Updated on 2022-07-08 GMT+08:00

Managing the Private CA Lifecycle

Creating a CA

Private CAs are classified into root CAs and subordinate CAs, and you specify the type when you create a CA. A root CA is created directly from a digital signature certificate. A subordinate CA is subordinate to a parent CA, so the parent CA must exist before the subordinate CA is created. With PCA, you can create:

  • A root CA. After a root CA is created, it is in the Activated status by default. The key usage of a root CA is fixed to digital signature, certificate signing, and CRL signing and cannot be customized, so a root CA can be used only to issue certificates, revoke certificates, and sign certificate revocation lists (CRLs).
  • A subordinate CA that is activated on creation. A subordinate CA created this way is in the Activated status immediately. By default, the key usage of a subordinate CA is the same as that of the root CA, but you can customize the key usage of a subordinate CA.
  • A subordinate CA that is not activated on creation. After such a subordinate CA is created, it is in the Pending activation status. A subordinate CA in this status cannot be used for anything until it is activated, and you can delete it directly.

Private CAs may share the same common name, so it is recommended that you add an identifier to distinguish them, for example, ROOT CA G0 and ROOT CA G1.

Activating a CA

A subordinate CA in the Pending activation status cannot be used until you activate it. Once a subordinate CA is activated, billing starts, and the CA cannot be returned to the Pending activation status.

Disabling a CA

After you disable a private CA, it cannot issue certificates, but it can still revoke certificates and sign CRLs. Only activated private CAs can be disabled. After you disable a private CA, its status changes to Disabled.

Generally, if a CA is about to expire, it is disabled to ensure that new certificates are issued by a new CA. The old CA can still revoke certificates it issued. Old certificates can still work before they are replaced by the new ones.

Enabling a CA

You can enable a Disabled private CA and use it to issue certificates again. After you enable a Disabled private CA, its status changes to Activated.

Deleting a CA

You can delete a private CA. To prevent accidental deletion, the PCA service applies a different deletion policy to CAs in each status.

  • Disabled and Expired: Only scheduled deletion is allowed. You can schedule a delay of 7 to 30 days before the CA is actually deleted. During the scheduled deletion period, the CA is in the Pending deletion status, and you can cancel the deletion to restore the CA to the Disabled or Expired status. Once the scheduled deletion time is reached, the CA is deleted as planned and cannot be restored.
  • Pending activation or Revoked: CAs in these statuses can only be deleted immediately. The deletion takes effect at once and cannot be undone.
  • Activated: An activated CA cannot be directly deleted. To delete it, disable it first.

After a private CA is deleted permanently, all certificates under it cannot be revoked, all private certificates issued by it or its subordinate CAs cannot be exported, and the CRL cannot be updated. Exercise caution when performing this operation.

  • Before deleting a private CA, check whether the private CA is still in use and whether your PKI system will be unavailable after the deletion.
  • If the private CA is no longer used, revoke all of its certificates that have not yet expired and remove them from the trust lists of all terminals before deleting the CA. (If the private CA is a subordinate CA, revoke the CA itself and then delete it.)

Canceling Deletion of a Private CA

You can restore a private CA in the Pending deletion status to the status it had before the deletion was scheduled.

If you cancel a scheduled deletion, the pending deletion period of the private CA will still be billed. Exercise caution when performing this operation.

Revoking a Private CA

You can revoke a subordinate CA that is no longer used or whose key material has been leaked. A revoked subordinate CA can no longer be used and cannot be restored. If CRL configuration is enabled for the parent CA, the revocation can be looked up in the CRL of the parent CA.

  • Revoking a CA is a risky operation. Exercise caution when performing this operation.
  • During certificate validation, the certificate revocation list (CRL) must be queried to check whether the certificate has been revoked. Otherwise, a revoked certificate may be accepted during communications, which incurs security risks.
  • If a private CA is revoked, all certificates issued by it or its child CAs are put into the CRL and no longer trusted. Any validation of certificate chains containing the revoked private CA fails.
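The lifecycle rules in the sections above (creating, activating, disabling, enabling, deleting, canceling deletion and revoking a CA) together with the CRL check during chain validation, as an added example that is not part of this page and not the PCA service's own code: a Python model of the CA state machine. The CA names, certificate serials and the integer day counter that stands in for timestamps are constructed stand-ins, and the Deleted marker is invented for the model; the service exposes no such status.

```python
"""Constructed model of the private CA lifecycle rules described on this page."""
from dataclasses import dataclass, field
from typing import Optional

# Statuses as named on the page; DELETED is an invented terminal marker.
PENDING_ACTIVATION = "Pending activation"
ACTIVATED = "Activated"
DISABLED = "Disabled"
EXPIRED = "Expired"
PENDING_DELETION = "Pending deletion"
REVOKED = "Revoked"
DELETED = "Deleted"

class LifecycleError(Exception):
    """An operation that the CA's current status does not allow."""

@dataclass
class PrivateCA:
    name: str
    serial: str                               # constructed serial of the CA's own certificate
    parent: Optional["PrivateCA"] = None      # None marks a root CA
    status: str = PENDING_ACTIVATION
    issued: set = field(default_factory=set)  # serials of certificates this CA has issued
    crl: set = field(default_factory=set)     # serials this CA has revoked (its CRL)
    status_before_deletion: Optional[str] = None
    delete_on_day: Optional[int] = None       # integer day counter stands in for a timestamp

def _require(ca: PrivateCA, *allowed: str) -> None:
    if ca.status not in allowed:
        raise LifecycleError(f"{ca.name}: not allowed while '{ca.status}'")

def create_root_ca(name: str, serial: str) -> PrivateCA:
    return PrivateCA(name, serial, status=ACTIVATED)  # a root CA starts Activated

def create_subordinate_ca(name: str, serial: str, parent: PrivateCA, activate: bool) -> PrivateCA:
    _require(parent, ACTIVATED)  # the parent must already exist and be able to issue
    parent.issued.add(serial)
    return PrivateCA(name, serial, parent, ACTIVATED if activate else PENDING_ACTIVATION)

def activate(ca: PrivateCA) -> None:
    _require(ca, PENDING_ACTIVATION)  # billing starts; no way back to Pending activation
    ca.status = ACTIVATED

def disable(ca: PrivateCA) -> None:
    _require(ca, ACTIVATED)
    ca.status = DISABLED

def enable(ca: PrivateCA) -> None:
    _require(ca, DISABLED)
    ca.status = ACTIVATED

def issue_certificate(ca: PrivateCA, serial: str) -> None:
    _require(ca, ACTIVATED)  # Disabled and Pending activation CAs cannot issue
    ca.issued.add(serial)

def revoke_certificate(ca: PrivateCA, serial: str) -> None:
    _require(ca, ACTIVATED, DISABLED)  # a Disabled CA can still revoke and sign its CRL
    if serial not in ca.issued:
        raise LifecycleError(f"{serial} was not issued by {ca.name}")
    ca.crl.add(serial)

def revoke_ca(ca: PrivateCA) -> None:
    if ca.parent is None:
        raise LifecycleError("only a subordinate CA can be revoked")
    revoke_certificate(ca.parent, ca.serial)  # the revocation is published in the parent's CRL
    ca.status = REVOKED

def delete_ca(ca: PrivateCA, today: int, delay_days: Optional[int] = None) -> None:
    if ca.status in (DISABLED, EXPIRED):  # only scheduled deletion, 7 to 30 days out
        if delay_days is None or not 7 <= delay_days <= 30:
            raise LifecycleError("scheduled deletion delay must be 7 to 30 days")
        ca.status_before_deletion, ca.delete_on_day = ca.status, today + delay_days
        ca.status = PENDING_DELETION
    elif ca.status in (PENDING_ACTIVATION, REVOKED):  # immediate and irreversible
        ca.status = DELETED
    else:
        raise LifecycleError(f"{ca.name}: cannot delete while '{ca.status}' (disable an Activated CA first)")

def cancel_deletion(ca: PrivateCA) -> None:
    _require(ca, PENDING_DELETION)  # restores the status held before deletion was scheduled
    ca.status, ca.status_before_deletion, ca.delete_on_day = ca.status_before_deletion, None, None

def run_scheduled_deletion(ca: PrivateCA, today: int) -> str:
    if ca.status == PENDING_DELETION and today >= ca.delete_on_day:
        ca.status = DELETED
    return ca.status

def chain_is_trusted(leaf_serial: str, issuer: PrivateCA) -> bool:
    """Validate leaf -> issuer -> ... -> root, consulting each issuer's CRL on the way up."""
    if leaf_serial not in issuer.issued or leaf_serial in issuer.crl:
        return False
    ca = issuer
    while ca is not None:
        if ca.status == REVOKED or (ca.parent is not None and ca.serial in ca.parent.crl):
            return False  # a revoked CA breaks every chain that passes through it
        ca = ca.parent
    return True
```

Two points the model makes visible: a Disabled CA refuses `issue_certificate` but still accepts `revoke_certificate`, which is why an expiring CA is disabled rather than deleted; and `chain_is_trusted` fails as soon as any CA on the path is revoked or appears in its parent's CRL, so a validator that skips the CRL lookup would keep trusting certificates below a revoked subordinate CA.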

Procedure for Handling CA Expiration

When a private CA expires, the private CA status will be changed to Expired.