
Attribute Certificates

Attribute certificates issued by the Certification Service are shown here. These can also be viewed within the Manage CA(s) service against the particular configured AA by clicking on the Attribute Certificates button. The Attribute Certificates navigation button within the ADSS Certification Service allows you to view all certificates generated through the service interface:

Each item in the screenshot is described below:

| Item | Description |
|---|---|
| Certificate Alias | A unique identifier for the attribute certificate (as provided by the client application within the request message). |
| Attribute Authority Name | The name (i.e. alias) of the Attribute Authority that issued the attribute certificate. |
| Client ID | The Client ID as found in the request message. |
| Attribute Profile | The attribute profile used to generate this attribute certificate. |
| Valid From | The “valid from” date of the attribute certificate (taken from the certificate itself). |
| Valid To | The “valid to” date of the attribute certificate (taken from the certificate itself). |
| Status | Whether the attribute certificate is labeled as “active”, “revoked” or “NotYetValid” in the database. |

You can select a certificate and then View, Revoke, Reinstate or Delete it. Clicking on the Revoke button will show the following screen, where the invalidity date, revocation code and hold instruction code can be provided before revoking the certificate:

A certificate revoked with the certificateHold instruction code can be activated later by using the Activate button. Once a certificate is revoked or activated, an instant revocation entry is made in the database instead of issuing an emergency CRL for each revocation. Publishing CRLs too frequently is costly, and instant revocation was introduced to reduce that resource cost. It works for locally configured AA(s) only. External systems that poll for CRLs issued by ADSS Server's Managed CAs have to download the CRLs in order to get the latest revocation information.

The table below describes possible revocation reasons that can be selected:

Each item in the screenshot is described below:

| Item | Description |
|---|---|
| unspecified | This reason indicates that the certificate is revoked for an unknown reason. |
| keyCompromise | This reason indicates that it is known or suspected that the certificate subject's private key has been compromised. |
| cACompromise | This reason indicates that it is known or suspected that the certificate subject's private key has been compromised. |
| affiliationChanged | This reason indicates that the subject's name or other information has changed. |
| superseded | This reason indicates that the certificate has been superseded; a new certificate is replacing an existing certificate. |
| cessationOfOperation | This reason indicates that the certificate is no longer needed. |
| certificateHold | This reason indicates that the certificate has been put on hold (revoked temporarily). One of the following hold instructions should be provided: id-holdinstruction-none, id-holdinstruction-callissuer, id-holdinstruction-reject. |
| removeFromCRL | This reason indicates that the certificate was previously on hold and should be removed from the CRL. |
| privilegeWithdrawn | This reason indicates that the privileges granted to the subject of the certificate have been withdrawn. |
| aACompromise | This reason indicates that it is known or suspected that the certificate subject's private key has been compromised. |

The list of issued certificates can be sorted in either Ascending or Descending order by selecting a table column from the drop-down list.

Clicking on the Search button on the Certification Service >> Attribute Certificates main page will display the following screen:

 

This helps to locate a certificate that the Certification Service may have issued. Certificates can be searched by issuer, certificate alias, status, validity period or Client ID. If a search is based on multiple values, they are combined using the “AND” operator, so only records that meet all the criteria are presented.


If the "_" character is used in a search, it acts as a wildcard.

