11.3.6.1. The command bar of PKI management

The Command bar of the PKI management window contains the different commands that can be issued for the certificate or the CA selected.

PKI management commands

Figure 11.8. PKI management commands

The available commands are:

  • Sign: This action is available only for internal CAs, used to sign certificate signing requests (CSRs). After clicking on it, a list of unsigned CSRs is displayed. The list shows the distinguished names of the CSRs. Parameters for the certificate to be signed can be overridden here (period of validity, X.509 extensions, and so on).

    Note

    It is possible to multi-select a number of certificates for this activity, that is to sign multiple internal CAs or CSRs at once.

  • Refresh: This command can be used to refresh certificates, that is, to renew them by extending their validity period if expired, or also to create new keys to the certificate. Key generation is only performed if the Regenerate private key checkbox is selected.

    Tip

    It is recommended to regenerate the keys as well when refreshing a certificate for any reason.

  • Refresh CRL: It is available only for CAs. The CRL of the CA is valid until the time specified. The refreshed CRL will only be used on the managed hosts after distribution. MS distributes certificate entities, that is, when distributing certificates the corresponding CRLs are automatically distributed as well.

  • Revoke: It is available only for certificates signed by an internal CA. It marks the certificate as invalid and adds it to the CRL of the CA. CA certificates can also be revoked this way.

    Note

    Self-signed certificates (that is, certificates of local root CAs) cannot be revoked.

    Note

    It is possible to multi-select a number of certificates for the Revoke activity. However, if the Issuer of the selected certificates is not the same, the Revoke button will not be active.

    Note

    If any certificate selected for Revoke is in use in the current configuration, a warning will be displayed to inform the administrator. It is important that in case a certificate is in use, it cannot be revoked. If the certificate in use is part of a multiple selection of certificates for the Revoke activity, none of the selected certificates will be revoked.

    If any of the certificates selected for Revoke is used in the configuration, a similar warning is displayed:

    Certificate used in the configuration warning

    Figure 11.9. Certificate used in the configuration warning

The table below briefly summarizes the CAs created and used by default in PNS.

Name of the CAPurpose
MS_Root_CA The Root CA of PNS is used to sign certificates of all other local CAs in PNS.
MS_Engine_CA It signs the certificate of the MS engine.
MS_Agent_CA It signs the certificates of the transfer agents.

Table 11.1. Default CAs and their purpose

For details on configuring agent and engine certificates, please refer to Chapter 13, Advanced MS and Agent configuration.