Skip to main content

Certificates pages

A screen-by-screen tour of the certificate list (filters, CSV export, bulk renew), the four-step issue wizard, and the detail page with its action buttons, risk panel, timeline, dependency graph, and Distributions tab. For the concepts behind the screens, follow the cross-links — this page is about what you see and click.

Open it from the top menu: Certificates. The page is project-scoped.

The certificate list

Header controls

  • Search box — free-text search across certificates.
  • Status filter — Active · Pending · Expired · Revoked · Renewal Failed.
  • Issuer filter — ACME · MSCA.
  • Expires in filter — 7 / 30 / 60 / 90 days.
  • A Clear button appears when any filter or search is active, and a blue N filters active tag next to the title keeps count.
  • Export CSV — opens the CSV export endpoint in a new tab, honouring the current search term.
  • Refresh — immediate refetch.
  • Issue Certificate — opens the issue wizard. Disabled with a Certificate limit reached tooltip when your license/plan limit is hit.

Filters can also arrive pre-set via URL parameters (?status=, ?issuer_type=, ?expires_in_days=) — links from the dashboard use this.

Columns

ColumnContent
NameCertificate name. Sortable.
Primary DomainFirst domain on the certificate. Sortable.
StatusColoured status tag (active, pending, issuing, awaiting validation, renewal failed, expired, revoked, …). An orange Dist. Pending tag is appended when a renewed artifact has not been distributed yet.
IssuerACME (blue) or MSCA (purple) tag plus the issuer CN.
Key Typee.g. ECDSA-P256, RSA-2048.
DNSManual (manual DNS validation) or Auto.
Auto RenewOn / Off tag.
ExpiresDays-left tag — red at ≤ 7 days, orange at ≤ 30, hover for the exact timestamp. Sortable.
ActionsRenew (active certificates only, with confirmation) and Delete (with confirmation; blocked with an explanation if other resources depend on it).

Clicking a row opens the detail page.

Bulk renew

Each row has a checkbox. Selecting rows reveals a bulk-action bar with the selection count, a Renew Selected button, and Clear:

  1. Select the certificates and click Renew Selected.
  2. Confirm in the dialog — a bulk action job fans out one renewal per certificate.
  3. A progress bar tracks succeeded + failed / total while it runs.
  4. On completion you get a success toast, or — if some renewals failed — a Bulk Action Results modal listing each failed certificate with its error (long lists may be truncated).

Mechanics, idempotency, and limits: Bulk renew.

The issue wizard

Certificates → Issue Certificate opens a four-step wizard: Certificate Source → Domains → Options → Confirm. When a certificate policy is enabled, each step shows grey Policy hint chips (allowed issuers, SAN patterns, key types, …) and validates your input live.

Step 1 — Certificate Source

  • Certificate Name (required) — friendly name used in dashboards, logs, and distribution references. If a policy naming pattern exists and the name doesn't match, an inline warning shows the expected regex.
  • Description / Owner — optional metadata; owner defaults to you.
  • Issuer TypeACME or Microsoft CA radio. Options disallowed by policy are greyed out.

For ACME:

  • ACME Account (required) — searchable select showing name, CA provider, and environment. Accounts excluded by policy are disabled. See ACME accounts.
  • Organization — appears once an account is selected. Required for OV/EV accounts (organization details go into the certificate Subject); optional for DV, with a warning that most public CAs strip organization fields from DV certificates. For EV accounts the wizard flags missing EV fields (business category, jurisdiction, registration number) on the selected organization before you can sensibly proceed.
  • DNS Validation MethodAutomatic (DNS Provider) or Manual (create TXT records yourself). See Manual DNS challenge.

For Microsoft CA:

  • MSCA Connection (required) — active connections only (AD CS).
  • Certificate Template (required) — templates synced from the connection. Warnings appear if the connection has no synced templates or the template cache is older than 30 days.

Step 2 — Domains

  • Zone (required for automatic DNS validation) — the DNS zone used for the ACME challenge; must have a linked DNS credential (Zones). Hidden for manual DNS and MSCA.
  • For manual DNS an info box explains that the required TXT records will be shown on the certificate detail page after submitting.
  • Domains — comma-separated; the first domain is primary; *.domain.com wildcards are supported. Policy SAN rules are checked live: each denied or not-allowed domain is listed under the field, and exceeding the max SAN count is flagged.

Step 3 — Options

  • Key Type — ECDSA P-256 (recommended), ECDSA P-384, RSA 2048/3072/4096. Default comes from Settings → General (certificate defaults); policy-disallowed types are greyed out.
  • Auto Renew — on by default. Forced off (and locked) for manual-DNS certificates; forced on (and locked) when policy requires auto-renew.
  • Renewal Mode (ACME with automatic DNS only) — Custom Threshold or ARI (CA-Suggested). MSCA always uses Custom (an info box says so). With ARI the threshold below becomes a fallback.
  • Renewal Threshold (days) — 1–90, default from general settings.
  • Key Rotation PolicyReuse key or Rotate key on each renewal.

Renewal semantics: Renewal.

Step 4 — Confirm

A summary of everything you chose. Click Issue Certificate:

  • Preflight warnings — if the backend flags issues, a modal lists them and asks you to Proceed Anyway or cancel.
  • Approval required — if issuance is gated for your role, an approval request is created instead and you're redirected to My Requests.
  • Otherwise you land on the certificate detail page while the issuance job runs. Follow it live from the job detail.

Policy violations that slip past the live checks are rejected server-side with structured errors (Policy engine). The full issuance flow: Issuance.

The detail page

Action buttons

The header row shows Back plus context-dependent actions:

ButtonShown whenNotes
Downloadstatus is active or revokedDropdown of formats: Full Bundle (.pem), Certificate (.crt), Full Chain, Chain, Private Key, PFX, DER, JKS, or Download All Files (zip). PFX/JKS first ask for an optional password (and alias for JKS), then show a one-time password modal — the password is not stored. May require approval (Download).
Manual Renewstatus is active, renewal_pending, or renewal_failed, and validation is not manual DNSDisabled with an Over certificate limit tooltip when the plan limit blocks renewals.
Re-issuemanual-DNS certs in active/renewal_failed/expired; stuck pending/awaiting_validation certs with an error; MSCA certs in msca_pending_expired/renewal_failed/expiredRequests a fresh issuance (Reissue).
Revokestatus is active or expired, ACME onlyOpens a modal with an irreversibility warning; you must type REVOKE to enable the button (Revoke).

Renew, Reissue, Revoke, and Download all detour to the approval workflow when gated — you're redirected to My Requests.

Status banners

Depending on state, alert banners appear above the overview: awaiting approval (links to My Requests), rejected (with the reviewer's reason), DNS cleanup failed (leftover _acme-challenge TXT records), MSCA pending CA approval (polled automatically), MSCA pending request expired (with a Retry Issuance button), and expiry warnings — red at ≤ 7 days with a Renew Now button (or an Auto-renew enabled tag), yellow at 8–30 days.

Overview card

A bordered descriptions table: status, key type, primary domain, all domains (collapsed past 5), DNS validation (credential name + provider, or Manual DNS), issued/expires timestamps with a days-left tag, SHA-256 fingerprint and serial number (copyable), owner, description, issuer CN, and — depending on issuer type — the ACME account (provider, staging tag) or the MSCA connection, template, and CA request ID. When available it also shows OCSP status (with last-check time and revocation source), a Distribution Pending tag, next renewal time, and the last error. The pencil icon edits owner and description.

Risk Assessment

A card under the overview. A healthy certificate shows a green Healthy state with an expandable Checks Performed list; anything else shows a circular score (0–100), a level tag (LOW/MEDIUM/HIGH/CRITICAL), the weighted Risk Factors, and informational Attention Signals. Scoring model: Risk scoring.

Manual DNS challenges

For manual-DNS certificates in awaiting_validation, a DNS Challenges card lists the TXT records to create (copyable name and value, per-record expiry, plus the ACME order deadline). Use Check Propagation to query three public resolvers per record — each row shows Propagated, Partial, Mismatch, or Not found. Tick I have created the TXT records, then Validate DNS Records to enqueue validation. See Manual DNS challenge.

Renewal Policy card

Auto-renew switch (read-only), renewal mode (ARI or custom threshold), threshold days, the ARI window and last ARI check (ARI mode), key rotation policy, rotate-every-N counter, and renewal attempts used vs max.

Tabs

The bottom card has six tabs:

  • Jobs — recent jobs for this certificate (type, status, attempts, triggered by, duration, error) with a Retry button on failed/dead rows; click a row for the full job detail.
  • Certificates — artifact history (which PEM is current, created dates).
  • Keys — private-key history with type and fingerprint; relevant with the rotate key policy.
  • Distributions — see below.
  • Dependency Graph — see below.
  • Timeline — the certificate event stream: coloured tags per event type (requested, issued, renewed, distributed, failed, …) with message, timestamp, and job/host/error-code chips; Load More pages backwards. Event catalogue: Timeline events.

Distributions tab

Links this certificate to distribution modules and runs deliveries. A compact summary strip above the tabs also counts linked modules by last result (success / partial / failed / pending).

  • Link Module — pick an enabled module config (Distribution primitives), toggle Enabled (disabled links are skipped by both automatic and manual runs), and — for SSH, Kubernetes, and Vault — optionally Auto Rollback on Failure.
  • Each linked row shows the module type tag and name, a schedule badge, the last status, last-distributed time, and the last error.

Status tags: Not executed, Running, success, partial (with an ok/skipped/failed breakdown), failed — plus a fingerprint comparison tag: current (deployed artifact matches this certificate) or outdated (a newer artifact hasn't been pushed yet). While a large distribution fans out, a n/m batches progress indicator appears with a retrying tag when failed targets are being retried automatically (Fan-out).

Per-row actions:

  • Auto-distribute switch — enables/disables automatic distribution after renewals (manual Run still works when off).
  • Schedule (clock icon) — opens the schedule editor for maintenance-window distribution.
  • Run — executes distribution to all targets (confirmation dialog). The page polls faster for the next 30 seconds so results appear quickly.
  • Dry Run — no changes made; a modal shows per-target reachability, the planned actions (upload/update/exec) per target, warnings, and — for IIS — the discovered HTTPS bindings and app pools.
  • Rollback — only shown when the backend holds rollback metadata for the last run (Rollback).
  • Job — jumps to the last (or currently running) distribution job.
  • Unlink — removes the link; future distributions skip this module.

Expanding a row reveals the per-target results table (filterable All / Failed / Changed / Skipped): target name and type, status (including retry pending), post-deploy action and exit code, duration, error with a code-specific hint, post-distribution validation results (expand a target for per-endpoint detail), warnings, raw execution detail, and a link to the target's job.

Dependency Graph tab

An interactive Graph / Table view of everything this certificate depends on and delivers to: ACME account or MSCA connection, zone and DNS credential, organization, distributions, module configs, targets and target groups, module credentials, path sets and action sets — with broken references highlighted as Missing Ref nodes and per-target distribution status colouring. Concept and use-cases: Dependencies.

See also