CA Actions

Prerequisites

Prior to performing any action on the CA, ensure that you have the necessary role-based access controls and workflow access pertaining to the CA request.

You can perform the following actions from the Actions menu of the PKIaaS Management page:

Enable

You can enable a root CA or a subordinate CA. Certificates can be issued from this CA. CRLs are generated for this CA.

To enable a CA:

  1. Go to (Menu) icon > PKI+ > CA Inventory.
    The CA Inventory page appears.
  2. Select the check box against the CA Name you want to enable.
  3. Click Actions and select Enable from the dropdown menu.

    The approval status of the CA changes to Enable - Approval Pending. If you want to abort the action, then click Abort.

  4. An email from AppViewX PKIaaS for approval is sent to all active custodians. Approval can be done either via email or by clicking the (Notification Center) on the top right-hand corner of the page. Once the approval meets the quorum value, the CA is enabled. The approval status of the CA changes to Enable - Approved and the status changes to Active. If the request is rejected, then the approval status of the CA changes to Enable - Rejected. Click Resubmit if the action fails for any reason.

    A message that the operation is performed successfully appears.

    You can follow the aforesaid steps to enable CAs.

    You can view all the enabled CAs by selecting the Enabled option from Filter by Status.

Disable

You can disable a root CA or a subordinate CA. No certificates can be issued from a disabled CA. CRLs will still be generated.

To disable a CA:

  1. Go to (Menu) icon > PKI+ > CA Inventory.
    The CA Inventory page appears.
  2. Select the check box against the CA Name you want to disable.
  3. Click Actions and select Disable from the dropdown menu.
    The approval status of the CA changes to Disable - Approval Pending and the status remains as Active. If you want to abort the action, then click Abort.
  4. An email from AppViewX PKIaaS for approval is sent to all active custodians. Approval can be done either via email or by clicking the (Notification Center) on the top right-hand corner of the page. Once the approval meets the quorum value, the CA is disabled. The approval status of the CA changes to Disable - Approved and the status to Disabled. If the request is rejected, then the approval status changes to Disable - Rejected and the status remains as Active. Click Resubmit if the action fails for any reason.
    You can follow the aforesaid steps to disable CAs.

    You can view all the disabled CAs by selecting the Disabled option from Filter by Status.

Renew

CA certificates are fundamental to public key infrastructure (PKI) systems. When the CA certificate approaches its expiration date, it is crucial to renew it to maintain the integrity of encrypted communications and the security of the entire ecosystem relying on it.

If you want to extend the validity of the current CA using the same private key, you can renew it within the existing PKI inventory.
Note: Renewal action is applicable only for certificates issued by AVX Native CA.
Before starting the renewal process, ensure that you:
  • Check the expiration date of the existing CA certificate.
  • Identify all dependent systems, certificates, and services relying on the CA to be renewed.
  • Review the signature algorithms and the certificate policies to ensure they adhere to the current security standards.

To renew a CA:

  1. Go to (Menu) icon > PKI+ > CA Inventory.
    The CA Inventory page appears.
  2. Select the check box against the CA Name you want to renew.
  3. Click Actions and select Renew from the dropdown menu.
    The Renew CA page is displayed.
    Note: All fields are read-only except for Template, Valid for, Configure CA Subject DN Detail, and Key Size and Algorithm.
  4. Enter the renewal period in the Valid for field.
  5. Modify the Key Size and Algorithm, if required.
  6. Click Renew.
    A Confirm CA Renewal pop-up window is displayed, stating that all references to the previous CA certificate will be replaced with the newly renewed CA certificate in the auto-enrollment, policy and enrollment pages.
  7. Click Proceed to confirm the changes.
    The custodians receive an email with the subject line, PKIaaS CA Management: CA renewal, in their inbox. Approval can be done either via email or by clicking the (Notification Center) on the top right-hand corner of the page.

    Once the necessary custodian approvals are completed, the Approval Status changes from Renewal - Approval Pending to Renewal Approved.

What to do next:
  • You can enroll certificates by referring to the steps detailed in the Section, Adding/Enrolling Certificate.
  • You can click the View Certificate icon and click the Common Name to access the holistic view and download the certificate.
  • You can view the audit log.
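
The pre-renewal checks and the effect of a same-key renewal, reproduced on a throwaway lab CA with the openssl CLI. This is an added example, not AppViewX code or part of the product procedure; the subject names, file names and the 30-day threshold are assumptions.

```shell
#!/bin/sh
# Added example on a throwaway lab CA (constructed data, not AppViewX code).

# Pre-renewal check: 0 = OK, 1 = expires within $2 days, 2 = MD5/SHA-1 signature.
ca_precheck() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null || return 1
    openssl x509 -in "$1" -noout -text | grep 'Signature Algorithm' |
        grep -Eqi 'md5|sha1' && return 2
    return 0
}

# Lab CA valid for 20 days, plus one end-entity certificate issued from it.
make_lab_ca() {   # $1 = work directory
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 20 \
        -subj "/CN=Lab CA (constructed)" \
        -keyout "$1/ca.key" -out "$1/ca_old.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=leaf.example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ca_old.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 10 -out "$1/leaf.pem" 2>/dev/null
}

# Renewal: new certificate and validity, SAME private key and subject.
renew_same_key() {   # $1 = work directory, $2 = validity in days
    openssl req -x509 -new -key "$1/ca.key" -sha256 -days "$2" \
        -subj "/CN=Lab CA (constructed)" -out "$1/ca_new.pem" 2>/dev/null
}

# SHA-256 of the certificate's public key; equal hashes mean the same key pair.
spki_hash() {
    openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}

# Does a previously issued certificate ($2) chain to CA certificate $1?
leaf_verifies() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

demo() {
    d=$(mktemp -d) && make_lab_ca "$d" || return 1
    ca_precheck "$d/ca_old.pem" 30; echo "precheck, old CA cert: $?"
    renew_same_key "$d" 365
    ca_precheck "$d/ca_new.pem" 30; echo "precheck, renewed CA cert: $?"
    [ "$(spki_hash "$d/ca_old.pem")" = "$(spki_hash "$d/ca_new.pem")" ] &&
        echo "public key unchanged"
    leaf_verifies "$d/ca_new.pem" "$d/leaf.pem" &&
        echo "certificate issued before renewal still chains to the renewed CA"
    rm -rf "$d"
}
demo
```

End-entity certificates whose Authority Key Identifier pins the issuing certificate's serial number, rather than only the key identifier, would not chain to a renewed CA certificate, so include that field when identifying dependent certificates.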

Revoke

Certificate revocation is the process of invalidating a digital certificate before its scheduled expiration date. Revocation is typically done when a CA’s certificate is compromised, expired, or no longer needed. This is done to ensure the security and trustworthiness of systems that rely on certificates for authentication, encryption, and secure communication. As soon as the certificate is revoked, the certificate is no longer considered to be trusted. Revoked certificates are listed in the Certificate Revocation List (CRL) maintained by each certificate authority.
Note: Revocation can be performed only on PKIaaS subordinate CAs.

To revoke a CA:

  1. Go to (Menu) icon > PKI+ > CA Inventory.
    The CA Inventory page appears.
  2. Select the check box against the CA Name you want to revoke.
  3. Click Actions and select Revoke from the dropdown menu.
    The CA Certificate Revoke window is displayed.
  4. Select the reason for revocation from the dropdown list.

    By default, the reason for revocation is set to Key compromise, and the Revoke All Certificates checkbox is disabled. This action will revoke every CA certificate linked to this private key, including all the renewed versions. As a result, all related end-entity certificates will be invalidated.

    On selecting a different revocation reason and unselecting the Revoke All Certificates checkbox, you can revoke only the currently active CA certificate linked to this private key. As a result, all related end-entity certificates will be invalidated.

  5. Click Revoke.
    The following message is displayed: Revoking this Certificate Authority (CA) may disrupt certificate validation and affect trust for all issued certificates. Please ensure that you understand the impact before proceeding with revocation. This will affect the autoenrollment configuration. Please verify the autoenrollment settings having this CA.
  6. Click Proceed to confirm the changes.
    The custodians receive an email with the subject line, PKIaaS CA Management: CA revocation, in their inbox. Approval can be done either via email or by clicking the (Notification Center) on the top right-hand corner of the page.

    Once the necessary custodian approvals are completed, the Approval Status changes from Revocation - Approval Pending to Revocation Approved.

    You can view all the revoked CAs by selecting the Revoked option from Filter by Status.

Delete

Before you begin:
  • Remove the CA you want to delete from any auto-enrollment settings, policies, or workflows that are used to issue or revoke certificates from that CA.
  • Run a CA discovery to retrieve all the valid certificates issued by that CA, so that any unrevoked and unexpired certificates that may have been deleted from the AppViewX inventory can be found and revoked.

You can delete a root CA or a subordinate CA (PKIaaS or external). Once the CA has been deleted, no new certificates can be issued from this CA and no new CRLs will be generated.

To delete a CA:

  1. Go to (Menu) icon > PKI+ > CA Inventory.
    The CA Inventory page appears.
  2. Select the check box against the CA you want to delete.
  3. Click Actions and select Delete from the dropdown menu.
    Note:
    • If you are deleting a subordinate CA and if there are valid certificates issued by the CA, then you get a message that you must first revoke the certificates and the CA certificate before deleting the CA. The revocation of certificates is permanent and not reversible. Click Continue to view the certificates that will be revoked. Click Revoke and Delete CA.
    • If the CA has no active certificates, then the delete workflow is triggered.

    The approval status of the CA changes to Delete - Approval Pending. If you want to abort the action, then click Abort.

  4. An email from AppViewX PKIaaS for approval is sent to all active custodians. Approval can be done either via email or by clicking the (Notification Center) on the top right-hand corner of the page. Once the approval meets the quorum value, the approval status of the CA changes to Delete - Approved and the status changes to Deleted. If the request is rejected, then the approval status of the CA changes to Delete - Rejected. Click Resubmit if the action fails for any reason.
    A message that the operation is performed successfully appears.
    Note:
    • If deletion fails, reach out to [email protected].
    • You can view all the deleted CAs by selecting the Deleted option from Filter by Status.