Certificates

For a guide on how to request a certificate, visit Issue your first certificate.

1. View Certificates

Available certificates for a realm can be viewed and searched for in the Certificates page. An advanced search and filtering mechanism provides a wide range of ways to find a specific certificate. Selected rows can be exported as Comma Separated Values (CSV) via Actions → Export selected as CSV. An admin can also filter the view to show only the archived certificates by pressing the Show Archived button in the Actions dropdown list.

2. Import Certificates

External certificates can be imported in the Certificates / Show tab by clicking the Import button. After selecting a valid policy that will be used for the certificates, the user can then select the file that contains the PEM-encoded certificates to be imported. Once the PEM file is selected, the total number of certificates that will be imported is displayed and the user can then complete or cancel the import.
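A pre-import check for the PEM file, added here as an example (not MTG code): it counts the CERTIFICATE blocks so the figure can be compared with the total the import dialog displays, and flags private-key blocks, duplicates and blocks that do not decode to a single DER SEQUENCE. The function names and sample data are assumptions constructed for illustration, and the check looks only at the outer DER shape, not the full X.509 structure.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

def der_is_single_sequence(der: bytes) -> bool:
    """True if der is exactly one DER SEQUENCE, the outer shape of a certificate."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        header, length = 2, first
    else:                                  # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)

def preflight(pem_text: str) -> dict:
    report = dict(certificates=0, duplicates=0, malformed=0, private_keys=0, other=0)
    seen = set()
    for label, body in PEM_BLOCK.findall(pem_text):
        if label.endswith("PRIVATE KEY"):  # key material does not belong in this file
            report["private_keys"] += 1
        elif label != "CERTIFICATE":
            report["other"] += 1
        else:
            try:
                der = base64.b64decode("".join(body.split()), validate=True)
            except ValueError:
                der = b""
            if not der_is_single_sequence(der):
                report["malformed"] += 1
            elif hashlib.sha256(der).digest() in seen:
                report["duplicates"] += 1
            else:
                seen.add(hashlib.sha256(der).digest())
                report["certificates"] += 1
    return report

def _pem(label: str, der: bytes) -> str:
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"

# Constructed placeholders: minimal DER SEQUENCEs, not real certificates or keys.
A, B, CUT = b"\x30\x03\x02\x01\x01", b"\x30\x03\x02\x01\x02", b"\x30\x05\x02\x01\x01"
SAMPLE = (_pem("CERTIFICATE", A) + _pem("CERTIFICATE", B) + _pem("CERTIFICATE", A)
          + _pem("RSA PRIVATE KEY", A) + _pem("CERTIFICATE", CUT))
```

Run `preflight()` on the file contents before uploading; a non-zero `private_keys` count means the file should be cleaned before it leaves the workstation.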

3. Archive Certificates

A user can archive or unarchive a certificate by entering the Certificate/Show tab. There, by pressing the certificate’s name, the user will be redirected to the certificate details page. By pressing the Archive or the Unarchive button the certificate will be archived or unarchived accordingly. Batch Archive and Batch Undo-Archive actions are also supported by selecting the checkboxes of the desired certificates and choosing the Archive All Selected and Undo-Archive All Selected buttons in the Actions dropdown. When a certificate is archived or unarchived, its associated certificate request is also archived or unarchived respectively. Active certificates cannot be archived. Archived certificates that are linked to an archived policy, end entity or realm cannot be unarchived. Archived certificates cannot be used for new operations.

4. Delete Certificates

A user can delete an archived certificate through the Certificate page, the Show Certificates Table or the Administration/Archived Data Removal tab. In the Certificate page, a Delete button appears after the certificate has been archived. In the Show Certificates Table, pressing Actions→Show Archived shows the archived entities; certificates can then be selected and deleted through Actions→Delete all selected. The user can also delete one certificate at a time by pressing the row actions button and then Delete Certificate. Finally, in the Administration/Archived Data Removal tab, choose Certificates in the Choose entity to delete dropdown. As an extra safeguard, the archived records to be deleted can be restricted by the date on which they were archived: in the Choose date calendar, select the date before which the records must have been archived in order to be deleted by this action, and press Delete. Upon deletion, the certificate requests linked to the deleted certificates are also deleted.

5. Download Certificate

A certificate can be downloaded either in single mode or in chain mode, where the complete certificate chain is downloaded in PEM format.

6. Download private key of a Certificate

The private key of a certificate can be retrieved in PEM format.

7. Download CRL

The latest certificate revocation list (CRL) of the issuing CA can be downloaded from the certificate details page via the Download button. The CRL is not retrieved directly from the CA; instead, the CRL distribution points of the certificate are used, and access to these points is required for the CRL to be downloaded successfully.

8. E-Mail Certificate

A certificate can be sent to the end entity’s E-Mail.

The E-Mail will be sent successfully only if the E-Mail address of the end entity to whom the certificate belongs is available.

9. OCSP Status Check

In the certificate details page, an Ocsp Status field presents the current OCSP (Online Certificate Status Protocol) status of the certificate as provided by the OCSP Responder configured within the certificate itself.

For the OCSP check to work, network access to the OCSP Responder is required. If a network error hinders the request, the status is shown as Unavailable.

10. Revoke Certificate

A certificate can be revoked by providing a revocation reason.

If the certificate is revoked from outside the MTG Certificate Lifecycle Manager Server UI, for example via the Admin Frontend of MTG CARA, the revocation will not become visible in the MTG Certificate Lifecycle Manager Server UI. To avoid this, use only the MTG Certificate Lifecycle Manager Server UI to revoke certificates that are managed by the MTG Certificate Lifecycle Manager Server.

11. Mark Certificate As Revoked

One or more certificate(s) can be marked as revoked. These certificate(s) are not actually going to be revoked; they are just going to be marked as such.

As a result of this action, the status of the above certificate(s) might not represent the real status of the actual certificate(s). This functionality allows the user to manually synchronize MTG Certificate Lifecycle Manager Server when actions have occurred outside the MTG Certificate Lifecycle Manager Server UI, for example via the Admin Frontend of MTG CARA.