For AVX Native Initialization

  1. Go to (Menu) > PKI+ > Settings.
    The Settings page appears.
  2. Enter the fields as described in the table.
    Table 1. Field Description for General Settings section
    Field Description
    Custodian Admins Select two custodian administrators.
    Note:
    • Only the default administrators can add custodian administrators.
    • If custodian administrators are configured, only they have the authority to add or remove custodians. However, custodian administrators cannot be designated as custodians themselves.
    • SSO users cannot be custodian administrators.
    Select Certificate Authorities Select from the dropdown list.

    Certificates issued by selected authorities will be maintained in the Managed status in the CA inventory while certificates from unselected authorities will be maintained in the Monitored status in the CA inventory.
    *: Mandatory fields
  3. Click Save.
    A message, Details saved successfully, appears.
  4. Upload the CPS document.
    Table 2. Fields for CPS Upload section
    Field Description
    *Upload CPS A CPS (Certification Practice Statement) is a comprehensive document that defines the practices, procedures, and responsibilities of a Certificate Authority (CA) in issuing and managing digital certificates. It offers transparency into the CA's operations, detailing how certificates are requested, validated, issued, renewed, revoked, and how the CA ensures the security and integrity of these processes.

    The CPS is a critical element in PKI that establishes the trust framework governing the CA's activities. It is especially important for auditors, relying parties (those who verify certificates), and relying organizations to understand the CA’s operational procedures, security safeguards, and risk management strategies.

    CP and CPS are configurable under templates as per the customer policies. Customers can also upload their CPS document (.pdf) to PKIaaS for hosting. In this case, the CPS URL will be auto generated while template configuration. The certificate policy link present in the template will be part of the issued certificate's policy extension.
    Note: If you are using AppViewX to host, then by default the URI is generated for the template that is reflected in the certificate, so the default URI has to be retained as is. If any changes are made, then those changes will be reflected in the certificate and the CPS will not be hosted.
    *: Mandatory fields
  5. Click Upload.
    A message, CPS document uploaded, appears.
  6. Enter the following information in the Alerts section:
    • AppViewX Native CA Certificate Expiry
    • AppViewX Native OCSP Responder Health
    • AppViewX Native OCSP Responder Certificate/Signing Key
    • AppViewX Native CRL Availability
    • AppViewX Native CRL Certificate and Validity.
  7. Click Save.

AppViewX Native CA Certificate Expiry

Use this section to configure certificate expiry alerts for AppViewX Native PKI. Set alert thresholds, choose notification methods (email or in-app), and specify recipients to ensure timely certificate renewal and prevent PKI service disruptions.
  1. Enable/Disable the CA Certificate Expiry alerts.
    Table 3. Fields to configure AppViewX Native CA Certificate Expiry section
    Field Description
    CA Certificate Expiry By default, this check box is not selected. Select the check box to display the following fields:
    Field Description
    *Alert when expiring within Triggers an alert when the item is within the specified number of days before its expiration date.
    Preferred Communication Method Select from the following options by which you would like to be notified about the impending alert:
    • Via Email (default)
    • In-App Communication
    • Both
    Recipient Category When the configured threshold is reached, the system sends an alert to the selected recipients. Choose one of the following recipient types:
    • User (default)
    • User Group
    • Email/Distro
    After you select a recipient type, a text field appears where you can specify the corresponding recipients, such as users, user groups, or email/distribution addresses.
    *: Mandatory fields
  2. Click Save.
    A message, Alert settings saved successfully, appears.
    Note:
    • You can disable the alert by simply unselecting the CA Certificate Expiry check box.
    • Whatever updates are made to alerts on the Settings page will be updated automatically for the AppViewX Native CA Alerts in the Notification Center. If you make any updates to the AppViewX Native CA Alerts in the Notification Center, then the same will be reflected in the Alerts section of the Settings page.

AppViewX Native OCSP Responder Health

Configure alerts to monitor OCSP responder availability and signing certificate status. Select alert conditions, notification methods (email or in-app), and recipients to receive timely notifications when the responder becomes unavailable or certificate issues occur.
  1. Enable/Disable the OCSP Responder Unavailable alerts.
    Table 4. Fields to configure AppViewX Native OCSP Health Responder section
    Field Description
    OCSP Responder Unavailable By default, this check box is not selected. Select the check box to display the following fields:
    Field Description
    Preferred Communication Method Select from the following options by which you would like to be notified about the impending alert:
    • Via Email (default)
    • In-App Communication
    • Both
    Recipient Category When the configured threshold is reached, the system sends an alert to the selected recipients. Choose one of the following recipient types:
    • User (default)
    • User Group
    • Email/Distro
    After you select a recipient type, a text field appears where you can specify the corresponding recipients, such as users, user groups, or email/distribution addresses.
    *: Mandatory fields
  2. Click Save.
    A message, Alert settings saved successfully, appears.
    Note:
    • You can disable the alert by simply unselecting the OCSP Health responder check box.
    • Whatever updates are made to alerts on the Settings page will be updated automatically for the AppViewX Native CA Alerts in the Notification Center. If you make any updates to the AppViewX Native CA Alerts in the Notification Center, then the same will be reflected in the Alerts section of the Settings page.

AppViewX Native OCSP Responder Certificate/Signing Key

Configure alerts to monitor OCSP responder certificate status, including expiration, missing certificates, and expired signing certificates. Set alert thresholds, select notification methods (email or in-app), and define recipients to maintain responder availability and prevent certificate validation failures.
  1. Enable/Disable the OCSP Responder Certificate Expiry alerts.
    Table 5. Fields to configure OCSP Responder Certificate Expiry section
    Field Description
    OCSP Responder Certificate Expiry By default, this check box is not selected. Select the check box to display the following fields:
    Field Description
    *Alert when expiring within Triggers an alert when the item is within the specified number of days before its expiration date.
    Preferred Communication Method Select from the following options by which you would like to be notified about the impending alert:
    • Via Email (default)
    • In-App Communication
    • Both
    Recipient Category When the configured threshold is reached, the system sends an alert to the selected recipients. Choose one of the following recipient types:
    • User (default)
    • User Group
    • Email/Distro
    After you select a recipient type, a text field appears where you can specify the corresponding recipients, such as users, user groups, or email/distribution addresses.
    *: Mandatory fields
  2. Click Save.
    A message, Alert settings saved successfully, appears.
  3. Enable/Disable the OCSP Responder Certificate Missing/Not Configured alerts.
    Table 6. Fields to configure OCSP Responder Certificate Missing/Not Configured section
    Field Description
    OCSP Responder Certificate Missing/Not Configured By default, this check box is not selected. Select the check box to display the following fields:
    Field Description
    Preferred Communication Method Select from the following options by which you would like to be notified about the impending alert:
    • Via Email (default)
    • In-App Communication
    • Both
    Recipient Category When the configured threshold is reached, the system sends an alert to the selected recipients. Choose one of the following recipient types:
    • User (default)
    • User Group
    • Email/Distro
    After you select a recipient type, a text field appears where you can specify the corresponding recipients, such as users, user groups, or email/distribution addresses.
    *: Mandatory fields
  4. Click Save.
    A message, Alert settings saved successfully, appears.
  5. Enable/Disable the OCSP Responder Using Expired Signing Certificate alerts.
    Table 7. Fields to configure OCSP Responder Using Expired Signing Certificate section
    Field Description
    OCSP Responder Using Expired Signing Certificate By default, this check box is not selected. Select the check box to display the following fields:
    Field Description
    Preferred Communication Method Select from the following options by which you would like to be notified about the impending alert:
    • Via Email (default)
    • In-App Communication
    • Both
    Recipient Category When the configured threshold is reached, the system sends an alert to the selected recipients. Choose one of the following recipient types:
    • User (default)
    • User Group
    • Email/Distro
    After you select a recipient type, a text field appears where you can specify the corresponding recipients, such as users, user groups, or email/distribution addresses.
    *: Mandatory fields
  6. Click Save.
    A message, Alert settings saved successfully, appears.
    Note:
    • You can disable the alert by simply unselecting the OCSP Responder Certificate Expiry/OCSP Responder Certificate Missing/Not Configured/OCSP Responder Using Expired Signing Certificate check box.
    • Whatever updates are made to alerts on the Settings page will be updated automatically for the AppViewX Native CA Alerts in the Notification Center. If you make any updates to the AppViewX Native CA Alerts in the Notification Center, then the same will be reflected in the Alerts section of the Settings page.

AppViewX Native CRL Availability

Use this section to configure CRL publication failure alerts for AppViewX Native PKI. Enable alerts when a CRL cannot be published to its configured distribution point, choose notification methods (email or in-app), and specify recipients so that publication issues are detected early and revocation information remains available.
  1. Enable/Disable the CRL Publication Failure alerts.
    Table 8. Fields to configure CRL Publication Failure section
    Field Description
    CRL Publication Failure By default, this check box is not selected. Select the check box to display the following fields:
    Field Description
    Preferred Communication Method Select from the following options by which you would like to be notified about the impending alert:
    • Via Email (default)
    • In-App Communication
    • Both
    Recipient Category When the configured threshold is reached, the system sends an alert to the selected recipients. Choose one of the following recipient types:
    • User (default)
    • User Group
    • Email/Distro
    After you select a recipient type, a text field appears where you can specify the corresponding recipients, such as users, user groups, or email/distribution addresses.
    *: Mandatory fields
  2. Click Save.
    A message, Alert settings saved successfully, appears.
  3. Use this section to configure CRL Not Generated on Schedule alerts for AppViewX Native PKI. Set delay thresholds in hours for when a scheduled CRL is not generated on time, choose notification methods (email or in-app), and specify recipients to ensure CRLs are regenerated promptly.
  4. Enable/Disable the CRL Not Generated on Schedule alerts.
    Table 9. Fields to configure CRL Not Generated on Schedule section
    Field Description
    CRL Not Generated on Schedule By default, this check box is not selected. Select the check box to display the following fields:
    Field Description
    *Alert if Delayed By Triggers an alert when CRL generation exceeds the scheduled time by the specified hours (1-24 hours).
    Preferred Communication Method Select from the following options by which you would like to be notified about the impending alert:
    • Via Email (default)
    • In-App Communication
    • Both
    Recipient Category When the configured threshold is reached, the system sends an alert to the selected recipients. Choose one of the following recipient types:
    • User (default)
    • User Group
    • Email/Distro
    After you select a recipient type, a text field appears where you can specify the corresponding recipients, such as users, user groups, or email/distribution addresses.
    *: Mandatory fields
  5. Click Save.
    A message, Alert settings saved successfully, appears.
    Note:
    • You can disable the alert by simply unselecting the CRL publication failure/CRL Not Generated on Schedule check box.
    • Whatever updates are made to alerts on the Settings page will be updated automatically for the AppViewX Native CA Alerts in the Notification Center. If you make any updates to the AppViewX Native CA Alerts in the Notification Center, then the same will be reflected in the Alerts section of the Settings page.

AppViewX Native CRL Certificate and Validity

Use this section to configure CRL expiry alerts for AppViewX Native PKI. Define how many hours before CRL expiry an alert should trigger, choose notification methods (email or in-app), and specify recipients so that CRLs are renewed and published before they expire, preventing revocation data from going stale.
  1. Enable/Disable the CRL Expiry alerts.
    Table 10. Fields to configure CRL Expiry section
    Field Description
    CRL Expiry By default, this check box is not selected. Select the check box to display the following fields:
    Field Description
    *Alert when expiring within Triggers an alert when the CRL is within the specified hours before expiration (minimum 1 hour, maximum 168 hours).
    Preferred Communication Method Select from the following options by which you would like to be notified about the impending alert:
    • Via Email (default)
    • In-App Communication
    • Both
    Recipient Category When the configured threshold is reached, the system sends an alert to the selected recipients. Choose one of the following recipient types:
    • User (default)
    • User Group
    • Email/Distro
    After you select a recipient type, a text field appears where you can specify the corresponding recipients, such as users, user groups, or email/distribution addresses.
    *: Mandatory fields
  2. Click Save.
    A message, Alert settings saved successfully, appears.
    Note:
    • You can disable the alert by simply unselecting the CRL Expiry check box.
    • Whatever updates are made to alerts on the Settings page will be updated automatically for the AppViewX Native CA Alerts in the Notification Center. If you make any updates to the AppViewX Native CA Alerts in the Notification Center, then the same will be reflected in the Alerts section of the Settings page.
What to do Next:
  • Enable Templates and Issue Certificate functions by going to (Menu) > Platform > Role. Search for the created administrator role and click the link. Switch to the Authorized functions tab and select the Templates and Issue Certificate check boxes in the PKI module.