Certificates
The Certificates page lists every certificate issued or managed by CertForge — domain certificates (ACME, enrollment), client authentication certificates, and any cert obtained through the API or cert-manager.Enrolling a certificate
Via dashboard
- Go to Certificates → Enroll New
- Fill in:
- Name — a human-readable label (e.g.
sbc1.example.com) - Domains — the SANs the certificate should carry
- Trust Profile — the DTP that governs issuance
- Environment —
production,staging,development - Justification — required if the DTP requires approval
- Name — a human-readable label (e.g.
- Submit — the request enters the approval queue or is issued immediately depending on DTP policy
Via mTLS API (automated)
Endpoints that already hold a valid client certificate can self-enroll via the API:Certificate lifecycle
Automatic renewal
The renewal scheduler checks certificates daily. When a certificate is within the renewal window (default: 30 days before expiry), a renewal request is submitted automatically. If the DTP requires approval, an approver must act before the certificate is re-issued. Configure the renewal window in Admin → Settings.Manual renewal
Go to Certificates, find the entry, and click Renew. This submits a new enrollment request identical to the original.Revocation
Revoking a certificate immediately adds it to the CA’s Certificate Revocation List (CRL). Services that check the CRL will reject the certificate. To revoke: Certificates → [entry] → Revoke and provide a revocation reason. Revocation reasons (per RFC 5280):key_compromise— private key may be exposedca_compromise— issuing CA is compromisedaffiliation_changed— endpoint no longer belongs to this orgsuperseded— replaced by a new certificatecessation_of_operation— endpoint decommissioned