The CA will allow routine re-keying before expiration of the subscribers current certificate. The re-key request must be accompanied by a request based on a new key pair. Recertification of the existing public key is not allowed.
Re-key authentication may be be the procedure detailed in section 3.1.9, or by signing the re-key request with a current, valid private key, provided that the last identification according to 3.1.9 is not longer ago than 5 years. In case the request is signed by the subscribers existing cert, the CA shall assign a RA to re-validate the subscriber data, the subscriber affiliation, and the right of the subscriber to a certificate.