
certLife – Certificate Lifecycle Management

certLife is a Windows service for certificate lifecycle management within the Secardeo TOPKI platform. All certificates of a PKI are stored and managed efficiently in a central SQL database. The certLife web frontend is used to perform central administration tasks by a certificate manager. In addition, certLife provides a convenient self-service for users and server administrators via web browser.

What is a Certificate Lifecycle?

A digital certificate is issued by a certification authority (CA). Its lifecycle is usually divided into three phases: enrollment (key generation, request and issuance), usage (validation, signing, encryption and decryption) and cancellation (revocation, suspension or expiry, typically followed by renewal).

The individual tasks within each phase vary with the certificate type, the certificate policy and the organization's own requirements.

Management of digital certificates

X.509 Certificate Enrollment:
  • Local or central generation of a public/private key pair
  • Submission of a certificate request (PKCS#10 CSR) to the Registration Authority (RA)
  • Optional request approval by an RA operator
  • Certificate issuance by the issuing CA
  • Encrypted archival of the private key (where central key generation is used)
  • Encrypted distribution of the private key to the user
  • Publication of the certificate (e.g. in the directory)

X.509 Certificate Usage:
  • Retrieval of a recipient's certificate from the directory in order to encrypt data
  • Certificate chain validation including revocation checking (CRL or OCSP)
  • Use of the public and private keys for signing, encrypting or decrypting
  • Key recovery from the archive by an authorized Key Recovery Agent, so that data encrypted to an older key can still be decrypted

X.509 Certificate Cancellation:
  • Certificate revocation by the CA
  • Optional certificate suspension by the CA
  • Certificate expiration according to the "not after" field
  • Certificate renewal with the existing or a new key pair

What are the benefits of managing certificates with certLife?

  • Convenient certificate management via web browser
  • Support for multiple private or public CAs
  • Seamless integration with Active Directory
  • Support for any type of certificate, e.g. SSL/TLS, S/MIME, …
  • Use of Windows certificate templates
  • Administration of additional metadata
  • Role-based access using AD credentials
  • Intuitive search and filtering of certificates
  • Request, approve, publish certificates …
  • Archive and recover private keys
  • Self-service for users and administrators
  • Key pair generation centrally or at the client
  • Autoenrollment for centrally generated keys
  • Status notifications
  • Reporting and statistics
  • REST API for integration of enterprise apps

How can you easily manage certificates with a browser?

With certLife, the certificates of an organization are administered conveniently and clearly in a web browser. The certificate search form is the basic PKI management tool: a search can be restricted intuitively to certificate templates or to particular attributes, attribute values and certificate states (e.g. issued, revoked, expired). Beyond the attributes contained in the certificate itself, additional administrative information can be attached to a certificate and searched for in the same way. Archived private keys are recovered reliably by a Key Recovery Agent and, in combination with certPush, transmitted securely to the user.


When do you need a certificate self-service?

Secardeo certLife offers a certificate self-service for users and server administrators. The certificate operations available in the web GUI depend on Windows Authentication (Kerberos) and on the roles of the authenticated user. A normal user can, for example, request, renew, revoke or recover their own certificates or download their complete key history. A web server administrator can request an SSL/TLS certificate either by pasting a CSR generated on the server itself (so the private key never leaves that server) or by selecting the required attributes with a few clicks and letting certLife generate the key pair and CSR centrally. Because certLife uses standard Windows certificate template features, the certificate manager can also define required workflow steps such as certificate request approval; the approval is then performed by a user holding the Approver role.

Where are key pairs generated?

certLife supports several generation models for public/private key pairs. Depending on the client, the security policy and organizational constraints, key pairs can be generated locally on the client or centrally by the certLife service, and in either case manually by the user or administrator or automatically:

Key pair generation on the client

  • Windows (auto) enrollment via certEP
  • Mobile Device Enrollment via SCEP
  • Linux Certificate Enrollment via SCEP (for example with certX Agent)
  • PKCS#10 certificate request for (web) server
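
The last item of the list above, as an added example that is not part of the original page and not Secardeo code: a PKCS#10 request is generated on a Windows web server with the built-in certreq tool, so that the private key is created in the server's own key store and never leaves it. The resulting Base64 request is what the server administrator pastes into the certLife CSR field described in the self-service section. The hostnames, organization name and file paths are placeholders.

```powershell
# Added example, not Secardeo code. Generates a PKCS#10 CSR on a Windows web server;
# the private key is created non-exportable in the machine key store (CNG provider).
# Subject, SANs and paths are placeholders to be adapted to the real server.

# Single-quoted here-string: "$Windows NT$" must not be interpolated by PowerShell.
$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject        = "CN=www.example.internal, O=Example GmbH, C=DE"
KeyAlgorithm   = RSA
KeyLength      = 3072
HashAlgorithm  = sha256
KeyUsage       = 0xA0        ; Digital Signature + Key Encipherment
Exportable     = FALSE       ; private key stays on this server
MachineKeySet  = TRUE        ; machine store, usable by the web server service account
ProviderName   = "Microsoft Software Key Storage Provider"
RequestType    = PKCS10

[Extensions]
; Subject Alternative Names: every DNS name the TLS endpoint is reached under.
; Modern clients ignore the CN and match on the SAN only.
2.5.29.17 = "{text}"
_continue_ = "dns=www.example.internal&"
_continue_ = "dns=example.internal&"
'@

$infPath = Join-Path $env:TEMP 'www-example.inf'
$csrPath = Join-Path $env:TEMP 'www-example.req'
Set-Content -Path $infPath -Value $inf -Encoding ASCII

# certreq -new creates the key pair and writes the Base64 PKCS#10 request.
certreq -new $infPath $csrPath
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# Check subject, SAN list, key size and the self-signature of the request before
# pasting it into certLife; a CSR with a wrong SAN wastes an approval round-trip.
certutil -dump $csrPath

# This Base64 block is what gets pasted into the certLife CSR form.
Get-Content $csrPath

# Once certLife delivers the issued certificate (e.g. as issued.cer), bind it to the
# pending key with:   certreq -accept .\issued.cer
```

Because `Exportable = FALSE`, the key cannot later be copied off the server; that is the intended property of client-side generation and the reason the page distinguishes it from central generation, where the key is archived and distributed by certLife instead.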


Central key pair generation by certLife

  • Convenient template-based request via the web GUI by the user
  • Extended request via a web form by an administrator
  • Manual download of private keys in standard PKCS#12 format
  • Automated process controlled by AD groups
  • Automated key distribution with certPush

With the central Certificate Autoenrollment, for example, mobile-only users who do not have a Windows computer can be automatically provided with certificates.

How can a user have access to all his digital certificates on any computer?

A user needs their S/MIME certificate and private key on every Windows workstation they work on. In addition, to decrypt older e-mails they need access to their expired certificates together with the complete key history, since each message is encrypted to the key that was current when it was sent. With the additional software component certWin Client, the local Windows certificate store of the logged-in user is automatically synchronized with the complete key history from the central TOPKI key archive via the certLife REST API. This also happens when the user logs on to other Windows systems, so that the user always has access to all encrypted e-mails regardless of the workstation and can sign and encrypt new e-mails without any manual setup.
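
As an added example that is not part of the original page and not Secardeo's certWin Client: the "manual download of private keys in standard PKCS#12 format" from the central-generation section and the key-history requirement of this section, done by hand in PowerShell. The PKCS#12 files downloaded from certLife are imported into the per-user store, and the store is then checked so that every S/MIME certificate of the user, expired ones included, still has its private key available; a certificate without a key is exactly the case in which old mail can no longer be decrypted. The download directory is a placeholder.

```powershell
# Added example, not Secardeo code. Imports a user's downloaded PKCS#12 key history
# into the per-user certificate store and verifies that all S/MIME certificates,
# valid or expired, have a usable private key. $keyHistoryDir is a placeholder.

$keyHistoryDir = Join-Path $env:USERPROFILE 'Downloads\keyhistory'
$pfxPassword   = Read-Host -AsSecureString -Prompt 'PKCS#12 password'

# Import every .p12/.pfx file. Import-PfxCertificate imports all certificates in a
# bundle and, without -Exportable, marks the imported keys non-exportable, so the
# key history cannot simply be copied off this workstation again.
Get-ChildItem -Path (Join-Path $keyHistoryDir '*') -Include *.p12, *.pfx | ForEach-Object {
    Import-PfxCertificate -FilePath $_.FullName `
        -CertStoreLocation Cert:\CurrentUser\My `
        -Password $pfxPassword | Out-Null
}

# Select the user's S/MIME certificates by the emailProtection EKU (1.3.6.1.5.5.7.3.4).
$smime = Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.4'
}

$now = Get-Date
foreach ($c in ($smime | Sort-Object NotBefore)) {
    $state = if ($c.NotAfter -lt $now) { 'expired' } else { 'valid' }
    $key   = if ($c.HasPrivateKey)    { 'key present' } else { 'KEY MISSING' }
    '{0}  {1,-7} {2,-11} {3}..{4}  {5}' -f $c.Thumbprint, $state, $key,
        $c.NotBefore.ToString('yyyy-MM-dd'), $c.NotAfter.ToString('yyyy-MM-dd'), $c.Subject
}

# An expired certificate WITHOUT its private key means mail encrypted to that key
# is unreadable on this workstation; that is what the central key history must prevent.
$missing = @($smime | Where-Object { -not $_.HasPrivateKey })
if ($missing.Count -gt 0) {
    Write-Warning ("{0} S/MIME certificate(s) have no private key in this store; " +
                   "messages encrypted to them cannot be decrypted here.") -f $missing.Count
}
```

The check lists expired certificates on purpose: Windows and most mail clients do not use an expired certificate for new signatures or encryption, but the expired certificate and its key are still required to open mail that was encrypted to it earlier, which is why the page insists on the complete key history rather than only the current certificate.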