<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
I read and reread your email a few times but am still not sure why
you want the CA to be responsible for giving you the p12, especially
the CA has no idea what password was used for enveloping. And why
does the user need the private key if the user is supposed to
already have the private key?<br>
The KRA does allow you to recover keys if you lost your keys, but it
requires agent approval.<br>
<br>
Could the user not just get the renewed cert, import it into the nss
db, and then export the cert and its keys into a p12 themselves?
Why use an old p12?<br>
<br>
Christina<br>
<br>
<br>
<div class="moz-cite-prefix">On 10/27/2015 04:20 AM, Marcin
Mierzejewski wrote:<br>
</div>
<blockquote
cite="mid:CANDaADu=3M9wfjZB3Y9tTULHbhOirpD-a2nMFMCxHMeppSSN7Q@mail.gmail.com"
type="cite">
<div dir="ltr">I'm trying to generate new .p12 file for renewed
certificate, becouse old version p12 file after that renewation
has private key linked to certificate which is not the latest
one(however keypair and all subject data are the same)
<div>What is my idea?</div>
<div>- create "caManualRenewal" enrollment</div>
<div>- read crmf from enrollment</div>
<div>- get private key from crmf</div>
<div>- approve renewal request</div>
<div>- return new p12 file with new cert and this privkey to
user</div>
<div><br>
</div>
<div>It's even possible to do something like this? It makes
sense to recreate that file or user can use old p12 file even
after renewal?</div>
<div><br>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Pki-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Pki-users@redhat.com">Pki-users@redhat.com</a>
<a class="moz-txt-link-freetext" href="https://www.redhat.com/mailman/listinfo/pki-users">https://www.redhat.com/mailman/listinfo/pki-users</a></pre>
</blockquote>
<br>
</body>
</html>