Relationship between certificate requests and certificates
PKI Services maintains two databases:
- The request database (RDB), also called the object store
- The issued certificate list (ICL)
Note the following about how the two databases relate:
- After a request is approved, there is no way to un-approve it. If you mistakenly approve a request that you meant to reject, delete the RDB entry immediately so that the user cannot retrieve the certificate. Then search the issued certificates to see whether the certificate has already been issued; if it has, revoke it in case the user has already picked it up.
- Revoking a certificate (an ICL action) has no effect on its matching RDB entry. If you revoke a certificate, you should also delete its matching RDB entry if it exists. This prevents the user from retrieving the certificate, if the user has not already done so.
- You can delete RDB entries at any time after they have been completed to save space in the database.
- Under normal circumstances, ICL entries should not be deleted. If you delete an ICL entry, you are no longer able to revoke or renew the certificate.
- You can delete entries in any state in either database to clean up error conditions.