Pre-Certificate Maintenance Service
ENTERPRISE
The Pre-Certificate Maintenance Service is useful when Certificate Transparency (CT) is being used. It detects pre-certificates that were issued but for which the final certificate was never issued. In such cases it revokes the pre-certificate if the corresponding checkbox is enabled in the service configuration; otherwise the pre-certificate is transferred to, and persisted in, the CertificateData table. This can happen, for example, if there is a power outage after the pre-certificate has been generated but before the final certificate has been written to the database.
Without the Pre-Certificate Maintenance Service, the serial numbers of the affected pre-certificates are unknown to EJBCA, even though the pre-certificates themselves may already be publicly visible in CT logs. As such, with the default settings, OCSP returns Unauthorized for them.
The Pre-Certificate Maintenance Service is only needed when using CT in certificates. It is not needed when CT is only used in OCSP responses or TLS extensions.
The following lists configurable fields:
Field | Description |
---|---|
Consider issuance failed after | Pre-certificates without a final certificate are considered to have failed issuance, and are handled by the service (revoked or persisted, depending on the setting below), once they are older than this amount of time. Do not set the value lower than the maximum time it could possibly take to issue a certificate (excluding publishing); otherwise a pre-certificate whose issuance is still in progress could be treated as failed. |
Revoke pre-certificates | Normally not checked. If checked, the service falls back to the old behaviour of revoking and deleting the pre-certificates found in the IncompleteIssuanceJournalData table. The option is enabled for services created before EJBCA 8.3. |
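The following is an added example, written for this page and not code from EJBCA, that models the decision the service makes on each run: which journal entries count as failed issuances given the "Consider issuance failed after" threshold, and whether they are revoked or persisted depending on the "Revoke pre-certificates" setting. The journal structure, field names and sample entries are assumptions constructed for the example; EJBCA's own schema is not shown on this page. The too-short threshold case illustrates why the threshold must not be lower than the maximum issuance time.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class JournalEntry:
    """One incomplete-issuance journal row: a pre-certificate that was generated
    but whose final certificate has not been confirmed. Field names are an
    assumption for this example, not EJBCA's actual schema."""
    serial: int
    issued_at: datetime


def find_failed_issuances(journal, final_serials, now, consider_failed_after):
    """Serials of pre-certificates with no final certificate that are older than
    the 'Consider issuance failed after' threshold. Younger entries are left
    alone because their issuance may still be in progress."""
    cutoff = now - consider_failed_after
    return sorted(
        e.serial
        for e in journal
        if e.serial not in final_serials and e.issued_at <= cutoff
    )


def run_maintenance(journal, final_serials, now, consider_failed_after,
                    revoke_precertificates):
    """Model of one service run. Failed issuances are either revoked (the
    'Revoke pre-certificates' behaviour) or persisted so that the serial becomes
    known to the CA and its OCSP responder. Returns the outcome per serial."""
    failed = set(find_failed_issuances(journal, final_serials, now,
                                       consider_failed_after))
    actions = {"revoked": [], "persisted": [], "pending": []}
    for e in sorted(journal, key=lambda entry: entry.serial):
        if e.serial in final_serials:
            continue  # final certificate exists; nothing to repair
        if e.serial in failed:
            key = "revoked" if revoke_precertificates else "persisted"
            actions[key].append(e.serial)
        else:
            actions["pending"].append(e.serial)  # still inside the window
    return actions


# Constructed sample data (not real EJBCA records).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
THRESHOLD = timedelta(hours=1)           # safe: longer than any issuance
TOO_SHORT_THRESHOLD = timedelta(minutes=10)  # unsafe: shorter than an in-flight issuance
SAMPLE_JOURNAL = (
    JournalEntry(0x1001, NOW - timedelta(hours=3)),     # final cert never written: failed
    JournalEntry(0x1002, NOW - timedelta(minutes=15)),  # issuance still in progress
    JournalEntry(0x1003, NOW - timedelta(hours=2)),     # completed normally
)
SAMPLE_FINAL_SERIALS = frozenset({0x1003})


if __name__ == "__main__":
    print("default  :", run_maintenance(SAMPLE_JOURNAL, SAMPLE_FINAL_SERIALS,
                                        NOW, THRESHOLD, False))
    print("revoke   :", run_maintenance(SAMPLE_JOURNAL, SAMPLE_FINAL_SERIALS,
                                        NOW, THRESHOLD, True))
    # With a threshold shorter than the in-flight issuance, 0x1002 is wrongly
    # treated as failed even though its final certificate may still appear.
    print("too short:", find_failed_issuances(SAMPLE_JOURNAL, SAMPLE_FINAL_SERIALS,
                                              NOW, TOO_SHORT_THRESHOLD))
```

With the safe threshold only 0x1001 is acted on and 0x1002 stays pending; with the too-short threshold 0x1002 is also flagged, which is exactly the misconfiguration the table warns against.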