Signing Record Store (signingService-SigningRecordStore)
When CSRs are submitted and processed, they will appear underneath the store as Certificate Signing Record instances specific to the requester Id of the requesting component.
The Signing Record Store is available in the signingService palette. To access the properties, expand .
| Property | Value | Description |
|---|---|---|
| Unfulfilled Request Expiration Period | hours, minutes, seconds | Defines the period after which a Pending record will be deleted. |
| Expired Certificate Grace Period | hours, minutes, seconds | Defines the period after which an Expired certificate will continue to service renewal requests. |
| Certificate Alerts Enabled | true or false |
Set to true enables alerts for certificates that are due or have already expired.
|
| Proximity To Certificate Expiration For Alerts | hours, minutes, seconds | Defines the period in which alerts shall be generated for certificates that are due to expire. |
| Alert Generation Time | additional properties | Contains time trigger settings for timings of alert checks. |
| Alarm Source Info | additional properties | Contains properties for configuring certificate alerts. |
Actions
Update Record States: Forces the update of the status of each record in the store.
Generate Alerts: Forces an instant generation of new certificate alerts.
Requester certificate rules
The rules governing requester certificates are as follows:
- The requester Id is unique to each requesting component. There may be several on the same station, or from different stations.
- Each requester can be associated with only a single signing record.
- The certificate record is Pending while the CSR is queued until the request is processed. Then, it becomes Rejected or Active as the certificate is signed and stored.
- Any pending request that is unfulfilled for the
Unfulfilled Request Expiration Periodis automatically removed. The requester must Onboard to the signing service once again. - An active certificate record is required for the requesting component to renew its current certificate. This should be attempted automatically in advance of expiry but can also be requested manually.
- The certificate record will continue to service renewal attempts up to the expiry time of the certificate, plus the
Expired Certificate Grace Period. - After the certificate expiry plus grace period has passed, the expired certificate can no longer service renewal requests and is automatically removed. The requester must Onboard to the signing service once again.
The status for each record in the store is indicated by the icon and status text. The possible states are:
- Pending — The CSR is queued and waiting to be fulfilled.
- Rejected — The CSR failed to be successfully fulfilled. Check the records message property for cause.
- Complete/Active — The CSR was fulfilled, and the certificate is valid.
- Complete/In Grace Period — The CSR was previously fulfilled, the certificate has passed its expiry period, however is in the grace period, so it will
continue to be used to service renewal requests until the
Expired Certificate Grace Periodhas passed. The grace period is applied from the time of certificate expiry.
The Certificate Store also has the ability to generate alerts for various certificate states. Certificates are grouped together into single alerts for each of the following states. They are grouped with those that have also entered that state since the last alert check:
- Those near their expiration; the proximity is configurable.
- Those expired but still in the grace period; this may indicate that auto-renew on the requesting component is failing.
- Those that have expired and been removed since the last alert check.
