Managing Certificates
This page covers the day-to-day management of root and intermediate CA certificates on the Zaita platform — viewing certificate details, downloading certificates and private keys, removing private keys from the platform, and deleting certificates.
All management actions require the PKI Administrator or Super Administrator role. Every action is recorded in the platform's audit log.
Viewing Certificate Details
Navigate to Local PKI → Root Certificates or Local PKI → Intermediate Certificates to see a list of all certificates in your account, along with their status and current usage count.
Select a certificate to open the detail page, which shows:
- Common Name, Organisation, and other subject fields
- Algorithm and key size
- Validity period (Not Before / Not After)
- Current status and compliance status (root certificates only)
- For intermediate certificates: the signing root CA
Certificate Status
Root Certificate Status
| Status | Meaning |
|---|---|
| active | Valid and operational. The certificate can sign intermediates. |
| revoked | Manually revoked. No longer trusted. |
| expired | The certificate has passed its validity end date. |
| invalid | The certificate failed validation checks. |
| unusable | The certificate cannot be used — for example, key material is unavailable. |
Intermediate Certificate Status
| Status | Meaning |
|---|---|
| active | Valid and operational. The certificate can issue leaf certificates. |
| revoked | Manually revoked. No longer trusted. |
| expired | The certificate has passed its validity end date. |
| invalid | The certificate failed validation checks. |
| unusable | The certificate cannot be used — for example, key material is unavailable. |
Root CA Compliance Status
In addition to the operational status above, root certificates have a separate compliance status — either compliant or non_compliant. A root CA reaches compliant status when all three conditions are met:
- The root certificate has been downloaded.
- The root CA's private key has been removed from the platform.
- At least one active intermediate certificate has been issued under this root.
These conditions reflect the PKI best practice of taking root keys offline once the intermediate issuing infrastructure is in place.
Downloading a Certificate
Download the PEM-encoded certificate for trust store distribution or offline archiving.
- Open the certificate detail page.
- Select Download Certificate.
- The PEM file is downloaded to your browser.
The download is recorded in the audit log as root_certificate.download_success or intermediate_certificate.download_success.
Distribute root CA certificates to the trust stores of all systems, devices, and applications that need to trust your PKI. See Step 6 of Setting Up Your PKI for platform-specific instructions.
Downloading a Private Key
The CA private key can be exported from the back control plane. This is used to take root CA keys offline after intermediate certificates have been issued, or for disaster recovery purposes.
- Open the certificate detail page.
- Select Download Private Key.
- Store the downloaded key in a secure, offline location — such as a physical HSM, encrypted offline storage, or an air-gapped system.
Security note: Export root CA private keys only when you intend to store them offline immediately. Verify the exported key is accessible and intact before deleting it from the platform.
The download is recorded in the audit log as root_certificate.private_key_download_success or intermediate_certificate.private_key_download_success. Unauthorised download attempts are logged separately.
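The Security note above asks you to verify the exported key before deleting it from the platform. The following is an added example, not part of the Zaita documentation or tooling, that uses the OpenSSL CLI to confirm the downloaded key parses, passes OpenSSL's consistency check, and matches the public key in the downloaded certificate. It assumes the key is downloaded as an unencrypted PEM file; the file names are placeholders.

```bash
#!/bin/sh
# Added example: check that an exported CA private key is readable, passes
# OpenSSL's consistency check, and belongs to the downloaded CA certificate.
# Assumption: the key is an unencrypted PEM file. File names are placeholders.

# Read a PEM public key on stdin, print the SHA-256 of its DER encoding.
spki_digest() {
    openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# verify_exported_key CERT_PEM KEY_PEM
# Returns 0 on a verified match, 1 on a bad or mismatched key, 2 on a bad cert.
verify_exported_key() {
    cert=$1
    key=$2

    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "cannot parse certificate: $cert" >&2
        return 2
    }

    # A truncated or corrupted download fails here. Match on the success
    # message so the result does not depend on the exit status.
    openssl pkey -in "$key" -noout -check 2>/dev/null | grep -q 'Key is valid' || {
        echo "key is unreadable or fails the consistency check: $key" >&2
        return 1
    }

    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    cert_fp=$(printf '%s\n' "$cert_pub" | spki_digest)
    key_fp=$(printf '%s\n' "$key_pub" | spki_digest)

    if [ -n "$key_fp" ] && [ "$cert_fp" = "$key_fp" ]; then
        echo "OK: key matches certificate (public key SHA-256 $key_fp)"
        return 0
    fi
    echo "MISMATCH: key does not belong to $cert" >&2
    return 1
}

# Run directly: sh verify_key.sh root-ca.pem root-ca.key
if [ "$#" -eq 2 ]; then
    verify_exported_key "$1" "$2"
fi
```

Run the check against the copy in its final offline location, not only the browser download, before selecting Delete Private Key.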
Deleting a Private Key
Permanently removes the CA private key from the back control plane. This is the recommended action for root CA private keys once they have been safely stored offline, as it eliminates the possibility of the root key being used from within the platform.
- Open the certificate detail page.
- Select Delete Private Key.
- Confirm the deletion by checking the confirmation box and selecting Delete.
Important: Deletion is permanent and cannot be undone. The back control plane does not retain any copy after deletion. Ensure you have a verified offline backup before proceeding.
The deletion is recorded in the audit log as root_certificate.private_key_delete_success.
Deleting a Certificate
Permanently removes the certificate record from the platform, including all associated data.
- Open the certificate detail page.
- Select Delete Certificate.
- Confirm the deletion.
Deletion constraints:
- A root certificate can only be deleted if it has no intermediate certificates. All intermediate certificates issued under the root must be deleted first.
- Both root and intermediate certificate deletions are permanent.
The deletion is recorded in the audit log as root_certificate.delete_success or intermediate_certificate.delete_success.
Tenant CA Limits
The number of root and intermediate CAs available depends on your account subscription tier:
| Tier | Root CAs | Intermediate CAs |
|---|---|---|
| Free | 1 | 2 |
| Coffee | 1 | 2 |
| Small Business | 3 | 10 |
| Medium Business | 5 | 20 |
| Enterprise | Unlimited | Unlimited |
Current usage is shown on the Root Certificates and Intermediate Certificates index pages. The indicator is colour-coded:
- Green — below 80% capacity.
- Amber — between 80% and 99% capacity.
- Red — at or above the limit.
To increase your limits, upgrade your subscription tier.
Next Steps
- PKI Best Practices — guidance on key custody, hierarchy design, and ongoing operational hygiene.
- Overview — Security — how the platform protects private key material and audit logging.