pem
  -inkey private-key.pem
  -chain -CAfile all-ca.pem
  -name "New digital ID"
  -out new-digital-id.p12

In place of New digital ID you should give a name and date or similar details, since many programs display this name in their list of digital IDs.

Again you will be asked for passwords several times: first for the pass phrase of private-key.pem, so that the key can be unpacked, then twice for the export password of new-digital-id.p12, into which it is packed again. Again you can use the same password for both files. If the command stops with an error such as "unable to get local issuer certificate", all-ca.pem is missing a certificate of the chain. If a program refuses to import the new file, it may not understand the modern encryption OpenSSL 3 uses by default; in that case add -legacy to the export command to produce a file with the older algorithms.
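The whole procedure of steps 2 and 3 as a runnable shell script, added here as an example; it is not part of the original guide. It constructs its own throwaway CA, an "old" digital ID and a "new" certificate for the same key in a temporary directory, so it runs offline; the passwords given with pass: and the file names are assumptions made for scripting (interactively, let openssl prompt for passwords instead). Besides the two commands from the text it adds the check a practitioner wants before step 3, namely that the public key in the new certificate equals the public key of the extracted private key, confirms that the new PKCS#12 file contains the chain, and deletes the bare private-key.pem afterwards.

```sh
#!/bin/sh
# Added example (not from the original guide): steps 2 and 3 end to end.
# Everything is constructed locally: a throwaway CA, an "old" digital ID and
# a "new" certificate for the same key, plus a certificate for a different key
# to show the mismatch check failing. Passwords are passed as pass:... only to
# keep the example scriptable; file names follow the guide.
set -eu

# Build the fixture in $1 using password $2: digital-id.p12 (old ID),
# certificate.pem (new cert, same key), wrong-certificate.pem (other key),
# all-ca.pem (issuer chain, here just the self-signed root).
make_fixture() {
  (
    cd "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
      -subj "/CN=Example CA" -days 365 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout key.pem -out req.csr \
      -subj "/CN=Old digital ID" 2>/dev/null
    openssl x509 -req -in req.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
      -out old-certificate.pem -days 365 2>/dev/null
    openssl pkcs12 -export -in old-certificate.pem -inkey key.pem \
      -name "Old digital ID" -out digital-id.p12 -passout "$2"
    # the CA issues a new certificate for the SAME key (same CSR) ...
    openssl x509 -req -in req.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
      -out certificate.pem -days 365 2>/dev/null
    # ... and, for the negative check, one for a different key
    openssl req -newkey rsa:2048 -nodes -keyout other.key -out other.csr \
      -subj "/CN=Somebody else" 2>/dev/null
    openssl x509 -req -in other.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
      -out wrong-certificate.pem -days 365 2>/dev/null
    cp ca.pem all-ca.pem
  )
}

# Step 2: extract only the private key (as encrypted PEM) from the old file.
extract_key() {
  openssl pkcs12 -in "$1/digital-id.p12" -out "$1/private-key.pem" -nocerts \
    -passin "$2" -passout "$2"
  chmod 600 "$1/private-key.pem"   # the key is now a bare file: protect it
}

# Check before step 3: the public key inside the (new) certificate $3 must be
# identical to the public key derived from the extracted private key.
cert_matches_key() {
  key_pub=$(openssl pkey -in "$1/private-key.pem" -passin "$2" -pubout)
  cert_pub=$(openssl x509 -in "$1/${3:-certificate.pem}" -noout -pubkey)
  [ "$key_pub" = "$cert_pub" ]
}

# Step 3: assemble key + new certificate + verified chain into a new PKCS#12.
assemble_p12() {
  openssl pkcs12 -export -in "$1/certificate.pem" -inkey "$1/private-key.pem" \
    -passin "$2" -chain -CAfile "$1/all-ca.pem" -name "New digital ID" \
    -out "$1/new-digital-id.p12" -passout "$2"
}

# Number of certificates in the PKCS#12 file $1 (leaf + chain); 0 if the file
# cannot be opened with password $2.
count_certs() {
  openssl pkcs12 -in "$1" -passin "$2" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE' || true
}

demo() {
  dir=$(mktemp -d)
  pass="pass:example-only"   # constructed password, for the example only
  make_fixture "$dir" "$pass"
  extract_key "$dir" "$pass"
  if ! cert_matches_key "$dir" "$pass"; then
    echo "new certificate does not belong to the old private key" >&2
    return 1
  fi
  assemble_p12 "$dir" "$pass"
  echo "certificates in new-digital-id.p12: $(count_certs "$dir/new-digital-id.p12" "$pass")"
  rm -f "$dir/private-key.pem"   # do not leave the bare key lying around
}

demo
```

The mismatch check matters because openssl pkcs12 -export happily packs any certificate next to any key; only the comparison of the two public keys tells you that the CA really re-signed your existing key rather than issuing a certificate for a fresh one.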

4. Import new PKCS#12 file

You find the guides for this step under Import and use.