Relationship between certificate requests and certificates

PKI Services maintains two databases:
  • The request database (RDB), also called the object store
  • The issued certificate list (ICL)
RDB records are temporary in nature. They exist only to track active requests. PKI Services automatically removes these records when they are complete or go inactive. ICL records are permanent. Requests for certificates (both new and renewal) are stored in the RDB. Once approved, a matching certificate is created from the request and stored in the ICL. (Note, the creation of the certificate might not be instantaneous.) At this point, the two database records, though related, exist independently of each other.
  • After a request is approved, there is no way for you to un-approve a request. If you mistakenly approve a request that you meant to reject, you should immediately delete the RDB entry. This prevents the user from retrieving the certificate. You should then search the issued certificates to see if the certificate has been issued. If it has, you should revoke it in case the user has already picked it up.
  • Revoking a certificate (an ICL action) has no effect on its matching RDB entry. If you revoke a certificate, you should also delete its matching RDB entry if it exists. This prevents the user from retrieving the certificate, if the user has not already done so.
  • You can delete RDB entries any time after they have been completed to save space in the database if you want.
  • Under normal circumstances, ICL entries should not be deleted. If you delete an ICL entry, you are no longer able to revoke or renew the certificate.
  • You can delete entries in any state in either database to clean up error conditions.
Parent topic: Processing certificates