Certificate Lifecycle
Revocation
If a certificate is compromised or no longer needed, revoke it. Revoked certificates are added to the Certificate Revocation List (CRL) published by the CA. If the CA is passphrase-protected, you'll need to provide the passphrase to revoke certificates.
Note: If the CA itself has been revoked, you can still revoke its certificates for record-keeping purposes. However, the CRL will not be regenerated since the CA's CRL endpoint returns 410 Gone — clients should not trust anything from a revoked CA.
Renewal
Renew a certificate before it expires to maintain uninterrupted service. Renewal creates a new certificate with the same parameters and links it to the original for tracking. For passphrase-protected CAs, the passphrase is required for renewal.
CRL (Certificate Revocation List)
Each CA publishes a CRL that lists all revoked certificates. The CRL is cached and automatically updated when certificates are revoked. Configure your services to check the CRL to reject revoked certificates. The CRL endpoint is publicly available at:
GET https://crl.certman.app/{ca_id}.crl
CRLs work automatically for all CAs, including passphrase-protected ones. The CRL is generated when the CA is created and updated on each revocation.
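One way a client can consume the CRL endpoint described above, failing closed on 410 Gone, on an unavailable or unparseable list, and on a listed serial. This is an added example, not code from the original page or the product it describes; the function names and verdict strings are assumptions. It only reads serial numbers: verifying the CRL's signature and freshness (nextUpdate) is out of scope here and belongs to a full X.509 library.

```python
import urllib.request
CRL_URL = "https://crl.certman.app/{ca_id}.crl"  # endpoint format given on the page

def _items(buf):
    """Split DER bytes into a list of (tag, value) elements."""
    pos, out = 0, []
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits count the length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > len(buf):
            raise ValueError("truncated DER")
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def revoked_serials(crl_der):
    """Serial numbers listed in a DER CRL (RFC 5280). Does NOT verify the signature."""
    outer = _items(crl_der)
    if len(outer) != 1 or outer[0][0] != 0x30:
        raise ValueError("not a DER CRL")
    tbs = _items(_items(outer[0][1])[0][1])  # CertificateList -> TBSCertList fields
    i = 3 if tbs[0][0] == 0x02 else 2  # skip optional version, signature, issuer
    while i < len(tbs) and tbs[i][0] in (0x17, 0x18):
        i += 1  # skip thisUpdate and optional nextUpdate
    if i >= len(tbs) or tbs[i][0] != 0x30:
        return set()  # revokedCertificates absent: the list is empty
    return {int.from_bytes(_items(e)[0][1], "big") for _, e in _items(tbs[i][1])}

def decide(status, body, serial):
    """Fail-closed verdict for one serial, given the CRL endpoint's HTTP response."""
    if status == 410:
        return "reject: CA revoked"  # 410 Gone: trust nothing from this CA
    if status != 200:
        return "reject: no usable CRL"
    try:
        revoked = revoked_serials(body)
    except (ValueError, IndexError):
        return "reject: no usable CRL"
    return "reject: certificate revoked" if serial in revoked else "accept"

def check(ca_id, serial):
    """Fetch the CA's CRL and decide; HTTP and network errors fail closed too."""
    try:
        with urllib.request.urlopen(CRL_URL.format(ca_id=ca_id), timeout=10) as r:
            return decide(r.status, r.read(), serial)
    except OSError as e:  # HTTPError (e.g. 410) carries .code; other failures do not
        return decide(getattr(e, "code", 0), b"", serial)
```

Call `check(ca_id, serial)` with the certificate's serial number as an integer; any result other than `"accept"` means the certificate must not be trusted.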
Expiration Tracking
The dashboard shows certificate status and highlights certificates nearing expiration, so you can renew them proactively.