I have set up a small X.509 certificate authority for internal use in my network. Now I want to renew a certificate, and I want to know how I should do it.

  • Can the new certificate reuse the same key pair as the expired one?
    • Should it?
  • Can I reuse the serial number too?
grawity

3 Answers

Renewing the same private key when it's getting close to expiration is the exact same as renewing a password that's getting close to expiration. If the password/key isn't compromised, then you're not doing anything wrong.

But "best practice" would tell us that one doesn't always know if a password/key has been quietly compromised, and thus it is best to follow expiration and replacement policies.

ashim

Typically best practice is to place the old cert on a CRL and generate a new one from scratch. I wouldn't re-use anything, just bad practice imho. In some instances you might be able to get away with reusing different bits, but I for one consider that a problem with the certificate trust model.

If you are talking about the root certificate, I make them last for a REALLY long time when setting up private CAs.

RobotHumans

Do not reuse either the key pair or the serial number.

If a certificate is revoked, then it is identified in the Certificate Revocation List (CRL) by its serial number. If you would like to be able to revoke the old one while keeping the new one, don't reuse the serial number.

harrymc
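The point in the last answer, shown with real X.509 objects as an added example (not code from any of the answers above): a relying party matches a CRL entry by issuer and serial number only, so a "renewed" certificate that reuses the old serial is treated as revoked the moment the old one is. It assumes the pyca `cryptography` package is installed; the CA name, serials and dates are constructed for the demo.

```python
"""Added example: why a renewed certificate must not reuse the old serial
number when revocation is published through a CRL. Assumes `cryptography`."""
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

NOW = datetime.datetime(2024, 1, 1, tzinfo=datetime.timezone.utc)  # constructed
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "demo-ca")])  # constructed
CA_KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)

def issue(subject_cn, serial, key, days):
    """Issue a CA-signed end-entity certificate with an explicit serial number."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, subject_cn)])
    return (x509.CertificateBuilder()
            .subject_name(subject)
            .issuer_name(CA_NAME)
            .public_key(key.public_key())
            .serial_number(serial)
            .not_valid_before(NOW)
            .not_valid_after(NOW + datetime.timedelta(days=days))
            .sign(CA_KEY, hashes.SHA256()))

def build_crl(revoked_serials):
    """Publish a CRL listing the given serials, as the CA does after a revocation."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(CA_NAME)
               .last_update(NOW)
               .next_update(NOW + datetime.timedelta(days=30)))
    for serial in revoked_serials:
        entry = (x509.RevokedCertificateBuilder()
                 .serial_number(serial).revocation_date(NOW).build())
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(CA_KEY, hashes.SHA256())

def is_revoked(cert, crl):
    """CRL lookup is by serial number; the certificate's key pair plays no part."""
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None

def renewal_scenario(reuse_serial):
    """Revoke the old cert; report (old_revoked, new_revoked) for the renewed one."""
    old_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    new_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    old = issue("server", 0x1234, old_key, days=1)          # constructed serial
    new_serial = 0x1234 if reuse_serial else x509.random_serial_number()
    new = issue("server", new_serial, new_key, days=365)  # fresh key pair either way
    crl = build_crl([old.serial_number])                  # revoke only the old cert
    return is_revoked(old, crl), is_revoked(new, crl)
```

`renewal_scenario(True)` returns `(True, True)`: the new key pair does not help, because the CRL never looks at keys. With a fresh serial the result is `(True, False)`, which is the behaviour you want.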