Managing Certificates

Access Creating a Certificate to learn how to set up certificates first. This guide explains how to manage your certificates in the Trust portal.

After creating certificates for mTLS authentication, you'll need to manage them throughout their lifecycle. This includes viewing, renewing, and revoking certificates as needed.

Viewing your certificates

To view your existing certificates:

Navigate to API Configurations:
- Log in to the Trust portal.
- From the dashboard, locate the navigation menu.
- Click on Settings (gear icon) in the menu.
- Select API Configurations from the menu.
- Click on the Certificates tab.
Certificate List:
- All your certificates will be displayed with their status (Active/Revoked), expiration date, and distinguished name.
- You can filter certificates by status as needed.

Certificate Limit: Each tenant can have a maximum of three active certificates at any time, unless they are renewal certificates as described below.

Certificate lifecycle management

Checking certificate details

Click on a certificate name in the list to view its details:
- Issuance date and expiration date (certificates are valid for 365 days)
- Certificate fingerprint
- Usage statistics
You can download the certificate again if needed (private key will not be available for download again if Caf generated it).

Renewing a certificate

Certificates have a validity period of 365 days and should be renewed before they expire. You can only renew a certificate when it's within 120 days of its expiration date.

Locate the Certificate:
- Find the certificate you want to renew in your certificates list.
- Certificates eligible for renewal will display a renewal status indicator.
- Click the three-dot menu (⋮) next to the certificate.
Certificate List with Renewal Option
Renew the Certificate:
- Select "Renew certificate" from the dropdown menu.
- In the confirmation dialog, review the information about the renewal.
- Click "Renew" to confirm and create a new certificate based on the current one.
Renew Certificate Dialog
Download the New Certificate:
- When the renewal process completes, you'll see a success modal with a "Download certificate" button.
- Download your new certificate immediately.
- The new certificate will have a validity period of 365 days from the renewal date.
Certificate Renewed

Certificate Limit Exception: When you renew certificates, both the original and renewed certificates remain active. This creates an exception to the three-certificate limit, allowing you to have up to 6 certificates (3 original and 3 renewed). This grace period lets you smoothly transition your applications to the new certificates.

Update Your Applications:
- Implement the new certificate in your applications while keeping the old one active.
- Test thoroughly before fully switching to the new certificate.

Revoking a certificate

If a certificate is compromised or no longer needed, you should revoke it immediately:

Locate the Certificate:
- Find the certificate in your certificates list.
- Click the three-dot menu (⋮) next to the certificate.
Revoke the Certificate:
- Select "Revoke certificate" from the dropdown.
- In the confirmation dialog, provide a reason for revocation.
- Click "Revoke" to confirm.

Once a certificate is revoked, it cannot be reinstated. You'll need to create a new certificate if needed.

Best practices for certificate management

Maintain an inventory of all your certificates with their expiration dates.
Set up reminders for certificate renewals at least 30 days in advance.
Implement certificate rotation procedures in your applications to smoothly transition between certificates.
Limit access to certificate management to authorized personnel only.
Regularly audit certificate usage and revoke unused certificates.
Have a documented process for handling certificate compromise incidents.

Next steps

Once your certificates are properly managed, learn how to use them with mTLS to secure your API communications with Caf.

Last updated 24 days ago