[{"data":1,"prerenderedAt":846},["ShallowReactive",2],{"navigation_docs":3,"-docs-concepts-certificate-lifecycle":86,"-docs-concepts-certificate-lifecycle-surround":841},[4,22,31,48,65],{"title":5,"path":6,"stem":7,"children":8,"page":21},"Api","\u002Fdocs\u002Fapi","docs\u002Fapi",[9,13,17],{"title":10,"path":11,"stem":12},"CLI Reference","\u002Fdocs\u002Fapi\u002Fcli-reference","docs\u002Fapi\u002F1.cli-reference",{"title":14,"path":15,"stem":16},"ZMQ Protocol Reference","\u002Fdocs\u002Fapi\u002Fzmq-protocol","docs\u002Fapi\u002F2.zmq-protocol",{"title":18,"path":19,"stem":20},"Error Codes","\u002Fdocs\u002Fapi\u002Ferror-codes","docs\u002Fapi\u002F3.error-codes",false,{"title":23,"path":24,"stem":25,"children":26,"page":21},"Community","\u002Fdocs\u002Fcommunity","docs\u002Fcommunity",[27],{"title":28,"path":29,"stem":30},"Contributing","\u002Fdocs\u002Fcommunity\u002Fcontributing","docs\u002Fcommunity\u002F1.contributing",{"title":32,"path":33,"stem":34,"children":35,"page":21},"Concepts","\u002Fdocs\u002Fconcepts","docs\u002Fconcepts",[36,40,44],{"title":37,"path":38,"stem":39},"Architecture","\u002Fdocs\u002Fconcepts\u002Farchitecture","docs\u002Fconcepts\u002F1.architecture",{"title":41,"path":42,"stem":43},"Certificate Lifecycle","\u002Fdocs\u002Fconcepts\u002Fcertificate-lifecycle","docs\u002Fconcepts\u002F2.certificate-lifecycle",{"title":45,"path":46,"stem":47},"Security Model","\u002Fdocs\u002Fconcepts\u002Fsecurity-model","docs\u002Fconcepts\u002F3.security-model",{"title":49,"path":50,"stem":51,"children":52,"page":21},"Getting Started","\u002Fdocs\u002Fgetting-started","docs\u002Fgetting-started",[53,57,61],{"title":54,"path":55,"stem":56},"Introduction","\u002Fdocs\u002Fgetting-started\u002Fintroduction","docs\u002Fgetting-started\u002F1.introduction",{"title":58,"path":59,"stem":60},"Installation","\u002Fdocs\u002Fgetting-started\u002Finstallation","docs\u002Fgetting-started\u002F2.installation",{"title":62,"path":63,"stem":64},"Quick 
Start","\u002Fdocs\u002Fgetting-started\u002Fquick-start","docs\u002Fgetting-started\u002F3.quick-start",{"title":66,"path":67,"stem":68,"children":69,"page":21},"Guides","\u002Fdocs\u002Fguides","docs\u002Fguides",[70,74,78,82],{"title":71,"path":72,"stem":73},"Configuration","\u002Fdocs\u002Fguides\u002Fconfiguration","docs\u002Fguides\u002F1.configuration",{"title":75,"path":76,"stem":77},"Certificate Profiles","\u002Fdocs\u002Fguides\u002Fcertificate-profiles","docs\u002Fguides\u002F2.certificate-profiles",{"title":79,"path":80,"stem":81},"Docker Deployment","\u002Fdocs\u002Fguides\u002Fdocker-deployment","docs\u002Fguides\u002F3.docker-deployment",{"title":83,"path":84,"stem":85},"Importing an Existing CA","\u002Fdocs\u002Fguides\u002Fimporting-existing-ca","docs\u002Fguides\u002F4.importing-existing-ca",{"id":87,"title":41,"body":88,"description":834,"extension":835,"links":836,"meta":837,"navigation":838,"path":42,"seo":839,"stem":43,"__hash__":840},"docs\u002Fdocs\u002Fconcepts\u002F2.certificate-lifecycle.md",{"type":89,"value":90,"toc":817},"minimark",[91,95,100,104,115,175,179,187,190,197,345,352,359,364,455,462,465,469,476,541,548,552,556,640,677,684,688,752,755,759,762,806,813],[92,93,41],"h1",{"id":94},"certificate-lifecycle",[96,97,99],"h2",{"id":98},"states","States",[101,102,103],"p",{},"A certificate in uPKI CA goes through the following states:",[105,106,111],"pre",{"className":107,"code":109,"language":110},[108],"language-text","[not issued] → issued → revoked → unrevoked → issued\n                  └──────────────────────────► deleted\n","text",[112,113,109],"code",{"__ignoreMap":114},"",[116,117,118,131],"table",{},[119,120,121],"thead",{},[122,123,124,128],"tr",{},[125,126,127],"th",{},"State",[125,129,130],{},"Description",[132,133,134,145,155,165],"tbody",{},[122,135,136,142],{},[137,138,139],"td",{},[112,140,141],{},"issued",[137,143,144],{},"Certificate is valid and included in the trust 
chain",[122,146,147,152],{},[137,148,149],{},[112,150,151],{},"revoked",[137,153,154],{},"Certificate is listed in the CRL with a revocation reason",[122,156,157,162],{},[137,158,159],{},[112,160,161],{},"unrevoked",[137,163,164],{},"Certificate has been re-validated after revocation",[122,166,167,172],{},[137,168,169],{},[112,170,171],{},"deleted",[137,173,174],{},"Certificate and its key have been permanently removed from storage",[96,176,178],{"id":177},"generation-methods","Generation methods",[180,181,183,186],"h3",{"id":182},"generate-full-key-generation",[112,184,185],{},"generate"," — full key generation",[101,188,189],{},"The CA generates both the private key and the certificate. The private key is stored inside the CA's data directory.",[101,191,192,196],{},[193,194,195],"strong",{},"Use when",": You control the endpoint and are comfortable with the CA holding the private key.",[105,198,202],{"className":199,"code":200,"language":201,"meta":114,"style":114},"language-json shiki shiki-themes material-theme-lighter material-theme material-theme-palenight","{\n  \"TASK\": \"generate\",\n  \"params\": {\n    \"cn\": \"server.example.internal\",\n    \"profile\": \"server\",\n    \"sans\": [\"server.example.internal\", \"192.168.1.10\"]\n  }\n}\n","json",[112,203,204,213,240,255,278,299,333,339],{"__ignoreMap":114},[205,206,209],"span",{"class":207,"line":208},"line",1,[205,210,212],{"class":211},"sMK4o","{\n",[205,214,216,219,223,226,229,232,235,237],{"class":207,"line":215},2,[205,217,218],{"class":211},"  \"",[205,220,222],{"class":221},"spNyl","TASK",[205,224,225],{"class":211},"\"",[205,227,228],{"class":211},":",[205,230,231],{"class":211}," \"",[205,233,185],{"class":234},"sfazB",[205,236,225],{"class":211},[205,238,239],{"class":211},",\n",[205,241,243,245,248,250,252],{"class":207,"line":242},3,[205,244,218],{"class":211},[205,246,247],{"class":221},"params",[205,249,225],{"class":211},[205,251,228],{"class":211},[205,253,254],{"class":211}," 
{\n",[205,256,258,261,265,267,269,271,274,276],{"class":207,"line":257},4,[205,259,260],{"class":211},"    \"",[205,262,264],{"class":263},"sBMFI","cn",[205,266,225],{"class":211},[205,268,228],{"class":211},[205,270,231],{"class":211},[205,272,273],{"class":234},"server.example.internal",[205,275,225],{"class":211},[205,277,239],{"class":211},[205,279,281,283,286,288,290,292,295,297],{"class":207,"line":280},5,[205,282,260],{"class":211},[205,284,285],{"class":263},"profile",[205,287,225],{"class":211},[205,289,228],{"class":211},[205,291,231],{"class":211},[205,293,294],{"class":234},"server",[205,296,225],{"class":211},[205,298,239],{"class":211},[205,300,302,304,307,309,311,314,316,318,320,323,325,328,330],{"class":207,"line":301},6,[205,303,260],{"class":211},[205,305,306],{"class":263},"sans",[205,308,225],{"class":211},[205,310,228],{"class":211},[205,312,313],{"class":211}," [",[205,315,225],{"class":211},[205,317,273],{"class":234},[205,319,225],{"class":211},[205,321,322],{"class":211},",",[205,324,231],{"class":211},[205,326,327],{"class":234},"192.168.1.10",[205,329,225],{"class":211},[205,331,332],{"class":211},"]\n",[205,334,336],{"class":207,"line":335},7,[205,337,338],{"class":211},"  }\n",[205,340,342],{"class":207,"line":341},8,[205,343,344],{"class":211},"}\n",[180,346,348,351],{"id":347},"sign-external-csr",[112,349,350],{},"sign"," — external CSR",[101,353,354,355,358],{},"The caller generates the private key locally and submits a PKCS#10 CSR. The CA signs it and returns the certificate. 
The private key ",[193,356,357],{},"never"," leaves the caller.",[101,360,361,363],{},[193,362,195],{},": Private key must not leave the client (mTLS, HSM scenarios).",[105,365,367],{"className":199,"code":366,"language":201,"meta":114,"style":114},"{\n  \"TASK\": \"sign\",\n  \"params\": {\n    \"csr\": \"-----BEGIN CERTIFICATE REQUEST-----\\n...\",\n    \"profile\": \"server\"\n  }\n}\n",[112,368,369,373,391,403,430,447,451],{"__ignoreMap":114},[205,370,371],{"class":207,"line":208},[205,372,212],{"class":211},[205,374,375,377,379,381,383,385,387,389],{"class":207,"line":215},[205,376,218],{"class":211},[205,378,222],{"class":221},[205,380,225],{"class":211},[205,382,228],{"class":211},[205,384,231],{"class":211},[205,386,350],{"class":234},[205,388,225],{"class":211},[205,390,239],{"class":211},[205,392,393,395,397,399,401],{"class":207,"line":242},[205,394,218],{"class":211},[205,396,247],{"class":221},[205,398,225],{"class":211},[205,400,228],{"class":211},[205,402,254],{"class":211},[205,404,405,407,410,412,414,416,419,423,426,428],{"class":207,"line":257},[205,406,260],{"class":211},[205,408,409],{"class":263},"csr",[205,411,225],{"class":211},[205,413,228],{"class":211},[205,415,231],{"class":211},[205,417,418],{"class":234},"-----BEGIN CERTIFICATE REQUEST-----",[205,420,422],{"class":421},"sTEyZ","\\n",[205,424,425],{"class":234},"...",[205,427,225],{"class":211},[205,429,239],{"class":211},[205,431,432,434,436,438,440,442,444],{"class":207,"line":280},[205,433,260],{"class":211},[205,435,285],{"class":263},[205,437,225],{"class":211},[205,439,228],{"class":211},[205,441,231],{"class":211},[205,443,294],{"class":234},[205,445,446],{"class":211},"\"\n",[205,448,449],{"class":207,"line":301},[205,450,338],{"class":211},[205,452,453],{"class":207,"line":335},[205,454,344],{"class":211},[180,456,458,461],{"id":457},"register-node-self-registration",[112,459,460],{},"register"," — node self-registration",[101,463,464],{},"Used by RA nodes during their initial 
registration. Combines key generation and certificate issuance in one step, authenticated by a shared seed. The seed is a bearer secret: anyone who obtains it can register a node and be issued a certificate, so distribute it out of band, keep it out of version-controlled configuration, and treat a leaked seed as a compromise that lets rogue RA nodes enrol until it is replaced.",[96,466,468],{"id":467},"renewal","Renewal",[101,470,471,472,475],{},"Renewing a certificate extends its validity without changing the key pair, so it is not a substitute for key rotation: if the key is suspected to be compromised, revoke the certificate and issue a new one with a fresh key rather than renewing it. The ",[112,473,474],{},"dn"," (Distinguished Name) uniquely identifies the certificate to renew.",[105,477,479],{"className":199,"code":478,"language":201,"meta":114,"style":114},"{\n  \"TASK\": \"renew\",\n  \"params\": {\n    \"dn\": \"\u002FCN=server.example.internal\"\n  }\n}\n",[112,480,481,485,504,516,533,537],{"__ignoreMap":114},[205,482,483],{"class":207,"line":208},[205,484,212],{"class":211},[205,486,487,489,491,493,495,497,500,502],{"class":207,"line":215},[205,488,218],{"class":211},[205,490,222],{"class":221},[205,492,225],{"class":211},[205,494,228],{"class":211},[205,496,231],{"class":211},[205,498,499],{"class":234},"renew",[205,501,225],{"class":211},[205,503,239],{"class":211},[205,505,506,508,510,512,514],{"class":207,"line":242},[205,507,218],{"class":211},[205,509,247],{"class":221},[205,511,225],{"class":211},[205,513,228],{"class":211},[205,515,254],{"class":211},[205,517,518,520,522,524,526,528,531],{"class":207,"line":257},[205,519,260],{"class":211},[205,521,474],{"class":263},[205,523,225],{"class":211},[205,525,228],{"class":211},[205,527,231],{"class":211},[205,529,530],{"class":234},"\u002FCN=server.example.internal",[205,532,446],{"class":211},[205,534,535],{"class":207,"line":280},[205,536,338],{"class":211},[205,538,539],{"class":207,"line":301},[205,540,344],{"class":211},[101,542,543,544,547],{},"An optional ",[112,545,546],{},"duration"," parameter (in days) overrides the profile's default validity period.",[96,549,551],{"id":550},"revocation","Revocation",[180,553,555],{"id":554},"revoke","Revoke",[105,557,559],{"className":199,"code":558,"language":201,"meta":114,"style":114},"{\n  \"TASK\": \"revoke\",\n  \"params\": {\n    \"dn\": \"\u002FCN=compromised.example.internal\",\n   
 \"reason\": \"keyCompromise\"\n  }\n}\n",[112,560,561,565,583,595,614,632,636],{"__ignoreMap":114},[205,562,563],{"class":207,"line":208},[205,564,212],{"class":211},[205,566,567,569,571,573,575,577,579,581],{"class":207,"line":215},[205,568,218],{"class":211},[205,570,222],{"class":221},[205,572,225],{"class":211},[205,574,228],{"class":211},[205,576,231],{"class":211},[205,578,554],{"class":234},[205,580,225],{"class":211},[205,582,239],{"class":211},[205,584,585,587,589,591,593],{"class":207,"line":242},[205,586,218],{"class":211},[205,588,247],{"class":221},[205,590,225],{"class":211},[205,592,228],{"class":211},[205,594,254],{"class":211},[205,596,597,599,601,603,605,607,610,612],{"class":207,"line":257},[205,598,260],{"class":211},[205,600,474],{"class":263},[205,602,225],{"class":211},[205,604,228],{"class":211},[205,606,231],{"class":211},[205,608,609],{"class":234},"\u002FCN=compromised.example.internal",[205,611,225],{"class":211},[205,613,239],{"class":211},[205,615,616,618,621,623,625,627,630],{"class":207,"line":280},[205,617,260],{"class":211},[205,619,620],{"class":263},"reason",[205,622,225],{"class":211},[205,624,228],{"class":211},[205,626,231],{"class":211},[205,628,629],{"class":234},"keyCompromise",[205,631,446],{"class":211},[205,633,634],{"class":207,"line":301},[205,635,338],{"class":211},[205,637,638],{"class":207,"line":335},[205,639,344],{"class":211},[101,641,642,643,645,646,649,650,649,652,649,655,649,658,649,661,649,664,649,667,649,670,649,673,676],{},"Valid ",[112,644,620],{}," values: ",[112,647,648],{},"unspecified",", ",[112,651,629],{},[112,653,654],{},"cACompromise",[112,656,657],{},"affiliationChanged",[112,659,660],{},"superseded",[112,662,663],{},"cessationOfOperation",[112,665,666],{},"certificateHold",[112,668,669],{},"removeFromCRL",[112,671,672],{},"privilegeWithdrawn",[112,674,675],{},"aACompromise",".",[101,678,679,680,683],{},"Revoked certificates are added to the CRL on the next ",[112,681,682],{},"generate_crl"," 
call. Until a new CRL has been generated and distributed, relying parties that consult the CRL still accept the revoked certificate, so after a keyCompromise or cACompromise revocation regenerate and publish the CRL immediately rather than waiting for the next scheduled run.",[180,685,687],{"id":686},"unrevoke","Unrevoke",[105,689,691],{"className":199,"code":690,"language":201,"meta":114,"style":114},"{\n  \"TASK\": \"unrevoke\",\n  \"params\": {\n    \"dn\": \"\u002FCN=previously-revoked.example.internal\"\n  }\n}\n",[112,692,693,697,715,727,744,748],{"__ignoreMap":114},[205,694,695],{"class":207,"line":208},[205,696,212],{"class":211},[205,698,699,701,703,705,707,709,711,713],{"class":207,"line":215},[205,700,218],{"class":211},[205,702,222],{"class":221},[205,704,225],{"class":211},[205,706,228],{"class":211},[205,708,231],{"class":211},[205,710,686],{"class":234},[205,712,225],{"class":211},[205,714,239],{"class":211},[205,716,717,719,721,723,725],{"class":207,"line":242},[205,718,218],{"class":211},[205,720,247],{"class":221},[205,722,225],{"class":211},[205,724,228],{"class":211},[205,726,254],{"class":211},[205,728,729,731,733,735,737,739,742],{"class":207,"line":257},[205,730,260],{"class":211},[205,732,474],{"class":263},[205,734,225],{"class":211},[205,736,228],{"class":211},[205,738,231],{"class":211},[205,740,741],{"class":234},"\u002FCN=previously-revoked.example.internal",[205,743,446],{"class":211},[205,745,746],{"class":207,"line":280},[205,747,338],{"class":211},[205,749,750],{"class":207,"line":301},[205,751,344],{"class":211},[101,753,754],{},"Removes the certificate from the CRL and marks it as valid again. This is only appropriate for a certificate that was suspended with reason certificateHold. A certificate revoked for keyCompromise or cACompromise must stay on the CRL until it expires (RFC 5280, section 5.3.1): unrevoking it re-trusts a key an attacker may already hold, so check the original revocation reason before issuing this task.",[96,756,758],{"id":757},"crl-management","CRL management",[101,760,761],{},"The CRL must be regenerated manually (or on a schedule) after revocations. Keep regenerating it on a schedule even when nothing has been revoked: a CRL carries a nextUpdate time, and relying parties treat a CRL past that time as stale, which depending on the client means validation failures or, worse, revocation checks being silently skipped:",[105,763,765],{"className":199,"code":764,"language":201,"meta":114,"style":114},"{\n  \"TASK\": \"generate_crl\",\n  \"params\": 
{}\n}\n",[112,766,767,771,789,802],{"__ignoreMap":114},[205,768,769],{"class":207,"line":208},[205,770,212],{"class":211},[205,772,773,775,777,779,781,783,785,787],{"class":207,"line":215},[205,774,218],{"class":211},[205,776,222],{"class":221},[205,778,225],{"class":211},[205,780,228],{"class":211},[205,782,231],{"class":211},[205,784,682],{"class":234},[205,786,225],{"class":211},[205,788,239],{"class":211},[205,790,791,793,795,797,799],{"class":207,"line":242},[205,792,218],{"class":211},[205,794,247],{"class":221},[205,796,225],{"class":211},[205,798,228],{"class":211},[205,800,801],{"class":211}," {}\n",[205,803,804],{"class":207,"line":257},[205,805,344],{"class":211},[101,807,808,809,812],{},"The CRL is returned as a base64-encoded DER blob and stored in ",[112,810,811],{},"crl.pem"," in the data directory.",[814,815,816],"style",{},"html pre.shiki code .sMK4o, html code.shiki .sMK4o{--shiki-light:#39ADB5;--shiki-default:#89DDFF;--shiki-dark:#89DDFF}html pre.shiki code .spNyl, html code.shiki .spNyl{--shiki-light:#9C3EDA;--shiki-default:#C792EA;--shiki-dark:#C792EA}html pre.shiki code .sfazB, html code.shiki .sfazB{--shiki-light:#91B859;--shiki-default:#C3E88D;--shiki-dark:#C3E88D}html pre.shiki code .sBMFI, html code.shiki .sBMFI{--shiki-light:#E2931D;--shiki-default:#FFCB6B;--shiki-dark:#FFCB6B}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: 
var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html pre.shiki code .sTEyZ, html code.shiki .sTEyZ{--shiki-light:#90A4AE;--shiki-default:#EEFFFF;--shiki-dark:#BABED8}",{"title":114,"searchDepth":215,"depth":215,"links":818},[819,820,828,829,833],{"id":98,"depth":215,"text":99},{"id":177,"depth":215,"text":178,"children":821},[822,824,826],{"id":182,"depth":242,"text":823},"generate — full key generation",{"id":347,"depth":242,"text":825},"sign — external CSR",{"id":457,"depth":242,"text":827},"register — node self-registration",{"id":467,"depth":215,"text":468},{"id":550,"depth":215,"text":551,"children":830},[831,832],{"id":554,"depth":242,"text":555},{"id":686,"depth":242,"text":687},{"id":757,"depth":215,"text":758},"How certificates are created, renewed, and revoked in uPKI CA.","md",null,{},true,{"title":41,"description":834},"JScU0edv4Sr70kUbs9t7lD512ykMl9ujJM5Y78-UQls",[842,844],{"title":37,"path":38,"stem":39,"description":843,"children":-1},"How uPKI CA is structured internally and how it communicates with the outside world.",{"title":45,"path":46,"stem":47,"description":845,"children":-1},"How uPKI CA protects the root of trust.",1775569478524]