Skip to main content

Certificates

The Certificates page lists every certificate issued or managed by CertForge — domain certificates (ACME, enrollment), client authentication certificates, and any cert obtained through the API or cert-manager.

Enrolling a certificate

Via dashboard

  1. Go to Certificates → Enroll New
  2. Fill in:
    • Name — a human-readable label (e.g. sbc1.example.com)
    • Domains — the SANs the certificate should carry
    • Trust Profile — the DTP that governs issuance
    • Environmentproduction, staging, development
    • Justification — required if the DTP requires approval
  3. Submit — the request enters the approval queue or is issued immediately depending on DTP policy

Via mTLS API (automated)

Endpoints that already hold a valid client certificate can self-enroll via the API:
The first enrollment (bootstrapping) requires either a pre-issued client certificate or a one-time enrollment token generated by an admin.

Certificate lifecycle

Automatic renewal

The renewal scheduler checks certificates daily. When a certificate is within the renewal window (default: 30 days before expiry), a renewal request is submitted automatically. If the DTP requires approval, an approver must act before the certificate is re-issued. Configure the renewal window in Admin → Settings.

Manual renewal

Go to Certificates, find the entry, and click Renew. This submits a new enrollment request identical to the original.

Revocation

Revoking a certificate immediately adds it to the CA’s Certificate Revocation List (CRL). Services that check the CRL will reject the certificate. To revoke: Certificates → [entry] → Revoke and provide a revocation reason. Revocation reasons (per RFC 5280):
  • key_compromise — private key may be exposed
  • ca_compromise — issuing CA is compromised
  • affiliation_changed — endpoint no longer belongs to this org
  • superseded — replaced by a new certificate
  • cessation_of_operation — endpoint decommissioned

ACME clients

Systems running a standard ACME client (certbot, acme.sh, Caddy, Traefik) can point their ACME directory URL at CertForge’s built-in ACME server:
CertForge intercepts the ACME order, applies DTP policy, routes through the approval queue if required, and fulfills the order from the configured CA. The ACME client receives a standard certificate — no changes required in the client.

Certificate list columns