Skip to main content
Skip table of contents

Pre-Certificate Maintenance Service

ENTERPRISE

The Pre-Certificate Maintenance Service is useful when Certificate Transparency (CT) is being used. It detects when a pre-certificate has been issued, but the final certificate did not get issued. In such cases, it revokes the pre-certificate, if the associated checkbox is enabled in the configuration of the service, otherwise the pre certificate will be transferred and persisted in the CertificateData table. This can happen, for example, if there is a power outage after the pre-certificate has been generated, but before the final certificate has been written to the database.

Without the Pre-Certificate Maintenance Service, the serial numbers of the affected pre-certificates will be considered non-existent by EJBCA. As such, they will, with the default settings, return Unauthorized from OCSP.

The Pre-Certificate Maintenance Service is only needed when using CT in certificates. It is not needed when CT is only used in OCSP responses or TLS extensions.

The following lists configurable fields:

FieldDescription
Consider issuance failed after

Pre-certificates without a final certificate will be considered to have failed issuance, and be revoked, after this amount of time.

(warning) Do not set the value lower than the maximum time it could possibly take to issue a certificate (excluding publishing).

Revoke pre-certificatesNormally it is not checked, but if checked the behaviour of the service will fall back to old way of reovking and deleting the pre certificates which exist in IncompleteIssuanceJournalData table. The option will be enabled for the services created before EJBCA 8.3.
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.