The REKEY/ROLLOVER subcommands can be used to extend the expiration date of a certificate; however, that is not the intended use of these subcommands. The REKEY subcommand is intended to generate a new public/private key pair for an existing certificate. Other procedures are recommended for renewing certificates that are about to expire.
Release: CA ACF2 16
Component: ACF2MS
Certificates that are expired or about to expire can be renewed with a new expiration date. To renew a certificate, either a new certificate with a new public/private key pair can be generated, or the expiring certificate can be replaced/renewed with the same public/private key pair and a new expiration date.
There are different procedures that can be followed to replace an expiring or expired digital certificate, depending on whether the certificate is signed by a local CA (Certificate Authority) or a third party CA. These procedures replace the existing certificate with one that has a new expiration date while retaining the public/private key pair of the certificate. Two example procedures for renewing certificates are available in the following knowledge documents.
Article Id 26820: How can an expiring or expired user digital certificate signed by a third party CA (Certificate Authority) be renewed?
Article Id 26637: How can an expiring or expired user digital certificate signed by a local CA (Certificate Authority) be renewed?
Because the REKEY/ROLLOVER subcommands create a new certificate from an existing certificate with a new public/private key pair, sites should be cautious because of the following.
Details on the ACF2 digital certificate ACF subcommands, including RENEW, REKEY and ROLLOVER, can be found in the CA-ACF2 documentation in the section "Process Digital Certificates with CA ACF2".