Renewing a SubCA Signed by an External CA
When you renew a SubCA signed by an external CA you create a new request that is sent to the external CA. The External CA issues a new certificate that you import in your SubCA.
You can renew the SubCA in two ways:
Using the same CA signing keys.
Generating new CA signing keys.
To renew a CA go to "Certificate Authorities" select the SubCA and use the button "Renew CA" in the bottom of the page. The CA's Crypto Token must be active to make a certificate signing request (and optionally for key generation).
When you generate new keys for the SubCA, the new keys will not be used until you upload a new CA certificate for this key pair. Until then, the CA will continue to work as if nothing has happened (and issue certificates with the current CA signing key pair).