Certificate Management

PKI Operations — Request, Revoke, Import, Export, and CRL Management

Document Version: 1.0.0
Last Updated: 2026-02-10

---

1. Certificate Lifecycle

graph LR
    A["📝 Request<br/>(CSR)"] --> B["⏳ Approval"]
    B --> C["✅ Issuance"]
    C --> D["🔒 Active"]
    D --> E["🔄 Renewal"]
    E --> C
    D --> F["❌ Revocation"]
    F --> G["📜 CRL Update"]
    D --> H["⏰ Expiration"]

    classDef request fill:#EBF5FB,stroke:#2196F3,stroke-width:2px,color:#1565C0
    classDef active fill:#E8F5E9,stroke:#4CAF50,stroke-width:2px,color:#2E7D32
    classDef warning fill:#FFF8E1,stroke:#FF9800,stroke-width:2px,color:#E65100
    classDef danger fill:#FFEBEE,stroke:#F44336,stroke-width:2px,color:#C62828

    class A,B request
    class C,D active
    class E,H warning
    class F,G danger

2. Requesting a Certificate

Via Web Interface

1. Navigate to Certificates → Request Certificate
2. Choose a Certificate Template or configure manually:

Template	Key Usage	Extended Key Usage	Typical Validity
Web Server	Digital Signature, Key Encipherment	Server Authentication	1 year
Client Auth	Digital Signature	Client Authentication	1 year
Code Signing	Digital Signature	Code Signing	2 years
Email (S/MIME)	Digital Signature, Key Encipherment	Email Protection	1 year

1. Fill in the subject information:
2. Common Name (CN): Primary domain or identifier
3. Subject Alternative Names: Additional domains and IPs
4. Organization, Country, etc.: As required by your policy
5. Select the Issuing CA
6. Click Submit Request

Via API

curl -X POST https://vault.example.com/api/v1/certificates/csr \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{
    "common_name": "api.example.com",
    "san_dns": ["api.example.com", "api-internal.example.com"],
    "key_type": "RSA",
    "key_size": 2048,
    "ca_id": "ca_root001",
    "project_id": "proj_abc123",
    "template": "web_server"
  }'

3. Certificate Approval

Depending on your organization's policy:

Policy	Behavior
Auto-approve	Certificate issued immediately after request
Admin approval	Certificate enters pending_approval state; an administrator must approve
Manager approval	Project manager can approve certificates for their project

Approving a Request

1. Navigate to Certificates → Pending Requests
2. Review the certificate details
3. Click Approve or Reject

4. Revoking a Certificate

When to Revoke

• Private key has been compromised
• Certificate holder's affiliation has changed
• Certificate has been superseded by a new one
• Service using the certificate has been decommissioned

Revocation Procedure

1. Navigate to Certificates → Active and find the certificate
2. Click Revoke
3. Select a Revocation Reason (RFC 5280):
4. keyCompromise — Private key is compromised
5. affiliationChanged — Subject's affiliation changed
6. superseded — Replaced by a new certificate
7. cessationOfOperation — Service decommissioned
8. certificateHold — Temporary hold (can be unreleased)
9. Add an optional comment
10. Click Confirm Revocation

The CRL is automatically regenerated after revocation.

Unrevoking a Certificate

Certificates revoked with reason certificateHold can be unreleased:

1. Navigate to Certificates → Revoked and find the certificate
2. Click Unrevoke
3. Confirm the action

5. Importing Certificates

Single Certificate Import

1. Navigate to Certificates → Import
2. Upload or paste:
3. Certificate (PEM format, required)
4. Private Key (PEM format, optional)
5. CA Chain (PEM format, optional)
6. Select the target project
7. Click Import

Bulk Import (PEM Bundle)

1. Navigate to Certificates → Import → Bulk Import
2. Upload a PEM bundle containing multiple certificates
3. Select the target project
4. Click Import

The system parses the bundle, identifies individual certificates, and imports them with automatic chain detection.

6. Exporting Certificates

Export Formats

Format	Extension	Includes Key	Use Case
PEM	.pem, .crt	Optional	Linux/Unix servers, Apache, Nginx
DER	.der, .cer	No	Java applications, Windows
PKCS#12	.p12, .pfx	Yes (password-protected)	Windows, Java KeyStore import

Export Procedure

1. Navigate to the certificate detail page
2. Click Export
3. Select format and options:
4. Include CA chain
5. Include private key (requires certificates.export_key permission)
6. Set password (for PKCS#12)
7. Download the file

Private Key Export

Exporting a certificate with its private key is a security-sensitive operation recorded in the audit log. Ensure the private key is transferred securely.

7. ACME Certificate Automation

MazeVault includes a built-in ACME server (RFC 8555) that enables automated certificate issuance directly from Kubernetes using cert-manager.

Quick Overview

1. Generate EAB credentials in MazeVault (Organization Settings → ACME Access)
2. Create a Kubernetes Secret with the HMAC key
3. Deploy a ClusterIssuer pointing to your MazeVault ACME directory
4. Annotate Ingresses or create Certificate resources — cert-manager handles the rest

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: mazevault-issuer
spec:
  acme:
    server: https://vault.example.com/api/acme/directory
    externalAccountBinding:
      keyID: "YOUR_EAB_KEY_ID"
      keySecretRef:
        name: mazevault-eab-secret
        key: secret
    privateKeySecretRef:
      name: mazevault-acme-account-key
    solvers:
      - http01:
          ingress:
            ingressClassName: nginx

Internal domains (.local, .internal, .lan, .corp) are auto-approved without HTTP-01 challenge.

Full ACME Guide

For step-by-step instructions, YAML examples, ACME profiles, and troubleshooting, see the dedicated ACME Certificate Automation Guide.

---

8. CRL Management

Certificate Revocation List (CRL)

MazeVault generates CRLs automatically when certificates are revoked. CRLs are available at:

Format	URL
DER	https://vault.example.com/api/v1/crl
PEM	https://vault.example.com/api/v1/crl/pem

CRL Distribution Point

Configure the CRL Distribution Point in your certificates to point to your MazeVault CRL URL. This is automatically included in certificates issued by MazeVault CAs.

Force CRL Regeneration

If needed, regenerate the CRL manually:

1. Navigate to Certificates → CRL
2. Click Regenerate CRL
3. Select type: Full or Delta

8. OCSP Validation

OCSP provides real-time certificate status checking as an alternative to CRL:

Feature	CRL	OCSP
Real-time	❌ (periodic generation)	✅
Bandwidth	Higher (full list)	Lower (per-certificate)
Privacy	Client downloads all	Client queries specific cert
Offline support	✅ (cached CRL)	❌ (requires connectivity)

OCSP URL

https://vault.example.com/ocsp

Testing OCSP

openssl ocsp \
  -issuer ca.pem \
  -cert server.pem \
  -url https://vault.example.com/ocsp \
  -noverify

Related

• Certificates API — API reference
• Secrets Management — Managing secrets
• TLS Configuration — TLS setup