Certificate authority states
This page describes the operational states that apply to certificate authorities (CAs).
Once created, a CA is in one of the following states throughout its lifecycle.
- Awaiting user activation
Subordinate CAs are created in the `AWAITING_USER_ACTIVATION` state, and they are set to the `STAGED` state after activation.
Root CAs are created in the `STAGED` state. A root CA can never be in the
We recommend that you create and test certificates while the CA is still in the `STAGED` state. Once you have verified that the CA certificate has been published to all clients and tested certificate issuance from the CA, you can enable the CA to start issuing load-balanced certificates for the CA pool. For information on enabling a CA, see Enabling a CA.
A CA pool cannot issue certificates until it has at least one CA in the
The following table illustrates the properties of a CA in each of the states.
| CA state | Can issue certificates? | Included in CA pool certificate issuance rotation? | Included in CA pool Trust Anchor? | Can revoke certificates and publish CRLs? | Is billed? | Are resources accessible? | Can accept update requests? |
|---|---|---|---|---|---|---|---|
| Awaiting user activation | No | No | No | No | No | Yes | No |
¹ CAs in the `STAGED` state cannot issue certificates through CA pool load-balancing. They can only issue certificates when requested directly by the clients.
- Learn about pricing for CA Service.
- Learn how to manage CA states.
- Learn how to request certificates.