What happens when certificate expire?

[rroques]

Hi all,

Looking at the documentation for key management and the expiry dates, can you please detail what the standard operational procedure would look like to renew certificates before they expire?

My understanding is that, before the delegation/targets keys expire 3 years after creation, they must be rotated. Rotating the keys will invalidate the old keys, making the previously signed data untrusted, and will involve having to re-sign all data with the new keys. Is that correct?

Many thanks.

[IAL32]

That is correct. Every content signed with the expired/old rotated keys must be resigned.