> ## Documentation Index
> Fetch the complete documentation index at: https://docs.certgovernance.app/llms.txt
> Use this file to discover all available pages before exploring further.

# Certificates

> How certificates are enrolled, managed, and renewed in CertForge.

# Certificates

The **Certificates** page lists every certificate issued or managed by CertForge — domain certificates (ACME, enrollment), client authentication certificates, and any cert obtained through the API or cert-manager.

## Enrolling a certificate

### Via dashboard

1. Go to **Certificates → Enroll New**
2. Fill in:
   * **Name** — a human-readable label (e.g. `sbc1.example.com`)
   * **Domains** — the SANs the certificate should carry
   * **Trust Profile** — the DTP that governs issuance
   * **Environment** — `production`, `staging`, `development`
   * **Justification** — required if the DTP requires approval
3. Submit — the request enters the approval queue or is issued immediately depending on DTP policy

### Via mTLS API (automated)

Endpoints that already hold a valid client certificate can self-enroll via the API:

```bash theme={null}
curl -X POST https://certforge.example.com/v1/enroll \
  --cert /etc/ssl/client.crt \
  --key /etc/ssl/client.key \
  -H "Content-Type: application/json" \
  -d '{
    "common_name": "sbc1.example.com",
    "domains": ["sbc1.example.com"],
    "environment": "production",
    "justification": "Initial certificate for SBC"
  }'
```

The first enrollment (bootstrapping) requires either a pre-issued client certificate or a one-time enrollment token generated by an admin.

## Certificate lifecycle

```
Enroll → [Approval] → Certificate issued → Certificate in use
                                                    │
                                        ┌───────────┴──────────────┐
                                        │                          │
                                  Renewal (auto)            Revocation
                                        │                          │
                                 New cert issued           CRL updated
```

### Automatic renewal

The renewal scheduler checks certificates daily. When a certificate is within the renewal window (default: 30 days before expiry), a renewal request is submitted automatically. If the DTP requires approval, an approver must act before the certificate is re-issued.

Configure the renewal window in **Admin → Settings**.

### Manual renewal

Go to **Certificates**, find the entry, and click **Renew**. This submits a new enrollment request identical to the original.

## Revocation

Revoking a certificate immediately adds it to the CA's Certificate Revocation List (CRL). Services that check the CRL will reject the certificate.

To revoke: **Certificates → \[entry] → Revoke** and provide a revocation reason.

Revocation reasons (per RFC 5280):

* `key_compromise` — private key may be exposed
* `ca_compromise` — issuing CA is compromised
* `affiliation_changed` — endpoint no longer belongs to this org
* `superseded` — replaced by a new certificate
* `cessation_of_operation` — endpoint decommissioned

## ACME clients

Systems running a standard ACME client (certbot, acme.sh, Caddy, Traefik) can point their ACME directory URL at CertForge's built-in ACME server:

```
ACME directory: https://certforge.example.com/acme/directory
```

CertForge intercepts the ACME order, applies DTP policy, routes through the approval queue if required, and fulfills the order from the configured CA. The ACME client receives a standard certificate — no changes required in the client.

## Certificate list columns

| Column        | Description                                                  |
| ------------- | ------------------------------------------------------------ |
| Name / Domain | Certificate label or primary SAN                             |
| Source        | How it was issued: ACME, API, k8s (cert-manager), enrollment |
| Trust Profile | DTP governing this certificate                               |
| Mode          | Issuance mode                                                |
| Lifecycle     | Current stage: Active, Pending, Expiring, Expired, Revoked   |
| Cert Expiry   | Expiry date                                                  |
| Actions       | Download, revoke, delete                                     |
