Attribute certificates issued by the Certification Service are shown here. These can also be viewed within the Manage CA(s) service against the particular configured AA by clicking on the Attribute Certificates button. The Attribute Certificates navigation button within the ADSS Certification Service allows you to view all certificates generated through the service interface:



Each item in the screenshot is described below:


Items

Description

Certificate Alias

A unique identifier for the certificate (as provided by the client application within the request message).

Attribute Authority Name

The name (i.e. alias) of the Attribute Authority Name that issued the attribute certificate.

Client ID

This is the Client ID as found in the request message.

Attribute Profile

The attribute profile used to generate this attribute certificate.

Valid From

The “valid from” date of the attribute certificate (taken from the certificate itself).

Valid To

The “valid to” date of the attribute certificate (taken from the certificate itself). 

SCT

CT column is shown only when certificate transparency module is enabled in license. By clicking the view link SCT request/response viewer is shown.  

Status

Whether the attribute certificate is labelled as “active” or “revoked” or "NotYetValid" in the database.


You can select a certificate, and then either View or Revoke or Reinstate or Delete it. Clicking on the Revoke button will show the following screen where invalidity date, revocation code and hold instruction code can be provided before revoking the certificate:



A certificate revoked with the certificateHold instruction code can be activated later on by using the Activate button. Once the certificate is revoked or activated, an instant revocation entry will be made into the database instead of issuing an emergency CRL for each revocation. CRL publishing is costly if they are published too frequently. To decrease the cost of resources, the idea of instant revocation is introduced. It works for the locally configured AA(s) only. External systems that are polling for CRLs issued by ADSS Server's Managed CAs have to download the CRLs in order the get the latest revocation information.


The table below describes possible revocation reasons that can be selected.


Each item in the screenshot is described below:


Items

Description

unspecified

This reason indicates that the certificate is revoked for an unknown reason.

keyCompromise

This reason indicates that it is known or suspected that the certificate subject's private key has been compromised.

cACompromise

This reason indicates that it is known or suspected that the certificate subject's private key has been compromised.

affiliationChanged

This reason indicates that the subject's name or other information has changed.

superseded

This reason indicates that the certificate has been superseded, a new certificate is replacing an existing certificate.

sessationOfOperation

This reason indicates that the certificate is no longer needed.

certificateHold

This reason indicates that the certificate has been put on hold (Revoke temporarily). One of the following hold instructions should be provided:

  • id-holdinstruction-none
  • id-holdinstruction-callissuer
  • id-holdinstruction-reject

removeFromCRL

This reason indicates that the certificate was previously on hold and should be removed from the CRL.

privilageWithdrawn

This reason indicates that the privileges granted to the subject of the certificate have been withdrawn.

aACompromise

This reason indicates that it is known or suspected that the certificate subject's private key has been compromised.


The list of issued certificates can be sorted in either Ascending or Descending order by selecting a table column from the drop down list.


Clicking on the Search button on the Certification Service >> Attribute Certificates main page will display the following screen:



This helps to locate a certificate that the Certification Service may have issued. Certificates can be searched based on  issuer, certificate alias, status, validity period or Client ID. If a search is based on multiple values, then these will be combined together using the “AND” operand, and thus only records that meet all the criteria will be presented.


See also

Configuring the Certification Service

Directory Integration

Identity Certificates

Attribute Certificates

Transaction Logs

Log Archiving

Alerts

Advanced Settings

Optimising ADSS Certification Server Performance