
Certificate Lifecycle Management

Overview

MazeVault provides complete certificate lifecycle management covering issuance, deployment, monitoring, rotation, and revocation. This guide explains how MazeVault manages certificates across multi-datacenter, hybrid cloud, and on-premise environments, following the stages in the diagram below.

Certificate Lifecycle Stages

graph TD
    A["1: REQUEST & ISSUE<br/>Key Generation"] --> B["2: DEPLOY<br/>Install on Server"]
    B --> C["3: MONITORING<br/>Availability Check"]
    C --> D{"APPROACHING<br/>EXPIRY?"}
    D -->|"NO: STATUS OK"| C
    D -->|"YES"| E["4a: RENEWAL<br/>Automatic Rotation"]
    E --> B
    C --> F{"SECURITY<br/>INCIDENT?"}
    F -->|"NO"| C
    F -->|"YES"| G["4b: REVOCATION<br/>CRL Invalidation"]
    G --> H["RE-ISSUE<br/>New Keys"]
    H --> B

    classDef request fill:#EBF5FB,stroke:#2196F3,stroke-width:2px,color:#1565C0
    classDef active fill:#E8F5E9,stroke:#4CAF50,stroke-width:2px,color:#2E7D32
    classDef warning fill:#FFF8E1,stroke:#FF9800,stroke-width:2px,color:#E65100
    classDef danger fill:#FFEBEE,stroke:#F44336,stroke-width:2px,color:#C62828

    class A,H request
    class B,C active
    class D,E warning
    class F,G danger

1. Certificate Issuance

Certificates are issued through Certificate Templates that define:

  • Key Algorithm: RSA (2048, 4096), ECDSA (P-256, P-384), Ed25519
  • Validity Period: Configurable days with min/max constraints
  • Subject Template: CN, O, OU, L, ST, C with pattern enforcement
  • SAN Configuration: DNS names, IP addresses, email, URIs
  • Key Usage: Digital Signature, Key Encipherment, etc.
  • Extended Key Usage: Server Auth, Client Auth, Code Signing, etc.

Templates are managed in Project Settings → Certificate Authorities and bound to projects.
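As an added illustration of the constraints a template enforces at issuance (example code written for this page, not MazeVault's implementation), the Go validator below checks a request against a template for permitted key algorithm, validity window, subject pattern, IP SANs and key-usage grants, and reports every violation at once. `WebServerTemplate`, `Request`, the hostnames and the rejected request are constructed for the example; the pattern is deliberately applied to every DNS SAN as well as the CN, because TLS clients match hostnames against the SAN list.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"net"
	"regexp"
)

// Template mirrors the constraints a Certificate Template carries.
type Template struct {
	Algorithms  map[string]bool    // permitted key algorithms, e.g. "ECDSA-P256", "RSA-2048"
	MinDays     int                // validity window, in days
	MaxDays     int
	NamePattern *regexp.Regexp     // subject pattern, enforced on the CN and on every DNS SAN
	AllowIPSANs bool
	KeyUsage    x509.KeyUsage      // usages the template grants; a request may take a subset
	ExtKeyUsage []x509.ExtKeyUsage // extended key usages the template grants
}

// Request is what a project submits for issuance under a template.
type Request struct {
	Algorithm   string
	CN          string
	DNSNames    []string
	IPAddresses []string
	Days        int
	KeyUsage    x509.KeyUsage
	ExtKeyUsage []x509.ExtKeyUsage
}

// WebServerTemplate is a constructed example of a TLS server template for
// example.com hosts; it is not a template shipped with MazeVault.
var WebServerTemplate = Template{
	Algorithms:  map[string]bool{"ECDSA-P256": true, "ECDSA-P384": true, "RSA-2048": true, "RSA-4096": true},
	MinDays:     1,
	MaxDays:     397,
	NamePattern: regexp.MustCompile(`^([a-z0-9-]+\.)+example\.com$`),
	AllowIPSANs: false,
	KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
}

// Validate returns every violation rather than stopping at the first, so the
// requester can fix them in one round trip. An empty result means the request
// is issuable under the template.
func (t Template) Validate(r Request) []string {
	var violations []string
	reject := func(format string, args ...any) {
		violations = append(violations, fmt.Sprintf(format, args...))
	}
	if !t.Algorithms[r.Algorithm] {
		reject("key algorithm %q is not permitted", r.Algorithm)
	}
	if r.Days < t.MinDays || r.Days > t.MaxDays {
		reject("validity of %d days is outside %d..%d", r.Days, t.MinDays, t.MaxDays)
	}
	// TLS clients match the hostname against the SAN list, not the CN, so a
	// pattern enforced on the CN alone would be bypassed by adding a SAN.
	for _, name := range append([]string{r.CN}, r.DNSNames...) {
		if !t.NamePattern.MatchString(name) {
			reject("name %q does not match %s", name, t.NamePattern)
		}
	}
	for _, ip := range r.IPAddresses {
		switch {
		case !t.AllowIPSANs:
			reject("IP SAN %s is not permitted by this template", ip)
		case net.ParseIP(ip) == nil:
			reject("IP SAN %q is not a valid address", ip)
		}
	}
	// Bits set in the request but not in the template: a request must not escalate.
	if extra := r.KeyUsage &^ t.KeyUsage; extra != 0 {
		reject("key usage bits %#x exceed the template grant", extra)
	}
	for _, eku := range r.ExtKeyUsage {
		if !containsEKU(t.ExtKeyUsage, eku) {
			reject("extended key usage %d is not granted by this template", eku)
		}
	}
	return violations
}

func containsEKU(granted []x509.ExtKeyUsage, eku x509.ExtKeyUsage) bool {
	for _, g := range granted {
		if g == eku {
			return true
		}
	}
	return false
}

func main() {
	// Constructed request that breaks several constraints at once.
	req := Request{
		Algorithm:   "RSA-1024",
		CN:          "app.example.com",
		DNSNames:    []string{"app.example.com", "login.example.net"},
		Days:        825,
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageCodeSigning},
	}
	for _, v := range WebServerTemplate.Validate(req) {
		fmt.Println("rejected:", v)
	}
}
```

The key-usage check is the one most often missed: a template bound to a project for server certificates must refuse a request that asks for certSign or Code Signing, otherwise the template's binding to the project is only advisory.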

2. Certificate Deployment

After issuance or renewal, certificates are deployed to targets via the Rotation & Deployment tab:

| Target Type       | Description                                           | Use Case                           |
|-------------------|-------------------------------------------------------|------------------------------------|
| Secret Manager    | Azure Key Vault, AWS Secrets Manager, HashiCorp Vault | Cloud-native applications          |
| Kubernetes Secret | TLS or Opaque secrets in K8s clusters                 | Containerized workloads            |
| Agent Keystore    | JKS, PKCS12, Windows Certificate Store                | Java applications, WebLogic, IIS   |
| Agent File        | PEM files on filesystem                               | Nginx, Apache, custom applications |
| Database Wallet   | Oracle OCI wallet                                     | Oracle Database TCPS connections   |

3. Certificate Monitoring

MazeVault continuously monitors certificate expiry:

  • Dashboard: Certificate expiry overview with 30/60/90 day warnings
  • Notifications: Email, Slack, Teams, Jira alerts for expiring certificates
  • Compliance Reports: SOC 2, PCI DSS, GDPR, ISO 27001 compliance status

4. Certificate Rotation

Automatic rotation is configured per certificate:

  • Renewal Lead Days: How many days before expiry to trigger renewal
  • Schedule: Cron expression for rotation check frequency
  • Retry Policy: Max attempts and delay between retries
  • Post-Deployment Actions: Service restarts, webhook calls, Spring Actuator refresh

Choose Renewal Lead Days so that the lead window is comfortably longer than one schedule interval plus the worst-case retry time (max attempts × delay); otherwise a renewal that keeps failing can still be retrying when the certificate expires.
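An added example, not MazeVault code, of how the monitoring bands and the rotation settings above fit together: days to expiry, the 30/60/90-day bands, the Renewal Lead Days decision, the retry policy with a post-deployment hook, and a check that the lead window covers the schedule interval plus the retries. The certificate stubs, `RetryPolicy`, the simulated renewal function and the `nginx -s reload` hook are constructed assumptions; only `NotAfter` is read from the certificate.

```go
package main

import (
	"crypto/x509"
	"errors"
	"fmt"
	"math"
	"time"
)

// warningBands are the dashboard's expiry warning thresholds, in days.
var warningBands = []int{30, 60, 90}

// DaysUntilExpiry returns whole days from now until NotAfter, rounded down;
// a negative result means the certificate has already expired.
func DaysUntilExpiry(cert *x509.Certificate, now time.Time) int {
	return int(math.Floor(cert.NotAfter.Sub(now).Hours() / 24))
}

// ExpiryStatus maps a certificate onto the dashboard bands:
// "expired", "30d", "60d", "90d" or "ok".
func ExpiryStatus(cert *x509.Certificate, now time.Time) string {
	days := DaysUntilExpiry(cert, now)
	if days < 0 {
		return "expired"
	}
	for _, band := range warningBands {
		if days <= band {
			return fmt.Sprintf("%dd", band)
		}
	}
	return "ok"
}

// ShouldRenew applies Renewal Lead Days: renew once the certificate is within
// leadDays of expiry (an already expired certificate is renewed immediately).
func ShouldRenew(cert *x509.Certificate, now time.Time, leadDays int) bool {
	return DaysUntilExpiry(cert, now) <= leadDays
}

// RetryPolicy mirrors the rotation settings: maximum attempts and the delay between them.
type RetryPolicy struct {
	MaxAttempts int
	Delay       time.Duration
}

// LeadCoversRetries checks the configuration caveat: the lead window must be longer
// than one schedule interval plus the worst-case retry time, or a failing renewal
// can still be retrying when the certificate expires.
func LeadCoversRetries(leadDays int, checkInterval time.Duration, policy RetryPolicy) bool {
	lead := time.Duration(leadDays) * 24 * time.Hour
	return lead > checkInterval+time.Duration(policy.MaxAttempts)*policy.Delay
}

// RenewWithRetry calls renew until it succeeds or the policy is exhausted, then
// runs the post-deployment actions (service reload, webhook, ...) in order.
// sleep is injected so callers and tests can avoid real waits.
func RenewWithRetry(renew func() error, policy RetryPolicy, sleep func(time.Duration), postActions ...func() error) (attempts int, err error) {
	if policy.MaxAttempts < 1 {
		policy.MaxAttempts = 1
	}
	for attempts = 1; attempts <= policy.MaxAttempts; attempts++ {
		if err = renew(); err == nil {
			break
		}
		if attempts < policy.MaxAttempts {
			sleep(policy.Delay)
		}
	}
	if err != nil {
		return policy.MaxAttempts, fmt.Errorf("renewal failed after %d attempts: %w", policy.MaxAttempts, err)
	}
	for _, action := range postActions {
		if err := action(); err != nil {
			return attempts, fmt.Errorf("post-deployment action failed: %w", err)
		}
	}
	return attempts, nil
}

func main() {
	now := time.Now()
	// Constructed certificate stub: only NotAfter matters for these checks.
	cert := &x509.Certificate{NotAfter: now.AddDate(0, 0, 45)}
	fmt.Printf("status=%s renew(lead=30)=%v renew(lead=60)=%v\n",
		ExpiryStatus(cert, now), ShouldRenew(cert, now, 30), ShouldRenew(cert, now, 60))

	policy := RetryPolicy{MaxAttempts: 5, Delay: 30 * time.Second}
	fmt.Println("lead covers retries:", LeadCoversRetries(30, 24*time.Hour, policy))

	calls := 0
	renew := func() error { // simulated CA that is unreachable for the first two attempts
		calls++
		if calls < 3 {
			return errors.New("CA unreachable")
		}
		return nil
	}
	reload := func() error { fmt.Println("post-deploy: nginx -s reload"); return nil }
	attempts, err := RenewWithRetry(renew, policy, func(time.Duration) {}, reload)
	fmt.Println("attempts:", attempts, "err:", err)
}
```

Post-deployment actions run only after a successful renewal, so a service is never reloaded onto a half-rotated key pair; a failed action is reported separately from a failed renewal because the two need different operator responses.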

5. Certificate Revocation

When a certificate or its private key is compromised:

  1. Revoke via the certificate detail view
  2. CRL is automatically regenerated
  3. OCSP responder is updated
  4. Linked systems are notified

Revocation only invalidates the certificate at the CA. The compromised key pair still has to be replaced by re-issuing with freshly generated keys and redeploying to every target, and relying parties keep accepting the old certificate until their cached CRL or OCSP response expires, so treat the old deployment as live until that window has passed.
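An added example (not MazeVault's implementation) of steps 2 and 4 together with the re-issue using Go's standard library: a small CA issues a leaf for a fresh key pair, regenerates a CRL that lists the revoked serial, and a relying party verifies the CRL's signature and freshness before trusting the revocation. `NewCA`, `Issue`, `Revoke`, `IsRevoked` and the hostnames are constructed for this example; the CRL is returned in memory where MazeVault would publish it to its distribution point.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA is a minimal issuer: a P-256 key, its certificate and a serial counter.
type CA struct {
	Key    *ecdsa.PrivateKey
	Cert   *x509.Certificate
	serial int64
}

// keyAndCert generates a fresh P-256 key pair and issues tpl for it; a nil signer means self-signed.
func keyAndCert(tpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if signer == nil {
		parent, signer = tpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewCA creates a self-signed CA entitled to sign both certificates and CRLs.
func NewCA(name string) (*CA, error) {
	cert, key, err := keyAndCert(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
	return &CA{Key: key, Cert: cert, serial: 1}, err
}

// Issue signs a TLS server certificate for a new key pair; re-issue never reuses the compromised keys.
func (ca *CA) Issue(dnsName string, days int) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	ca.serial++
	return keyAndCert(&x509.Certificate{
		SerialNumber: big.NewInt(ca.serial),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(0, 0, days),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca.Cert, ca.Key)
}

// Revoke regenerates the CRL (step 2) listing every revoked certificate; each CRL Number must exceed its predecessor's.
func (ca *CA) Revoke(crlNumber int64, revoked ...*x509.Certificate) (*x509.RevocationList, error) {
	var entries []pkix.RevokedCertificate // Go 1.21+ also offers RevokedCertificateEntries
	for _, c := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: time.Now()})
	}
	der, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number:              big.NewInt(crlNumber),
		ThisUpdate:          time.Now(),
		NextUpdate:          time.Now().Add(24 * time.Hour),
		RevokedCertificates: entries,
	}, ca.Cert, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// IsRevoked is the relying-party check: trust the CRL only after the issuer's signature
// verifies and before NextUpdate, then look the serial up (Certificate.Verify never consults CRLs).
func IsRevoked(cert *x509.Certificate, crl *x509.RevocationList, issuer *x509.Certificate, now time.Time) (bool, error) {
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, fmt.Errorf("CRL signature: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return false, fmt.Errorf("CRL stale since %s", crl.NextUpdate.Format(time.RFC3339))
	}
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}
```

Exercise it as `NewCA` → `Issue` → `Revoke` → `IsRevoked` from a test or a small `main`; it needs Go 1.19 or later for `ParseRevocationList` and `CheckSignatureFrom`. A stale CRL is deliberately an error rather than "not revoked": a relying party that falls back to accepting the certificate when the CRL is unreachable or expired is exactly the "linked system" that keeps trusting a compromised key.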

Compliance Mapping

| Requirement      | Framework                    | MazeVault Feature                                |
|------------------|------------------------------|--------------------------------------------------|
| Key Generation   | PCI DSS 3.6.1                | Certificate Templates with algorithm constraints |
| Key Distribution | PCI DSS 3.6.3                | Agent-based deployment with mTLS                 |
| Key Rotation     | PCI DSS 3.6.4, SOC 2 CC6.8   | Automated rotation with configurable schedule    |
| Key Destruction  | SOC 2 CC6.5                  | Archive with permanent delete                    |
| Key Compromise   | PCI DSS 3.6.8, SOC 2 CC7.4   | Revocation + CRL/OCSP                            |
| Audit Trail      | SOC 2 CC7.3, GDPR Art. 30    | Full audit logging                               |
| Monitoring       | SOC 2 CC7.1                  | Expiry monitoring with alerts                    |

Generating Compliance Reports

Navigate to System Outputs → Compliance Reports to generate structured compliance reports:

  1. Select the compliance framework (PCI DSS, SOC 2, GDPR, ISO 27001)
  2. Click Generate Report
  3. Review per-control compliance status, evidence, and recommendations
  4. Export as PDF for auditors

Best Practice

Generate compliance reports monthly and before any audit. The report includes certificate inventory, rotation success rates, and password policy compliance.