Pre-Certificate Revocation Service

ENTERPRISE This is an EJBCA Enterprise feature.

The Pre-Certificate Revocation Service is useful when Certificate Transparency (CT) is being used. It detects when a pre-certificate has been issued, but the final certificate did not get issued. In such cases, it revokes the pre-certificate. This can happen, for example, if there is a power outage after the pre-certificate has been generated, but before the final certificate has been written to the database.

Without the Pre-Certificate Revocation Service, the serial numbers of the affected pre-certificates will be considered non-existent by EJBCA. As such, they will, with the default settings, return Unauthorized from OCSP.

The Pre-Certificate Revocation Service is only needed when using CT in certificates. It is not needed when CT is only used in OCSP responses or TLS extensions.

images/download/attachments/128977268/pre_cert_revoc_worker.png

The following lists configurable fields:

Field

Description

Consider issuance failed after

Pre-certificates without a final certificate will be considered to have failed issuance, and be revoked, after this amount of time.

images/s/-2y7bau/8703/189cb2l/_/images/icons/emoticons/warning.svg Do not set the value lower than the maximum time it could possibly take to issue a certificate (excluding publishing).