In PKI, if an existing key is lost or compromised, rekeying a certificate generates a new key pair for the certificate. 


  • Rekeying a certificate will rekey the server certificates. 
  • In case of CSR and smart card token-based certificates, rekeying a certificate will create new artifacts against the same request; it will not revoke the previous certificate.
  • In ADSS Web RA, rekeying is not available for expired or revoked certificates. 
  • An administrator will be able to view, decline or approve rekey requests.


As a prerequisite, the Rekey Certificate option should be enabled in the Policy section of the admin portal.


An operator can initiate rekey requests from both admin and web portal. See Rekey Requests


A user will be required to agree to a Subscriber Agreement while rekeying a certificate. 


This section lists all the rekey requests.


Expand Requests > Rekey Requests from the left menu pane. The Rekey Requests listing will appear. The Request By column will display the Citizen ID below the user name if it is enabled in Configurations > Default Settings.



If vetting is enabled from the configurations section, rekey requests initiated from the web portal can be approved from the admin portal. 


  1. Expand Requests > Certificates from the left menu pane.
  2. Click the button against the certificate that you want to rekey and click on More Actions.
  3. The Certificate action screen will be displayed. Select Rekey Certificate from the drop-down, select the confirmation button 'Are you sure you want to rekey this certificate?' and then click View Request.
  4. The Certificate Signing Request (CSR) screen will appear. Upload a valid CSR and then click >.
  5. The Subject Distinguished Name (SDN) screen will appear with its fields in a disabled (read-only) form. Click >.
  6. The Subject Alternative Name (SAN) screen will appear. Click >.
  7. The Certificate Validity screen will appear. Click >.
  8. The Domain Ownership Verification screen will appear with the CAA record as unverified. Click the Verify button to validate the CAA record.
  9. Once the CAA record is verified, click Rekey.
  10. The certificate rekey screen will appear. Click Rekey.
  11. Once the certificate rekey process is complete, a certificate will be generated.
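The CSR uploaded at the CSR step must be built on a newly generated key pair, since replacing the key is the whole point of a rekey. The shell script below is an added example and is not part of ADSS Web RA or this guide: it uses OpenSSL to generate a fresh key and CSR, checks that the CSR's self-signature verifies, and confirms that the public key in the CSR differs from the key being replaced, so that a CSR accidentally generated from the old key is caught before upload. The subject DN, the file names and the $WORK directory are constructed assumptions.

```shell
#!/bin/sh
# Added example (not ADSS Web RA tooling): prepare and sanity-check a rekey CSR.
set -eu

# Working directory for the generated files (assumption; override with WORK=...).
WORK="${WORK:-$(mktemp -d)}"

# Generate a 2048-bit RSA private key at the given path.
gen_key() {  # $1 = output path
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
}

# Build a SHA-256 signed CSR for the given key and subject DN.
make_csr() {  # $1 = private key, $2 = CSR output path, $3 = subject DN
  openssl req -new -key "$1" -out "$2" -subj "$3" -sha256 2>/dev/null
}

# Return 0 when the CSR parses and its self-signature verifies.
csr_is_valid() {  # $1 = CSR path
  openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Fingerprint (SHA-256 over DER SubjectPublicKeyInfo) of a private key's public half.
pubkey_fp_of_key() {  # $1 = private key path
  openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# Same fingerprint, taken from the public key embedded in a CSR.
pubkey_fp_of_csr() {  # $1 = CSR path
  openssl req -in "$1" -pubkey -noout 2>/dev/null \
    | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 | awk '{print $NF}'
}

# Return 0 only if the CSR carries a key different from the one being replaced.
csr_uses_new_key() {  # $1 = old private key, $2 = CSR path
  old_fp=$(pubkey_fp_of_key "$1")
  new_fp=$(pubkey_fp_of_csr "$2")
  [ -n "$old_fp" ] && [ -n "$new_fp" ] && [ "$old_fp" != "$new_fp" ]
}

# End-to-end: old key (stands in for the key being replaced), new key, rekey CSR, checks.
rekey_demo() {
  gen_key "$WORK/old.key"
  gen_key "$WORK/new.key"
  make_csr "$WORK/new.key" "$WORK/rekey.csr" "/CN=server.example.com/O=Example Org"
  csr_is_valid "$WORK/rekey.csr" && csr_uses_new_key "$WORK/old.key" "$WORK/rekey.csr"
}

rekey_demo && echo "CSR ready for upload: $WORK/rekey.csr"
```

The old key here is generated only to stand in for the key already on the server; in practice point pubkey_fp_of_key at that existing key file. If csr_uses_new_key fails, the CSR was signed with the key you are trying to retire and must be regenerated before uploading it at the CSR step.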




Second Factor Authentication 


If second factor authentication is enabled on certificate requests, the configured authentication mechanism is applied. When a user clicks the Generate button, the authentication window will appear, and once the selected method has been completed successfully, the certificate is generated.


The authentication mechanism can be one of the following:


  • SMS OTP Authentication 
  • Email OTP Authentication 
  • Email & SMS Authentication
  • SAML Authentication 
  • Active Directory Authentication 
  • Azure Active Directory Authentication
  • OIDC Authentication