Chapter 4 Certificate Extension Plug-in Modules

same chapter. For example, if you want to include different policy statements in different types of certificates, you should create multiple instances of the policy module and configure each instance with the appropriate policy OID and predicate expression.

CertificateRenewalWindowExt Plug-in Module

The CertificateRenewalWindowExt plug-in module implements the certificate renewal window extension policy. This policy enables you to configure Certificate Management System to add the Certificate Renewal Window Extension to certificates. The extension, which must be noncritical, aids in managing the life cycle of a certificate by specifying a process to follow for renewing a certificate and by defining a time window when automatic renewal of the certificate should be attempted.

Every certificate issued by Certificate Management System has a validity period beyond which it cannot be used. In order to continue to participate in the PKI-using system beyond this validity period, the entity owning the certificate must renew the certificate. Renewal of a certificate essentially means getting a new certificate for the existing key pair with a new validity time period (and updated attributes).

Once a certificate is issued, the owner of the certificate may attempt its renewal any time. To prevent certificate owners from renewing their certificates too often and thus reduce the overhead of processing new certificate requests, the CA can use a policy that restricts the time period when certificate renewal may occur. For example, the CA can use a policy that limits the renewal process to the last few weeks or days of validity of the certificate, thus defining a certificate renewal window. In general, the renewal window must be sufficient for the renewal to occur, but at the same time delay the renewal as long as possible to best utilize a certificate’s lifetime.

The certificate-renewal process is often different than the enrollment process an entity uses to obtain the certificate; this is because the entity already owns a key pair that is associated with his or her identity. For example, in Certificate Management System, the certificate-renewal process for end users is different than the enrollment process they used to obtain the certificate. To renew their certificates, end users go to the certificate-renewal interface of Certificate Management System and submit their original certificates; for details, see section “Authentication of End Users During Certificate Renewal” in Chapter 15, “Setting Up End-User Authentication” of CMS Installation and Setup Guide.