3.1.1.4.3.2 Renew Certificate Requests

When sending a certificate renewal request, clients MUST use the CMS structure with an embedded PKCS #10 certificate request, as specified in [RFC3852] and [RFC2986], or the CMS structure with an embedded CMC request format, as specified in [RFC3852] and [RFC2797]. The client MUST follow the requirements specified in the following sections.

The renewal request MUST be done either by using an existing public-private key pair associated with the certificate being renewed or by creating a new public-private key pair. See the following sections for details about how those key pairs are used to form a request.