Certificate authority states

This page describes the operational states that apply to certificate authorities (CAs).

Once created, a CA is in one of the following states throughout its lifecycle.

  • Enabled
  • Disabled
  • Staged
  • Awaiting user activation
  • Deleted

Subordinate CAs are created in the AWAITING_USER_ACTIVATION state, and they are set to the STAGED state after activation.

Root CAs are created in the STAGED state. A root CA can never be in the AWAITING_USER_ACTIVATION state.

We recommend that you create and test certificates while the CA is still in the STAGED state. Once you have verified that the CA certificate has been published to all clients and tested certificate issuance from the CA, you can enable the CA to start issuing load-balanced certificates for the CA pool. For information on enabling a CA, see Enable a CA.

A CA pool cannot issue certificates until it has at least one CA in the ENABLED state.

The following table illustrates the properties of a CA in each of the states.

CA state Can issue certificates? Included in CA pool certificate issuance rotation? Included in CA pool Trust Anchor? Can revoke certificates and publish CRLs? Is billed? Are resources accessible? Can accept update requests?
Enabled Yes Yes Yes Yes Yes Yes Yes
Disabled No No Yes Yes Yes Yes No
Staged Yes1 No Yes Yes Yes Yes Yes
Awaiting user activation No No No No No Yes No
Deleted No No No No No No No

1CAs in the STAGED state cannot issue certificates through CA pool load-balancing. They can only issue certificates when requested directly by the clients.

What's next