For the latest version, please use Certificate Lifecycle Manager 6.5.0!
Certificates
For a guide on how to issue a certificate, see Issue your first certificate.
Digital certificates are the foundation of secure communications and identity verification in modern IT infrastructures. They establish trust between systems, secure data transmission, and verify the authenticity of digital entities. Effective certificate management is essential for maintaining your organization’s security posture and ensuring uninterrupted service availability.
Certificate management within MTG CLM helps you control the entire certificate lifecycle, from issuance through renewal and eventual retirement, preventing costly outages and security vulnerabilities stemming from expired or compromised certificates.
Certificate Inventory Management
Complete and accurate certificate inventory is the foundation of effective certificate management. MTG CLM provides comprehensive visibility into your certificate environment.
Viewing Certificates
The Certificates menu displays all certificates in your environment, allowing you to quickly assess your certificate inventory. You can:
- View certificates across all realms or filter by a specific realm.
- Sort certificates by various attributes, including expiration date.
- Identify certificates requiring attention through status indicators.
Searching Certificates
The search functionality helps you locate specific certificates based on various criteria:
- Search by subject, issuer, serial number, or other certificate attributes.
- Filter by status (active, expired, revoked).
- Identify certificates with specific cryptographic properties (for example, key algorithm or key size).
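A quick way to cross-check the inventory view from outside the product is to ask the same questions (who is the subject, when does it expire, what key does it carry) of the exported PEM files. The script below is an added example, not part of MTG CLM or its documentation; it uses the openssl command line on three constructed self-signed certificates and assumes only that openssl and a POSIX shell are available. The 30-day expiry window and the 2048-bit RSA minimum are chosen for the example.

```shell
#!/bin/sh
# Added example, not MTG CLM code: inventory a directory of PEM certificates with
# the openssl CLI, flagging those that expire within N days and RSA keys below a
# minimum size. The sample certificates are constructed on the fly.
set -eu

# One tab-separated inventory line: subject, serial, notAfter, key algorithm, key bits.
cert_inventory_line() {  # cert
  cert="$1"
  subject=$(openssl x509 -in "$cert" -noout -subject | sed 's/^subject= *//')
  serial=$(openssl x509 -in "$cert" -noout -serial | cut -d= -f2)
  not_after=$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)
  text=$(openssl x509 -in "$cert" -noout -text)
  alg=$(printf '%s\n' "$text" | sed -n 's/.*Public Key Algorithm: *//p' | head -n1)
  bits=$(printf '%s\n' "$text" | grep -oE '\([0-9]+ bit\)' | head -n1 | tr -dc '0-9')
  printf '%s\t%s\t%s\t%s\t%s\n' "$subject" "$serial" "$not_after" "$alg" "$bits"
}

# "EXPIRING" if the certificate is already expired or expires within the given days.
expiry_status() {  # cert days
  if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
    echo OK
  else
    echo EXPIRING
  fi
}

# "WEAK" for RSA keys shorter than min_bits; EC keys are judged by curve, so they pass here.
key_status() {  # cert min_rsa_bits
  line=$(cert_inventory_line "$1")
  alg=$(printf '%s\n' "$line" | cut -f4)
  bits=$(printf '%s\n' "$line" | cut -f5)
  if [ "$alg" = "rsaEncryption" ] && [ "$bits" -lt "$2" ]; then
    echo WEAK
  else
    echo OK
  fi
}

# Constructed sample inventory: three self-signed certificates with different keys and lifetimes.
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
mkcert() {  # name days keyfile
  openssl req -x509 -new -key "$3" -days "$2" -subj "/CN=$1" -out "$TMP/$1.pem" 2>/dev/null
}
openssl genrsa -out "$TMP/rsa2048.key" 2048 2>/dev/null
openssl genrsa -out "$TMP/rsa1024.key" 1024 2>/dev/null
openssl ecparam -genkey -name prime256v1 -noout -out "$TMP/ec.key"
mkcert web.example.test    365 "$TMP/rsa2048.key"
mkcert legacy.example.test  20 "$TMP/rsa1024.key"
mkcert api.example.test    365 "$TMP/ec.key"

# One report line per certificate: inventory fields plus the two status flags.
for c in "$TMP"/*.pem; do
  printf '%s\texpiry=%s\tkey=%s\n' "$(cert_inventory_line "$c")" \
    "$(expiry_status "$c" 30)" "$(key_status "$c" 2048)"
done
```

Point the loop at a directory of exported certificates instead of the constructed ones to get the same report for a real inventory; `openssl x509 -checkend` is what does the expiry arithmetic, so no date parsing is needed.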
Importing External Certificates
Organizations often have existing certificates that need to be brought under management. The import function allows you to:
- Add externally-issued certificates to your inventory.
- Associate imported certificates with the appropriate end entities.
- Begin monitoring and managing these certificates alongside those issued through MTG CLM.
Before importing, make sure each certificate is associated with the correct end entity. The end entity carries the ownership relationship and the contact data that lifecycle management (notifications, e-mail distribution) depends on.
Certificate Operations
Once certificates are in your inventory, MTG CLM provides several operations to manage them throughout their lifecycle.
Certificate Details
Viewing certificate details provides comprehensive information about a specific certificate:
- Certificate metadata (subject, issuer, validity period)
- Cryptographic details (algorithm, key size)
- Current status and lifecycle information
- Associated end entity and realm
Certificate Download Options
MTG CLM offers multiple download options to support various use cases:
- Download Single: Downloads just the end-entity certificate in PEM format, suitable for most server configurations.
- Download Chain: Downloads the complete certificate chain, including the issuing CA certificates. Relying parties need the intermediate certificates to build a path to a trusted root, so a server configured with the leaf certificate alone typically fails validation for clients that do not already hold the intermediates.
- Download CRL: Downloads the Certificate Revocation List, a list signed by the CA of certificates that should no longer be trusted. A CRL is only current until its next-update time, so re-download it before then. It is useful for offline validation or for configuring other systems that need to check certificate status.
Private keys should be handled securely. None of the downloads above contains a private key; when a private key is delivered (for example, after server-side key generation), transmit it to the target system over a protected channel and then delete it from any intermediate storage.
Certificate Distribution
Certificates often need to be distributed to system administrators or end users for installation:
- Email Certificate: Sends the certificate via e-mail to the specified recipient, facilitating distribution to the appropriate personnel.
This requires a valid e-mail address on the end entity connected to the certificate.
Certificate Renewal
Certificate renewal issues a new certificate with a new validity period while preserving the original certificate's policy and end entity association. Because renewal reuses the certificate creation workflow, you can update certificate parameters, and the policy's enforcement and approval rules still apply.
Renewal Workflow
When you initiate renewal for an existing certificate:
- Policy and End Entity Preserved: The renewal process automatically selects the original certificate's policy and end entity.
- Certificate Source Selection: Choose how to generate the renewed certificate:
  - From PKCS#10 Request: Upload a certificate signing request. Generate it with a fresh key pair rather than reusing the expiring certificate's key, so that renewal also rotates the key.
  - Server-Side Generation: Generate the key pair on the server.
- Certificate Parameters: Configure certificate parameters, including:
  - Public Key Algorithm
  - RSA Key Size
- Approval Process: The renewal follows the approval workflow defined in the associated policy. If the policy requires manual approval or dual control, renewal requests undergo the same approval process as new certificate issuance.
Original Certificate Behavior
After renewal completes:
- The original certificate remains valid until its expiration date.
- The original certificate is not automatically revoked.
- Both the original and renewed certificates appear in the end entity's certificate list.
- MTG CLM treats the original and renewed certificates identically.
MTG CLM does not mark either certificate as current, so you must track this yourself by comparing expiration dates. To keep the inventory clean, and so that the superseded certificate and its key cannot continue to be used, revoke the original certificate once the renewed certificate is deployed and verified.
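The following added example (not MTG CLM code) shows the client side of the PKCS#10 renewal path with the openssl command line: it builds the renewal CSR for the original certificate's subject with a fresh key and, once the renewed certificate is back, answers the two questions the section above leaves to you: which of the two certificates is current, and did the key actually rotate. The "renewed" certificate is self-signed from the CSR only to stand in for the certificate MTG CLM would issue; subjects, file names and lifetimes are constructed for the example.

```shell
#!/bin/sh
# Added example, not MTG CLM code: renewal via a PKCS#10 request with a new key,
# then telling the current certificate from the original and checking key rotation.
set -eu

# Renewal CSR: same subject as the old certificate, brand-new private key.
make_renewal_csr() {  # old_cert new_key_out csr_out
  subj=$(openssl x509 -in "$1" -noout -subject |
    sed 's/^subject= *//; s/ *= */=/g; s/, */\//g; s/^/\//')
  openssl ecparam -genkey -name prime256v1 -noout -out "$2"
  openssl req -new -key "$2" -subj "$subj" -out "$3" 2>/dev/null
}

# "MATCH" if the CSR carries the old certificate's subject and a valid self-signature.
csr_subject_status() {  # old_cert csr
  old=$(openssl x509 -in "$1" -noout -subject)
  new=$(openssl req -in "$2" -noout -verify -subject 2>/dev/null | grep '^subject=' || true)
  if [ "$old" = "$new" ]; then echo MATCH; else echo MISMATCH; fi
}

# Sortable "YYYY-MM-DDTHH:MM:SS" key from a certificate's notAfter (no GNU date needed).
not_after_key() {  # cert
  openssl x509 -in "$1" -noout -enddate | awk -F= '{
    split($2, f, " ")
    m = index("JanFebMarAprMayJunJulAugSepOctNovDec", f[1])
    printf "%s-%02d-%02dT%s\n", f[4], (m + 2) / 3, f[2], f[3] }'
}

# The current certificate is the one expiring last; CLM itself treats both alike.
pick_current_cert() {  # cert...
  for c in "$@"; do printf '%s\t%s\n' "$(not_after_key "$c")" "$c"; done |
    sort | tail -n1 | cut -f2
}

# "ROTATED" if the two certificates carry different public keys, "REUSED" otherwise.
key_rotation_status() {  # cert_a cert_b
  a=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256 | awk '{print $NF}')
  b=$(openssl x509 -in "$2" -noout -pubkey | openssl dgst -sha256 | awk '{print $NF}')
  if [ "$a" != "$b" ]; then echo ROTATED; else echo REUSED; fi
}

# Constructed scenario: the original certificate is 20 days from expiry, so renewal is due.
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
openssl genrsa -out "$TMP/old.key" 2048 2>/dev/null
openssl req -x509 -new -key "$TMP/old.key" -days 20 \
  -subj "/C=DE/O=Example/CN=web.example.test" -out "$TMP/old.pem" 2>/dev/null
make_renewal_csr "$TMP/old.pem" "$TMP/new.key" "$TMP/renew.csr"
# Stand-in for the CA (in practice MTG CLM) returning the renewed certificate.
openssl x509 -req -in "$TMP/renew.csr" -signkey "$TMP/new.key" -days 365 \
  -out "$TMP/new.pem" 2>/dev/null

printf 'csr subject: %s\n' "$(csr_subject_status "$TMP/old.pem" "$TMP/renew.csr")"
printf 'current:     %s\n' "$(pick_current_cert "$TMP/old.pem" "$TMP/new.pem")"
printf 'key:         %s\n' "$(key_rotation_status "$TMP/old.pem" "$TMP/new.pem")"
```

Once `key_rotation_status` reports ROTATED and the renewed certificate is in place on the target system, the original certificate is the one to revoke; if it reports REUSED, the renewal extended the lifetime of the old key, which is rarely what you want.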
Certificate Status Management
Maintaining awareness of certificate status is essential for security and compliance.
OCSP Status Check
The Online Certificate Status Protocol (OCSP) provides real-time certificate validation:
- Verification of the current revocation status of a certificate.
- Confirmation that revocation actions have been properly processed.
- Validation of the operational status of your OCSP infrastructure.
The OCSP check requires network access to the OCSP responder. If a network error prevents the request, the status is shown as Unavailable. Unavailable means the revocation status could not be determined, not that the certificate is good; treat it as a check that still has to be completed, and if it persists, verify that the responder is reachable from MTG CLM.