Certificates issued by the Certification Service are shown here and certificates issued through Key Manager or Manual Certification (sub module of Manage CAs) are shown in the Manage CAs module. Those can be viewed within the Manage CA(s) service against the particular CA by clicking on the Issued Certificates button. If an end user certificate got renewed then it's old certificate will be marked revoked and a new certificate will be generated, in order to check the latest and revoked certificates for a particular end user, just expand the certificate by clicking on '+' button then all the old revoked certificates will be shown as child.

The Issued Certificates navigation button within the ADSS Certification Service allows you to view all certificates generated through the service interface:



Each item in the screenshot is described below:

Items

Description

Certificate Alias

A unique identifier for the certificate (as provided by the client application within the request message).

CA Name

The name (i.e. alias) of the CA that is issued the certificate.

Client ID

This is the Client ID as found in the request message.

Certificate Profile

The certification profile used to generate this certificate.

Crypto Source

Shows that this certificate is stored on software or hardware device.

Valid From

The “valid from” date of the certificate (taken from the certificate itself).

Valid To

The “valid to” date of the certificate (taken from the certificate itself)

SCT

CT column is shown only when certificate transparency module is enabled in license. By clicking the view link SCT request/response viewer is shown.  

Status

Whether the certificate is labeled as “active”, “inactive” or “revoked” in the database. Note “inactive”and "revoked" certificates cannot be used for signing purpose, i.e. the ADSS Signing Service will not allow a revoked/inactive certificate to be used by a business application or user to sign a document.


If an issued certificate is required to be deleted and the same certificate alias is required to be used for the new certificate then operator need to restart the ADSS Core, Console and Service instances from Windows NT Services panel or UNIX daemon.


By clicking the view link SCT request/response viewer is shown:



In case when SCT is not received from the Log Server then SCT Request/Response Viewer looks like:

You can select a certificate, and then either View or Revoke or Delete it. By clicking on View and Certificate Alias, the issued certificate is shown like this:



Clicking on the Revoke button will show the following screen where invalidity date, revocation code and hold instruction code can be provided before revoking the certificate:

A certificate revoked with the certificateHold instruction code can be activated later on by using the Reinstate button. Once the certificate is revoked or activated, an instant revocation entry will be made into the database instead of issuing an emergency CRL for each revocation. CRL publishing is costly if they are published too frequently. To decrease the cost of resources, the idea of instant revocation is introduced. It works for the  locally configured CA(s) only.  External systems that are polling for CRLs issued by ADSS Server's Managed CAs have to download the CRLs in order the get the latest revocation information.

The table below describes possible revocation reasons that can be selected:

Items

Description

unspecified

This reason indicates that the certificate is revoked for an unknown reason.

keyCompromise

This reason indicates that it is known or suspected that the certificate subject's private key has been compromised.

cACompromise

This reason indicates that it is known or suspected that the certificate subject's private key has been compromised.

affiliationChanged

This reason indicates that the subject's name or other information has changed.

superseded

This reason indicates that the certificate has been superseded, a new certificate is replacing an existing certificate.

sessationOfOperation

This reason indicates that the certificate is no longer needed.

certificateHold

This reason indicates that the certificate has been put on hold (Revoke temporarily). One of the following hold instructions should be provided:

  • id-holdinstruction-none
  • id-holdinstruction-callissuer
  • id-holdinstruction-reject

removeFromCRL

This reason indicates that the certificate was previously on hold and should be removed from the CRL.

privilageWithdrawn

This reason indicates that the privileges granted to the subject of the certificate have been withdrawn.

aACompromise

This reason indicates that it is known or suspected that the certificate subject's private key has been compromised.


The list of issued certificates can be sorted in either Ascending or Descending order by selecting a table column from the drop down list. 


Clicking on the Search button on the Certification Service >> Issued Certificates main page will display the following screen: 


This helps to locate a certificate that the Certification Service may have issued. Certificates can be searched based on  issuer, certificate alias, status, validity period or client ID.  If a search is based on multiple values, then these will be combined together using the “AND” operand, and thus only records that meet all the criteria will be presented.

​If "_" character is used in the search then it will act as wildcard.


See also

Pending Certificates