Certificate Management

PKI Operations — Request, Revoke, Import, Export, and CRL Management

Document Version: 1.2.0
Last Updated: 2026-06-14

---

1. Certificate Lifecycle

graph LR
    A["📝 Request<br/>(CSR)"] --> B["⏳ Approval"]
    B --> C["✅ Issuance"]
    C --> D["🔒 Active"]
    D --> E["🔄 Renewal"]
    E --> C
    D --> F["❌ Revocation"]
    F --> G["📜 CRL Update"]
    D --> H["⏰ Expiration"]

    classDef request fill:#EBF5FB,stroke:#2196F3,stroke-width:2px,color:#1565C0
    classDef active fill:#E8F5E9,stroke:#4CAF50,stroke-width:2px,color:#2E7D32
    classDef warning fill:#FFF8E1,stroke:#FF9800,stroke-width:2px,color:#E65100
    classDef danger fill:#FFEBEE,stroke:#F44336,stroke-width:2px,color:#C62828

    class A,B request
    class C,D active
    class E,H warning
    class F,G danger

2. Requesting a Certificate

Via Web Interface

1. Navigate to Certificates → Request Certificate
2. Choose a Certificate Template.

Template	Key Usage	Extended Key Usage	Typical Validity
Web Server	Digital Signature, Key Encipherment	Server Authentication	1 year
Client Auth	Digital Signature	Client Authentication	1 year
Code Signing	Digital Signature	Code Signing	2 years
Email (S/MIME)	Digital Signature, Key Encipherment	Email Protection	1 year

1. Select a request source:
2. Upload CSR when your tooling already generated the private key and CSR.
3. Generate in MazeVault when MazeVault should create the private key and CSR.
4. Generate in Azure Key Vault when the key must remain inside Azure Key Vault and only the CSR is exposed for signing.
5. Fill in the request details:
6. Common Name (CN): Primary domain or identifier.
7. Template subject fields: Review the subject attributes inherited from the template.
8. Additional SANs: Add allowed DNS, IP, email, or URI SAN entries as permitted by the template.
9. Key custody: For MazeVault-generated requests, keep the key in MazeVault or store it through a configured secret manager integration. For Azure Key Vault generation, select the Azure Key Vault integration that will own the key.
10. Submit the request. Depending on approval policy, the request is either issued immediately or waits for approval.

Via API

curl -X POST https://vault.example.com/api/v1/certificates/csr \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "template_id": "550e8400-e29b-41d4-a716-446655440010",
    "project_id": "550e8400-e29b-41d4-a716-446655440001",
    "requested_cn": "api.example.com",
    "csr_source_mode": "mazevault_generated",
    "requested_san": {
      "dns_names": ["api.example.com", "api-internal.example.com"]
    },
    "requested_subject": {
      "common_name": "api.example.com",
      "organization": "Example Corp"
    },
    "requested_key_algorithm": "RSA",
    "requested_key_size": 2048,
    "key_storage_mode": "local"
  }'

For Azure Key Vault-native generation, set csr_source_mode to azure_key_vault_generated and include key_integration_id for the Azure Key Vault integration that should own the key material.

3. Certificate Approval

Depending on your organization's policy:

Policy	Behavior
Auto-approve	Certificate issued immediately after request
Admin approval	Certificate enters pending_approval state; an administrator must approve
Manager approval	Project manager can approve certificates for their project

Approving a Request

1. Navigate to Certificates → Pending Requests
2. Review the certificate details
3. Click Approve or Reject

4. Revoking a Certificate

When to Revoke

• Private key has been compromised
• Certificate holder's affiliation has changed
• Certificate has been superseded by a new one
• Service using the certificate has been decommissioned

Revocation Procedure

1. Navigate to Certificates → Active and find the certificate
2. Click Revoke
3. Select a Revocation Reason (RFC 5280):
4. keyCompromise — Private key is compromised
5. affiliationChanged — Subject's affiliation changed
6. superseded — Replaced by a new certificate
7. cessationOfOperation — Service decommissioned
8. certificateHold — Temporary hold (can be unreleased)
9. Add an optional comment
10. Click Confirm Revocation

The CRL is automatically regenerated after revocation.

Unrevoking a Certificate

Certificates revoked with reason certificateHold can be unreleased:

1. Navigate to Certificates → Revoked and find the certificate
2. Click Unrevoke
3. Confirm the action

5. Importing Certificates

Single Certificate Import

1. Navigate to Certificates → Import
2. Upload or paste:
3. Certificate (PEM format, required)
4. Private Key (PEM format, optional)
5. CA Chain (PEM format, optional)
6. Select the target project
7. Click Import

Bulk Import (PEM Bundle)

1. Navigate to Certificates → Import → Bulk Import
2. Upload a PEM bundle containing multiple certificates
3. Select the target project
4. Click Import

The system parses the bundle, identifies individual certificates, and imports them with automatic chain detection.

Renewal Preparation After Import

• If an imported certificate is linked to a managed CA account and meets rotation prerequisites, MazeVault can prepare renewal metadata automatically.
• Automatically prepared rotation configurations stay disabled until an operator explicitly enables them. This prevents silent private-key rotation immediately after import.
• The initial renewal lead time is resolved from the effective certificate, template, and CA-account policy hierarchy, so imported certificates inherit the intended renewal window instead of a hidden default.

Per-Certificate Renewal Key Policy

For renewable certificates, you can override key handling on a per-certificate basis:

• Regenerate issues a new private key during renewal.
• Reuse keeps the current key material when the provider, custody mode, and downstream deployment path support reuse.
• Leaving the value unset defers to the template or higher-level policy.

Use Reuse only when downstream systems require key continuity or re-enrollment overhead is unacceptable.

Readiness Review Before Enabling Automation

• Review the Project Rotations view before enabling certificate automation.
• Renewal and deployment resources now expose inline readiness and preflight state.
• Manual Review Required means MazeVault cannot validate a target automatically and an operator should confirm the deployment path before production rollout.

6. Exporting Certificates

Export Formats

Format	Extension	Includes Key	Use Case
PEM	.pem, .crt	Optional	Linux/Unix servers, Apache, Nginx
DER	.der, .cer	No	Java applications, Windows
PKCS#12	.p12, .pfx	Yes (password-protected)	Windows, Java KeyStore import

Export Procedure

1. Navigate to the certificate detail page
2. Click Export
3. Select format and options:
4. Include CA chain
5. Include private key (requires certificates.export_key permission)
6. Set password (for PKCS#12)
7. Download the file

Private Key Export

Exporting a certificate with its private key is a security-sensitive operation recorded in the audit log. Ensure the private key is transferred securely.

7. ACME Certificate Automation

MazeVault includes a built-in ACME server (RFC 8555) that enables automated certificate issuance directly from Kubernetes using cert-manager.

Quick Overview

1. Generate EAB credentials in MazeVault (Organization Settings → ACME Access)
2. Create a Kubernetes Secret with the HMAC key
3. Deploy a ClusterIssuer pointing to your MazeVault ACME directory
4. Annotate Ingresses or create Certificate resources — cert-manager handles the rest

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: mazevault-issuer
spec:
  acme:
    server: https://vault.example.com/api/acme/directory
    externalAccountBinding:
      keyID: "YOUR_EAB_KEY_ID"
      keySecretRef:
        name: mazevault-eab-secret
        key: secret
    privateKeySecretRef:
      name: mazevault-acme-account-key
    solvers:
      - http01:
          ingress:
            ingressClassName: nginx

Internal domains (.local, .internal, .lan, .corp) are auto-approved without HTTP-01 challenge.

Full ACME Guide

For step-by-step instructions, YAML examples, ACME profiles, and troubleshooting, see the dedicated ACME Certificate Automation Guide.

---

8. CRL Management

Certificate Revocation List (CRL)

MazeVault generates CRLs automatically when certificates are revoked. CRLs are available at:

Format	URL
DER	https://vault.example.com/api/v1/crl
PEM	https://vault.example.com/api/v1/crl/pem

CRL Distribution Point

Configure the CRL Distribution Point in your certificates to point to your MazeVault CRL URL. This is automatically included in certificates issued by MazeVault CAs.

Force CRL Regeneration

If needed, regenerate the CRL manually:

1. Navigate to Certificates → CRL
2. Click Regenerate CRL
3. Select type: Full or Delta

8. OCSP Validation

OCSP provides real-time certificate status checking as an alternative to CRL:

Feature	CRL	OCSP
Real-time	❌ (periodic generation)	✅
Bandwidth	Higher (full list)	Lower (per-certificate)
Privacy	Client downloads all	Client queries specific cert
Offline support	✅ (cached CRL)	❌ (requires connectivity)

OCSP URL

https://vault.example.com/ocsp

Testing OCSP

openssl ocsp \
  -issuer ca.pem \
  -cert server.pem \
  -url https://vault.example.com/ocsp \
  -noverify

Related

• Certificates API — API reference
• Secrets Management — Managing secrets
• TLS Configuration — TLS setup