PKI Services maintains two databases:
- The request database (RDB), also called the object store
- The issued certificate list (ICL)
RDB records are temporary in nature. They exist only to
track active requests.
PKI Services automatically removes these records
when they are complete or go inactive. ICL records are permanent.
Requests for certificates (both new and renewal) are stored in the
RDB. Once a request is approved, a matching certificate is created from it
and stored in the ICL. (Note that the certificate is not necessarily
created immediately.) From that point on, the two database records, though
related, exist independently of each other.
- After a request is approved, there is no way to un-approve it. If you mistakenly approve
a request that you meant to reject, you should immediately delete
the RDB entry. This prevents the user from retrieving the certificate.
You should then search the issued certificates to see if the certificate
has been issued. If it has, you should revoke it in case the user
has already picked it up.
- Revoking a certificate (an ICL action) has no effect on its matching
RDB entry. If you revoke a certificate, you should also delete its
matching RDB entry if it exists. This prevents the user from retrieving
the certificate, if the user has not already done so.
- You can delete RDB entries any time after they have been completed
to save space in the database if desired.
- Under normal circumstances, ICL entries should not be deleted.
If you delete an ICL entry, you will no longer be able to revoke or
renew the certificate.
- You can delete entries in any state in either database to clean
up error conditions.
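The independence of the two records, and the clean-up steps the list above prescribes, can be modelled as a small state simulation. This is an added example written for this page, not PKI Services code; the store names, the `Stores` class and the assumption that retrieval goes through an approved RDB entry are constructed for illustration.

```python
"""Constructed model of the RDB/ICL split; not PKI Services' own code or API."""
from dataclasses import dataclass, field


@dataclass
class Stores:
    rdb: dict = field(default_factory=dict)   # request id -> request state
    icl: dict = field(default_factory=dict)   # request id -> certificate state

    def submit(self, req_id: str) -> None:
        self.rdb[req_id] = "pending"

    def approve(self, req_id: str) -> None:
        # Approval is irreversible: the only way out of this state is deletion.
        self.rdb[req_id] = "approved"

    def issue(self, req_id: str) -> None:
        # Certificate creation may lag approval and produces a separate ICL record.
        # Assumption: issuance needs a live, approved RDB entry.
        if self.rdb.get(req_id) == "approved":
            self.icl[req_id] = "valid"

    def revoke(self, req_id: str) -> None:
        # ICL-only action: the matching RDB entry is deliberately left untouched.
        if req_id in self.icl:
            self.icl[req_id] = "revoked"

    def delete_request(self, req_id: str) -> None:
        self.rdb.pop(req_id, None)

    def user_can_retrieve(self, req_id: str) -> bool:
        # Assumption: the user picks the certificate up via the RDB entry, so a
        # revoked certificate is still retrievable while that entry exists.
        return self.rdb.get(req_id) == "approved" and req_id in self.icl


def remediate_mistaken_approval(stores: Stores, req_id: str) -> bool:
    """Apply the page's steps: delete the RDB entry first, then revoke if issued.

    Returns True when a certificate had already been issued and was revoked.
    """
    stores.delete_request(req_id)          # blocks retrieval immediately
    issued = req_id in stores.icl          # "search the issued certificates"
    if issued:
        stores.revoke(req_id)              # in case the user already picked it up
    return issued
```

Running the model with a revoke-only clean-up shows the gap the list warns about: the certificate remains retrievable until the RDB entry is deleted.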