
Certificate Lifecycle

Introduction

Lifecycle management, in the context of PKI, is the process by which end entities and certificates are managed from creation through revocation, re-issuance and deletion. Simply stated, the life of an end entity or certificate should be managed from inception through archival or purging from your PKI infrastructure. These functions are easily performed in the administrative web interface or from the command line interface (CLI).

In this lesson we will manage an end entity through its lifecycle from the CLI.

Entity Issuance and Maintenance

During the lifecycle of an end entity or certificate there are several required tasks and other tasks that apply only in certain situations. For instance, creating an end entity requires several mandatory steps. Once an end entity exists, however, you are not required to verify it, create certificates for it, or revoke or re-issue it; those tasks are situation specific.

Creation of Entity and Certificates

Creating an end entity and its associated certificates is the main function of a certificate authority. An administrator must be aware that issuing an end entity in no way attests to the identity of that end entity. Verifying an end entity's identity (whether an individual or a piece of equipment) should be performed before issuance of the end entity or any associated certificates is allowed, and is usually performed by some external function that is interfaced into the registration authority. For instance, when issuing an end entity to a user for authentication, an administrator should take physical or digital precautions to establish the identity of that user before providing the user with an end entity and the associated certificates. This can be done in a myriad of ways depending on the requirements of your organization.

Verification

Once an end entity or certificate is issued, administrators can verify the information related to that end entity or certificate before delivering it to the end entity for use. While this is an optional step, a quick command line check of the information being issued is recommended during initial testing and deployment to confirm that end entity profiles and other operational functions are configured correctly.

Certificate Lifecycle Events

Situation-specific revocation, re-issuance and unrevoking of an end entity are performed by an administrator or an automated process, either in reaction to an event or in anticipation of one. For instance, if an employee of an organization goes on an extended leave, the administrator can revoke the certificate with a status of On Hold, essentially suspending the certificate, which can then be un-revoked when the employee returns. Re-issuance and un-revoking are two entirely separate and distinct tasks. Re-issuance is the process in which new keys and certificates are generated for a specific end entity. Unrevoke is used for one task only: to restore a certificate that has been put in an On Hold status during revocation. Lastly, revocation is used to deactivate a certificate, making it invalid for its intended or any other use. Revoking a certificate does not delete the certificate; it simply invalidates it.
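The status transitions described above, written as a small Python model so the rules can be exercised: only a certificate on hold can be unrevoked, a permanent revocation is final, and re-issuance adds a new certificate without touching the old one's status or audit trail. This is an added example, not the product's own code or CLI; the class names, the audit-trail list and the serial numbers are assumptions, and the reason codes follow RFC 5280.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional

class Reason(IntEnum):
    # CRLReason codes from RFC 5280; CERTIFICATE_HOLD is the "On Hold" status above
    UNSPECIFIED = 0
    KEY_COMPROMISE = 1
    CERTIFICATE_HOLD = 6

class LifecycleError(Exception):
    pass

@dataclass
class Certificate:
    serial: int
    reason: Optional[Reason] = None               # None: not revoked
    history: list = field(default_factory=list)   # audit trail, kept even after revocation

    def status(self) -> str:
        if self.reason is None:
            return "valid"
        return "suspended" if self.reason == Reason.CERTIFICATE_HOLD else "revoked"

    def revoke(self, reason: Reason) -> None:
        # A hold may be escalated to a permanent reason; a permanent revocation is final
        if self.reason not in (None, Reason.CERTIFICATE_HOLD):
            raise LifecycleError(f"serial {self.serial} is already permanently revoked")
        self.reason = reason
        self.history.append(("revoke", reason.name))

    def unrevoke(self) -> None:
        # Unrevoke restores a certificate that is on hold and nothing else
        if self.reason != Reason.CERTIFICATE_HOLD:
            raise LifecycleError(f"serial {self.serial} is not on hold")
        self.reason = None
        self.history.append(("unrevoke", None))

@dataclass
class EndEntity:
    username: str
    certificates: list = field(default_factory=list)

    def reissue(self, serial: int) -> Certificate:
        # Re-issuance adds a new certificate; earlier ones keep their status and history
        cert = Certificate(serial)
        self.certificates.append(cert)
        return cert
```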

Deletion of an End Entity

Deletion of an end entity sounds like the simple task of removing that entity from the PKI infrastructure, but it must be done with extreme care. In many situations the PKI infrastructure is used for authentication, digital signing or other tasks that have legal implications, so maintaining the end entity and its associated audit trail of PKI activity is commonly desirable. It is better practice to use revocation to suspend or remove rights than to simply delete an end entity, because you retain the entity, its audit trail and other essential data that may be required for compliance or legal reasons.
