Managing Target Systems¶
This page covers ongoing management of registered target systems, including editing configuration, managing certificate profiles, reviewing deployment orders, and removing systems from the platform.
Viewing Target Systems¶
All registered target systems are listed under Admin → Target Systems in the web portal. Each entry shows:
- Name and system type
- Assigned Bridge
- Last Deployment — the timestamp and outcome of the most recent deployment job
- Status — whether the target system is enabled and the last connection test result
Select a target system to view its full configuration, certificate profiles, and order history.
Editing a Target System¶
Target system configuration — including hostname, credentials, system-specific settings, and Bridge assignment — can be updated at any time.
- Navigate to Admin → Target Systems.
- Select the target system to edit.
- Update the relevant fields.
- Save changes.
Changes take effect on the next deployment job. In-flight jobs use the configuration that was active when they were dispatched.
Updating Credentials¶
When a service account password or SSH key is rotated, update the stored credential in the platform before the old credential is deactivated on the target system:
- Navigate to the target system detail page.
- Select Update Credentials.
- Enter the new password or SSH private key.
- Save.
- Run a Test Connection to confirm the updated credentials are working.
- Deactivate the old credential on the target system.
Important: Updating credentials in the platform does not change the credential on the target system. Both changes must be coordinated to avoid deployment failures.
Reassigning a Bridge¶
If the Bridge assigned to a target system needs to change — for example, because the Bridge is being decommissioned or the target system has moved to a different network segment — update the Bridge assignment:
- Navigate to the target system detail page.
- Select the new Bridge from the Bridge dropdown.
- Save.
- Run a Test Connection to confirm the new Bridge can reach the target system.
Ensure the newly assigned Bridge has network access to the target system before saving the change.
Testing the Connection¶
A connection test can be run at any time to verify the Bridge can reach the target system and authenticate successfully:
- Navigate to Admin → Target Systems.
- Select the target system.
- Select Test Connection.
The test dispatches a connectivity job to the assigned Bridge. Results are displayed in the portal. No certificate is installed during a connection test.
Certificate Profiles¶
Certificate profiles are managed from the Certificates tab on the target system detail page.
Viewing Certificate Profiles¶
- Navigate to Admin → Target Systems.
- Select the target system.
- Open the Certificates tab.
The tab lists all profiles configured for the target system, showing the profile name, Common Name, key algorithm, validity period, last deployment date, and a warning indicator for any soft-fail policy violations recorded at last save.
Adding a Certificate Profile¶
- Navigate to Admin → Target Systems.
- Select the target system.
- Open the Certificates tab.
- Select Add Certificate Profile.
- Configure the profile fields:
Certificate Attributes
| Field | Description |
|---|---|
| Name | A descriptive label for this profile (for example, HTTPS — prod-web-01 or SMTP — exchange-au) |
| Description | Optional notes on the profile's purpose |
| Common Name (CN) | The primary domain name for the certificate |
| Subject Alternative Names (SANs) | Additional domain names to include |
| Organisation / OU / Country / State / Locality | Distinguished Name fields — leave blank if not required by your CA |
| Algorithm | Key algorithm — default is RSA 2048 |
| Digest | Signature hash — default is SHA-256 |
| Validity (days) | Certificate lifetime in days — default is 365 |
| Key Usage | X.509 Key Usage extensions |
| Extended Key Usage | X.509 EKU extensions |
| Issuing CA | The intermediate CA to use for issuance, if applicable |
Renewal Settings
| Field | Description |
|---|---|
| Renewal Threshold (%) | The percentage of the certificate's validity period that must elapse before an automatic renewal order is created. Default is 70%. For example, a 365-day certificate at 70% triggers renewal at day 256. |
Deployment Configuration
Each profile can override the default file paths and reload command configured on the target system. This allows multiple profiles on the same server to deploy certificates to different locations.
| Field | Description |
|---|---|
| Certificate Path | Full path to write the certificate file on the target system. If left blank, the target system default is used. |
| Key Path | Full path to write the private key file on the target system. If left blank, the target system default is used. |
| Reload Command | Command the Bridge runs to reload or restart the service after deployment. If left blank, the target system default is used. |
- Save the profile.
Note: Fields governed by a tenant certificate policy — such as algorithm, digest, maximum validity, or required key usage — are auto-populated and locked. These values cannot be overridden. A hard-fail policy violation prevents the profile from being saved; a soft-fail violation generates a warning that is stored against the profile and displayed on the Certificates tab.
Deploying a Certificate Profile¶
A deployment can be triggered manually at any time from a certificate profile:
- Navigate to Admin → Target Systems.
- Select the target system.
- Open the Certificates tab and select the profile.
- Select Deploy.
The platform creates a Deployment Order and queues it for the assigned Bridge. The order is visible in the Orders view. The first deployment to a profile creates a Provisioning order; subsequent deployments create Renewal orders.
Note: A deployment cannot be triggered if the target system has no Bridge assigned, or if a Pending or Processing order already exists for that profile.
Editing a Certificate Profile¶
- Navigate to Admin → Target Systems.
- Select the target system.
- Open the Certificates tab.
- Select the profile to edit.
- Update the relevant fields and save.
Policy validation runs again on save. Any change to the Common Name re-evaluates which policies apply and updates any enforced field values.
Deleting a Certificate Profile¶
- Navigate to Admin → Target Systems.
- Select the target system.
- Open the Certificates tab.
- Select the profile to delete.
- Select Delete and confirm.
Deleting a profile does not affect any certificates already installed on the system. It removes the profile definition and stops future automated renewal for that profile.
Deployment Orders¶
The Orders view, accessible from Admin → Target Systems → Orders, lists all deployment orders across all target systems in the tenant.
What an Order Shows¶
Each order records:
- Order type — Provisioning (first-time deployment) or Renewal
- Status — current state of the order
- Target system and certificate profile — which system and profile the order applies to
- Common Name — the certificate CN requested
- Trigger source — what created the order (manual or renewal threshold)
- Timestamps — when the order was created, when the Bridge picked it up, and when it completed
- Error details — for failed orders, the reason reported by the Bridge
Filtering and Searching Orders¶
The Orders view can be filtered by status and order type, and searched by Common Name, order UUID, or target system name.
Order Lifecycle¶
| Status | Description |
|---|---|
| Pending | Order is queued and waiting for the Bridge to retrieve it |
| Processing | Bridge has claimed the order and is executing the deployment |
| Complete | Deployment succeeded |
| Failed | Deployment failed — review the error details to diagnose the issue |
| Cancelled | Order was cancelled manually, or was automatically cancelled after remaining in Pending or Processing status for more than one hour |
Stale Order Cancellation¶
Orders that remain in Pending or Processing status for more than one hour are automatically cancelled. This typically indicates the Bridge is offline or unreachable. Once the Bridge is back online, trigger a new deployment manually or wait for the next automated renewal check to create a fresh order.
Deployment History¶
The Deployment History tab on the target system detail page shows a low-level record of each deployment attempt executed by the Bridge, including connection tests. It complements the Orders view by providing granular execution detail for individual operations.
- Navigate to Admin → Target Systems.
- Select the target system.
- Open the Deployment History tab.
Each entry shows the operation timestamp, trigger source, and outcome. Failed operations include an error description.
Enabling and Disabling a Target System¶
A target system can be temporarily disabled to prevent new deployment jobs from being dispatched to it — for example, during a maintenance window or while credentials are being rotated.
- Navigate to the target system detail page.
- Select Disable.
While disabled, no new deployment orders are created for the system, and no pending orders are dispatched. Existing in-flight orders continue to completion. Re-enable the system by selecting Enable when ready.
Deleting a Target System¶
Deleting a target system removes it from the platform. This does not affect any certificates already installed on the system.
- Navigate to Admin → Target Systems.
- Select the target system to delete.
- Select Delete and confirm.
Ensure no active certificate deployment workflows reference the target system before deleting it. Certificates linked to a deleted target system will no longer have an automated deployment path.