Managing Provisioned Certificates
Certificates provisioned through the platform are stored in the certificate inventory alongside any discovered certificates. This page covers how to view certificate details, download certificates in various formats, and revoke certificates when needed.
Certificate Orders
Navigate to CLM → Certificates → Orders to view a history of all certificate requests, including their current status and who initiated them.
The orders page shows:
| Column | Description |
|---|---|
| Common Name | The CN requested in the certificate |
| Order Type | The certificate provider used (Local PKI, ACME, External CA) |
| Status | Current status: pending, processing, complete, or failed |
| Requested By | The user, Courier, or ACME client that submitted the request |
| Duration | Time taken from submission to completion or failure |
Select any order to open its detail page. Completed orders link directly to the issued certificate. Failed orders display error details and the original request parameters to help with re-submission.
Certificate Inventory
Navigate to CLM → Certificates to view your certificate inventory. Each certificate displays:
- Common Name (CN) and Subject Alternative Names
- Issuer and certificate provider
- Validity period and days until expiry
- Status
- Source (`managed` for provisioned certificates, `discovered` for discovered certificates)
Use the source filter to view only managed certificates.
Certificate Detail
Select a certificate from the inventory to open its detail page. The detail page shows:
| Field | Description |
|---|---|
| Common Name | The primary domain name on the certificate. |
| Subject Alternative Names | Additional domain names covered by the certificate. |
| Issuer | The Certificate Authority that issued the certificate. |
| Algorithm | Key algorithm and size (for example, rsa-2048, ec-384). |
| Digest | The digest algorithm used for signing. |
| Valid From / Valid To | Validity period of the certificate. |
| Days Until Expiry | Calculated from the current date. |
| Status | Current certificate status (see below). |
| Source | managed — the certificate was provisioned through the platform. |
| Fingerprint (SHA-256) | Unique fingerprint of the certificate. |
Certificate Status Values
| Status | Meaning |
|---|---|
| `active` | Certificate is valid and within its validity period. |
| `expired` | Certificate validity period has passed. |
| `revoked` | Certificate has been revoked and should no longer be trusted. |
Downloading a Certificate
PEM Format
To download the certificate in PEM format:
- Open the certificate detail page.
- Select Download Certificate.
The certificate is downloaded as a .crt file in PEM format, containing the leaf certificate. This format is accepted by most web servers and services.
PFX / PKCS#12 Format
For certificates issued through the Built-In (Local PKI) provider, the platform can export the certificate and its private key as a password-protected PFX file.
- Open the certificate detail page.
- Select Download PFX.
- A dialog opens with a randomly generated password. Copy the password before proceeding — it is not stored and cannot be retrieved after the dialog is closed.
- Select Download to receive the `.pfx` file.
Note: PFX export is only available for certificates issued via the Local PKI pathway, where the private key was generated by the Back Control Plane. Certificates issued via CSR upload do not have a private key stored in the platform.
Revoking a Certificate
Revoking a certificate marks it as no longer trusted and records the revocation in the platform. Revocation does not automatically push a CRL or OCSP update — consult your CA's documentation for how revocation information is propagated.
To revoke a certificate:
- Open the certificate detail page.
- Select Revoke Certificate.
- A confirmation dialog appears with a randomly generated six-digit code.
- Enter the code in the input field and optionally provide a revocation reason.
- Select Confirm Revoke.
The certificate status is immediately updated to revoked. This action is recorded in the audit log.
Important: Revocation is permanent. A revoked certificate cannot be un-revoked through the platform.
Revocation Reasons
| Reason | Description |
|---|---|
| `keyCompromise` | The private key has been or is suspected to have been compromised. |
| `cACompromise` | The CA that issued this certificate has been compromised. |
| `affiliationChanged` | The subject's relationship to the issuing organisation has changed. |
| `superseded` | The certificate has been replaced by a new certificate. |
| `cessationOfOperation` | The subject no longer operates the service this certificate was issued for. |
| `unspecified` | No specific reason (use when none of the above apply). |
Audit Events
Actions on provisioned certificates are recorded in the audit log:
| Event | When |
|---|---|
| `certificate.request_automated.submitted` | Automated certificate request dispatched. |
| `certificate.request_csr.submitted` | CSR-based certificate request dispatched. |
| `certificate.view.accessed` | Certificate detail page opened. |
| `certificate.download.success` | PEM certificate downloaded. |
| `certificate.download_pfx.success` | PFX file downloaded. |
| `certificate.revoke.requested` | Revocation dialog opened. |
| `certificate.policy_hard_fail` | Request blocked by hard-fail policy. |
| `certificate.policy_soft_fail` | Request proceeded with soft-fail policy warning. |
Orders also generate alerts for failed generation attempts. Failed orders appear in CLM → Certificates → Alerts so they can be reviewed and actioned.
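As an added example (not part of the platform or its documentation), the script below triages an exported audit log for two patterns worth reviewing: one actor downloading PFX files, which contain private keys, for several certificates in a short window, and repeated hard-fail policy blocks from the same actor. The JSON-lines schema (`ts`, `event`, `actor`, `cert`), the thresholds and the sample records are assumptions constructed for illustration; only the event names come from the audit events listed above.

```python
import json
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample; the schema (ts, event, actor, cert) is assumed, event names are from the page.
SAMPLE_LOG = """
{"ts": "2024-05-01T09:00:00", "event": "certificate.download_pfx.success", "actor": "carol", "cert": "c5"}
{"ts": "2024-05-01T09:10:00", "event": "certificate.download_pfx.success", "actor": "bob", "cert": "c2"}
{"ts": "2024-05-01T09:12:00", "event": "certificate.download_pfx.success", "actor": "bob", "cert": "c3"}
{"ts": "2024-05-01T09:15:00", "event": "certificate.download_pfx.success", "actor": "bob", "cert": "c4"}
{"ts": "2024-05-01T09:20:00", "event": "certificate.policy_hard_fail", "actor": "svc-acme", "cert": null}
{"ts": "2024-05-01T09:21:00", "event": "certificate.policy_hard_fail", "actor": "svc-acme", "cert": null}
{"ts": "2024-05-01T09:22:00", "event": "certificate.policy_hard_fail", "actor": "svc-acme", "cert": null}
{"ts": "2024-05-01T11:00:00", "event": "certificate.download_pfx.success", "actor": "carol", "cert": "c6"}
{"ts": "2024-05-01T13:00:00", "event": "certificate.download_pfx.success", "actor": "carol", "cert": "c7"}
"""
PFX_EVENT = "certificate.download_pfx.success"
HARD_FAIL = "certificate.policy_hard_fail"

def parse(text):
    recs = [json.loads(line) for line in text.splitlines() if line.strip()]
    for r in recs:
        r["ts"] = datetime.fromisoformat(r["ts"])  # compare as datetimes, not strings
    return recs

def bulk_pfx_exports(records, max_certs=2, window=timedelta(minutes=10)):
    """Actors exporting PFX (private keys) for > max_certs certificates in one window."""
    by_actor = defaultdict(list)
    for r in records:
        if r["event"] == PFX_EVENT:
            by_actor[r["actor"]].append((r["ts"], r["cert"]))
    findings = {}
    for actor, hits in by_actor.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            certs = {c for t, c in hits[i:] if t - start <= window}
            if len(certs) > max_certs:
                findings[actor] = sorted(certs)
                break
    return findings

def hard_fail_bursts(records, threshold=3):
    """Actors whose requests were blocked by hard-fail policy at least threshold times."""
    counts = Counter(r["actor"] for r in records if r["event"] == HARD_FAIL)
    return {a: n for a, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print(bulk_pfx_exports(recs), hard_fail_bursts(recs))
```

In the sample, `carol` exports three PFX files but hours apart, so only `bob` is reported at the default ten-minute window.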
Next Steps
- Best Practices for Certificate Provisioning — guidance on domains, providers, and request hygiene.
- Certificate Renewal — Introduction — renew certificates before they expire.
- Certificate Revocation — Introduction — detailed revocation guidance.