Certificates issued by the Certification Service are shown here. Certificates issued through Key Manager or through Manual Certification (a sub-module of Manage CAs) are shown in the Manage CAs module instead: open Manage CA(s), select the CA and click the Issued Certificates button. If an end user certificate is renewed, its old certificate is marked revoked and a new certificate is generated; to see the latest and the revoked certificates for a particular end user, expand the entry by clicking the '+' button and all the old revoked certificates are listed as children of the current one.

The Issued Certificates navigation button within the ADSS Certification Service allows you to view all certificates generated through the service interface:




Each item in the screenshot is described below:


Items

Description

Certificate Alias

A unique identifier for the certificate (as provided by the client application in the request message).

CA Name

The name (i.e. alias) of the CA that issued the certificate.

Client ID

The Client ID found in the request message.

Certificate Profile

The certification profile used to generate this certificate.

Crypto Source

Shows whether the key for this certificate is held in software or on a hardware device.

Valid From

The “valid from” date of the certificate (taken from the certificate itself).

Valid To

The “valid to” date of the certificate (taken from the certificate itself).

SCT

The SCT (Signed Certificate Timestamp) column is shown only when the Certificate Transparency module is enabled in the licence. Clicking the View link opens the SCT request/response viewer.

Status

Whether the certificate is labelled “active”, “inactive” or “revoked” in the database. Note that “inactive” and “revoked” certificates cannot be used for signing, i.e. the ADSS Signing Service will not allow a business application or user to sign a document with a revoked or inactive certificate.


If an issued certificate has to be deleted so that its certificate alias can be reused for a new certificate, the ADSS Core, Console and Service instances must be restarted from the Windows Services panel or the UNIX daemon after the deletion before the alias can be reused.



Retrieve Certificate 

If a certificate request is pending approval from the Microsoft ADCS operator, the certificate status is saved as 'SUBMITTED' in the database and displayed as 'Under Submission' in the Status column on the screen. The MS ADCS operator can either approve or deny the request.

The Retrieve Certificate button becomes available by clicking the three dots at the end of the row. If the user clicks this button while the request is still pending, a message will indicate that the certificate request is awaiting approval from the MS ADCS operator. Once the operator approves the request, the user can click the Retrieve Certificate button again. A success message will be displayed, and the certificate status will change to 'Active'.  



You can select a certificate and then View, Revoke or Delete it. Clicking View, or clicking the Certificate Alias, shows the issued certificate like this:




Clicking on the Details Tab displays the following screen:

 



Here the user can view all the configuration details related to the selected certificate. Clicking the Certification Path tab displays the following screen:



Here the user can view the certificate path as well as certificate status (active or revoked).


Clicking the three dots at the end of the row shows the option to Revoke the certificate. Clicking the Revoke button shows the following screen, where an invalidity date, a revocation reason code and a hold instruction code can be provided before revoking the certificate:



A certificate revoked with the certificateHold instruction code can be activated again later using the Reinstate button. When a certificate is revoked or reinstated, an instant revocation entry is written to the database rather than an emergency CRL being issued for each revocation: publishing CRLs is costly if they are issued too frequently, and instant revocation was introduced to reduce that cost. It works for locally configured CA(s) only. External systems that poll the CRLs issued by ADSS Server's managed CAs still have to download the next published CRL to get the latest revocation information; until that CRL is published, a certificate revoked here is still treated as valid by those CRL-based relying parties.


If a TLS Server or EV-TLS Server certificate is revoked with a reason code other than keyCompromise, the user can update the revocation again by clicking the Revoke button. Note, however, that an already revoked certificate can only be updated to the keyCompromise reason code.


The above functionality only works if CAB Forum is enabled in Global Setting > Advanced Settings.


Clicking the Revoke button for an already revoked TLS Server or EV-TLS Server certificate displays the following screen:



The table below describes possible revocation reasons that can be selected:


Items

Description

unspecified

This reason indicates that the certificate is revoked for a reason that is not specified.

keyCompromise

This reason indicates that it is known or suspected that the certificate subject's private key has been compromised.

cACompromise

This reason indicates that it is known or suspected that the private key of the issuing CA has been compromised.

affiliationChanged

This reason indicates that the subject's name or other information in the certificate has changed.

superseded

This reason indicates that the certificate has been superseded, i.e. a new certificate is replacing the existing certificate.

cessationOfOperation

This reason indicates that the certificate is no longer needed for the purpose for which it was issued.

certificateHold

This reason indicates that the certificate has been put on hold (revoked temporarily); it can be reinstated later. One of the following hold instructions should be provided:

  • id-holdinstruction-none
  • id-holdinstruction-callissuer
  • id-holdinstruction-reject

removeFromCRL

This reason indicates that the certificate was previously on hold and should be removed from the CRL (used in delta CRLs).

privilegeWithdrawn

This reason indicates that the privileges granted to the subject of the certificate have been withdrawn.

aACompromise

This reason indicates that it is known or suspected that aspects of the attribute authority (AA) validated in an attribute certificate have been compromised; it applies to attribute certificates, not to ordinary public key certificates.
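To see what these reason codes and hold instructions look like once they reach a CRL, here is a self-contained Python example (added for this page; it is not ADSS Server code) that builds and decodes the crlEntryExtensions of one revoked-certificate CRL entry as defined in RFC 5280 section 5.3: the CRLReason ENUMERATED value, the hold instruction OID and the invalidity date. The reason numbers and OIDs are the RFC's; the DER encoder is hand-rolled so that nothing beyond the standard library is needed, and the dates used in demo() are constructed.

```python
"""crlEntryExtensions for one revoked-certificate CRL entry (RFC 5280 section 5.3).
Added example for this page; not ADSS Server code. Hand-rolled DER, no dependencies."""
from datetime import datetime, timezone

# CRLReason values as numbered in RFC 5280 section 5.3.1 (value 7 is unused).
CRL_REASONS = {
    "unspecified": 0, "keyCompromise": 1, "cACompromise": 2,
    "affiliationChanged": 3, "superseded": 4, "cessationOfOperation": 5,
    "certificateHold": 6, "removeFromCRL": 8, "privilegeWithdrawn": 9,
    "aACompromise": 10,
}
REASON_NAMES = {v: k for k, v in CRL_REASONS.items()}

# Hold instruction OIDs, RFC 5280 section 5.3.2 (arc 1.2.840.10040.2).
HOLD_INSTRUCTIONS = {
    "id-holdinstruction-none": "1.2.840.10040.2.1",
    "id-holdinstruction-callissuer": "1.2.840.10040.2.2",
    "id-holdinstruction-reject": "1.2.840.10040.2.3",
}
HOLD_NAMES = {v: k for k, v in HOLD_INSTRUCTIONS.items()}

OID_CRL_REASON = "2.5.29.21"        # id-ce-cRLReasons
OID_HOLD_INSTRUCTION = "2.5.29.23"  # id-ce-holdInstructionCode
OID_INVALIDITY_DATE = "2.5.29.24"   # id-ce-invalidityDate


def _der_length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    """Encode one DER tag-length-value element."""
    return bytes([tag]) + _der_length(len(body)) + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:            # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def read_tlv(buf, pos=0):
    """Return (tag, body, position after the element); handles long-form lengths."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def extension(oid, value_der):
    # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
    return tlv(0x30, encode_oid(oid) + tlv(0x04, value_der))


def valid_combination(reason, hold_instruction):
    """certificateHold must carry a hold instruction; no other reason may."""
    return (reason == "certificateHold") == (hold_instruction is not None)


def entry_extensions(reason, invalidity_date=None, hold_instruction=None):
    """DER crlEntryExtensions: reason code, optional hold instruction, optional invalidity date."""
    if not valid_combination(reason, hold_instruction):
        raise ValueError("hold instruction is required for certificateHold and only for certificateHold")
    exts = extension(OID_CRL_REASON, tlv(0x0A, bytes([CRL_REASONS[reason]])))   # ENUMERATED
    if hold_instruction:
        exts += extension(OID_HOLD_INSTRUCTION, encode_oid(HOLD_INSTRUCTIONS[hold_instruction]))
    if invalidity_date:
        gt = invalidity_date.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ").encode()
        exts += extension(OID_INVALIDITY_DATE, tlv(0x18, gt))                   # GeneralizedTime
    return tlv(0x30, exts)


def decode_entry_extensions(der):
    """Parse crlEntryExtensions back into a dict (unknown extensions are ignored)."""
    tag, seq, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    out, pos = {}, 0
    while pos < len(seq):
        _, ext, pos = read_tlv(seq, pos)
        _, oid_body, p = read_tlv(ext)
        t, value, p = read_tlv(ext, p)
        if t == 0x01:                       # explicit 'critical' BOOLEAN present; skip it
            t, value, p = read_tlv(ext, p)
        oid = decode_oid(oid_body)
        _, vbody, _ = read_tlv(value)       # contents of the extnValue OCTET STRING
        if oid == OID_CRL_REASON:
            out["reason"] = REASON_NAMES[vbody[0]]
        elif oid == OID_HOLD_INSTRUCTION:
            out["holdInstruction"] = HOLD_NAMES[decode_oid(vbody)]
        elif oid == OID_INVALIDITY_DATE:
            out["invalidityDate"] = datetime.strptime(vbody.decode(), "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return out


def demo():
    """Constructed example: a certificate placed on hold with callissuer and an invalidity date."""
    der = entry_extensions("certificateHold", datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc),
                           "id-holdinstruction-callissuer")
    return decode_entry_extensions(der)


if __name__ == "__main__":
    print(entry_extensions("keyCompromise").hex())   # 300c300a0603551d1504030a0101
    print(demo())
```

Running the block prints the 14-byte extension block for a plain keyCompromise entry and the decoded hold entry; the same round trip can be applied to the extensions of any entry pulled out of a CRL downloaded from ADSS Server to confirm that the reason, hold instruction and invalidity date entered on the Revoke screen are what relying parties actually receive.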


The list of issued certificates can be sorted in either Ascending or Descending order by selecting a table column from the drop down list. 

While revoking a TLS Server or EV-TLS Server certificate from the ADSS Server, only the following reason codes will be available to the user in the Reason Code drop-down:

  • unspecified
  • keyCompromise
  • affiliationChanged
  • superseded
  • cessationOfOperation
  • privilegeWithdrawn 

Note: 

  1. The above mentioned functionality will only work if CAB Forum is enabled in Global Setting > Advanced Settings.
  2. If a certificate is issued using an External CA, then, the privilegeWithdrawn reason code will not be available in the drop-down.
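The following Python model (an added example written for this page; it is not ADSS Server code) captures the revocation rules described above together with the difference between instant revocation in the database and what a CRL consumer sees: the restricted reason list for TLS Server and EV-TLS Server certificates when CAB Forum is enabled, the removal of privilegeWithdrawn for External CA certificates, the rule that an already revoked TLS certificate can only be updated to keyCompromise, reinstatement only from certificateHold, and the lag between the database and the last published CRL. The class and field names, the full RFC 5280 reason list for non-TLS profiles, the rejection of any other second revocation, and the behaviour when CAB Forum is disabled are assumptions made for the model.

```python
"""Model of the revocation rules on this page (added example, not ADSS Server code)."""
from dataclasses import dataclass
from typing import Dict, Optional, Set

TLS_PROFILES = {"TLS Server", "EV-TLS Server"}
# Reason codes offered for TLS Server / EV-TLS Server certificates while CAB Forum is enabled.
TLS_REASONS = {"unspecified", "keyCompromise", "affiliationChanged", "superseded",
               "cessationOfOperation", "privilegeWithdrawn"}
# Assumption: other profiles get the full RFC 5280 list.
ALL_REASONS = TLS_REASONS | {"cACompromise", "certificateHold", "removeFromCRL", "aACompromise"}


@dataclass
class Cert:
    alias: str
    profile: str
    external_ca: bool = False       # issued via an External CA (privilegeWithdrawn not offered)
    status: str = "active"
    reason: Optional[str] = None
    hold: Optional[str] = None


class RevocationStore:
    """Database view versus published-CRL view of revocation state."""

    def __init__(self, cab_forum_enabled: bool = True):
        self.cab_forum = cab_forum_enabled
        self.certs: Dict[str, Cert] = {}
        self.published_crl: Set[str] = set()   # aliases revoked as of the last CRL publication

    def add(self, cert: Cert) -> None:
        self.certs[cert.alias] = cert

    def allowed_reasons(self, cert: Cert) -> Set[str]:
        """Reason codes shown in the drop-down for this certificate."""
        if self.cab_forum and cert.profile in TLS_PROFILES:
            reasons = set(TLS_REASONS)
            if cert.external_ca:
                reasons.discard("privilegeWithdrawn")
            return reasons
        return set(ALL_REASONS)

    def revoke(self, alias: str, reason: str, hold: Optional[str] = None) -> None:
        cert = self.certs[alias]
        if reason not in self.allowed_reasons(cert):
            raise ValueError(f"{reason} is not offered for profile {cert.profile}")
        if cert.status == "revoked":
            # An already revoked TLS certificate may only be updated to keyCompromise;
            # assumption: any other second revocation is rejected.
            if not (self.cab_forum and cert.profile in TLS_PROFILES and reason == "keyCompromise"):
                raise ValueError("already revoked; only an update to keyCompromise is permitted")
        if (reason == "certificateHold") != (hold is not None):
            raise ValueError("a hold instruction is required for certificateHold and only for it")
        # Instant revocation: the database entry changes now; no emergency CRL is issued.
        cert.status, cert.reason, cert.hold = "revoked", reason, hold

    def reinstate(self, alias: str) -> None:
        """Reinstate is only possible for a certificate revoked with certificateHold."""
        cert = self.certs[alias]
        if cert.status != "revoked" or cert.reason != "certificateHold":
            raise ValueError("only a certificate on hold can be reinstated")
        cert.status, cert.reason, cert.hold = "active", None, None

    def publish_crl(self) -> None:
        """Snapshot of revoked aliases that external CRL consumers receive."""
        self.published_crl = {a for a, c in self.certs.items() if c.status == "revoked"}

    def status_from_database(self, alias: str) -> str:
        """What local services (e.g. the Signing Service) see immediately."""
        return self.certs[alias].status

    def status_from_crl(self, alias: str) -> str:
        """What a relying party that only polls the published CRL sees."""
        return "revoked" if alias in self.published_crl else "active"


if __name__ == "__main__":
    store = RevocationStore()
    store.add(Cert("sign01", "Document Signing"))
    store.publish_crl()
    store.revoke("sign01", "certificateHold", "id-holdinstruction-callissuer")
    print(store.status_from_database("sign01"), store.status_from_crl("sign01"))  # revoked active
    store.publish_crl()
    print(store.status_from_crl("sign01"))                                       # revoked
```

The printed pair shows the operational caveat from the instant revocation section: the local database already reports the certificate as revoked while a CRL consumer still sees it as active until the next CRL is published.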


Clicking on the Advance Search button will display the following screen:




This helps to locate a certificate that the Certification Service may have issued. Certificates can be searched by issuer, certificate alias, status, validity period or client ID. If a search uses multiple values, they are combined with the “AND” operator, so only records that meet all the criteria are presented.

See also

Issued Certificates

Pending Certificates