Chapter 24 Issuing and Managing Server Certificates 787

Renewal of Server Certificates

Every certificate issued by Certificate Management System has a validity period that determines its expiration date. The validity period of a certificate is determined by the validity constraints policy settings at the time the certificate was issued (see section “ValidityConstraints Plug-in Module” in CMS Plug-Ins Guide). For a certificate to be valid beyond its expiration date, it must be renewed. Otherwise, the certificate becomes invalid, and the entity owning the certificate will no longer be able to use it. Also, the expired certificate will take up space in your publishing directory and in the internal database of Certificate Management System.

Note that the Job scheduler component of Certificate Management System enables you to schedule a job for removing expired certificates from the publishing directory. For details, see “Configuring a Subsystem to Run Automated Jobs” on page 545.

Certificate Management System allows server administrators to renew their certificates by using the server enrollment form hosted by a Certificate Manager or Registration Manager. The renewal process is similar to the enrollment process in that the administrators must manually generate the certificate-signing request using the server’s key pair, paste that request in the manual enrollment form, and submit the request. For details, see “Certificate Issuance to Servers” on page 777.

For renewing the certificates of a Certificate Manager, Registration Manager, or Data Recovery Manager, see “Renewing Certificates for the Subsystems” on page 474.

Revocation of Server Certificates

Certificate Management System allows a certificate to be revoked by an end user (the original owner of the certificate), a server administrator, or by a Certificate Manager or Registration Manager agent. End users can revoke certificates by using the Revocation form provided in the end-entity services interface. Agents can revoke end-entity certificates by using the appropriate form in the Agent Services interface. Certificate-based (SSL client authentication) or challenge-password-based authentication is required in both cases; for details, see “Authentication of End Users During Certificate Revocation” on page 497.

• An end user can revoke only those certificates that contain the same subject name as in the certificate presented for authentication; if using a challenge password, the user can revoke only the certificate that is associated with that password. After successful authentication, the server lists the certificates