3.2. Listing Certificate Requests

The Certificate Manager keeps a queue of all certificate service requests that have been submitted to it. The queue records whether a request is pending, completed, canceled, or rejected. Three types of requests can be in the queue:
  • Certificate enrollment requests
  • Certificate renewal requests
  • Certificate revocation requests
A Certificate Manager agent must review and approve manual enrollment requests. Certificate requests that require review have a status of pending.
To see a list of requests:
  1. Go to the Certificate Manager agent services page.
    https://server.example.com:9443/ca/agent/ca

    NOTE

    An agent must have the proper client certificate to access this page.
  2. Click List Requests to view the queue of certificate requests.
    The List Requests form appears.
  3. View certificate requests by request type by selecting one of the options from the Request type menu.
    • Show enrollment requests
    • Show renewal requests
    • Show revocation requests
    • Show all requests
  4. View requests by request status by selecting one of the options in the Request status menu.
    • Show pending requests. These are enrollment requests that have not yet been processed but are waiting for manual review.
    • Show canceled requests. These are requests that have been manually canceled by an agent. Users do not receive automatic notification of canceled requests. Cancellation can be useful if the user has left the company since submitting the request or if the user has already been contacted about a problem and does not need to be notified about the request status.
    • Show rejected requests. These are requests that have been either manually rejected or rejected automatically during profile processing. If the system has been configured to provide automatic notifications to users, a notice is sent to the requester when the request is rejected.
    • Show completed requests. These are requests that have been completed, including issued certificates and completed revocation requests.
    • Show all requests. This shows all requests of the selected type, regardless of status.
  5. To start the list at a specific place in the queue, enter the starting request identifier in decimal or hexadecimal form. Use 0x to indicate a hexadecimal number; for example, 0x2A.
  6. Choose the number of matching requests to be returned. When a number is specified, the system displays that number of certificate requests, beginning with the starting sequence number that matches the specified criteria.
  7. Click Find to display the list of requests that match the specified criteria.
    Figure 3.2. Request Queue


3.2.1. Selecting a Request

To select a request from the queue:
  1. On the agent services page, click List Requests, specify search criteria, and click Find to display a list of certificate signing requests.
  2. Select a request to examine from the Request Queue form.
  3. If a desired request is not shown, scroll to the bottom of the list, specify an additional number of requests to be listed, and click Find. That number of additional requests matching the original search criteria is shown.
  4. When the request has been found, click Details.
  5. The Request Details form appears, showing detailed information about the selected request. Use this form to approve or manage the request.
    Figure 3.3. Request Details


NOTE

If the system changes the state of the displayed request, using the browser's Back or Forward buttons or history to navigate can cause the data display to become out of date. To refresh the data, click the highlighted serial number at the top of the page.

3.2.2. Searching for Certificates (Advanced)

Search for certificates by more complex criteria than serial number using the advanced search form. To perform an advanced search for certificates:
  1. Open the Certificate Manager agent services page. The agent must submit the proper client certificate to access this page.
  2. Click Search for Certificates to display the Search for Certificates form to specify search criteria.
  3. To search by particular criteria, use one or more of the sections of the Search for Certificates form. To use a section, select the check box, then fill in any necessary information.
    • Serial Number Range. Finds a certificate with a specific serial number or lists all certificates within a range of serial numbers.
      • To find a certificate with a specific serial number, enter the serial number in both the upper limit and lower limit fields in either decimal or hexadecimal. Use 0x to indicate the beginning of a hexadecimal number, such as 0x2A. Serial numbers are displayed in hexadecimal form in the Search Results and Details pages.
      • To find all certificates within a range of serial numbers, enter the upper and lower limits of the serial number range in decimal or hexadecimal. Leaving either the lower limit or upper limit field blank returns all certificates before or after the number specified.
    • Status. Selects certificates by their status. A certificate has one of the following status codes:
      • Valid. A valid certificate has been issued, its validity period has begun but not ended, and it has not been revoked.
      • Invalid. An invalid certificate has been issued, but its validity period has not yet begun.
      • Revoked. The certificate has been revoked.
      • Expired. An expired certificate has passed the end of its validity period.
      • Revoked and Expired. The certificate has passed its validity period and been revoked.
    • Revocation Information. Lists certificates that have been revoked during a particular period or by a particular agent. For example, an agent can list all certificates revoked between July 2005 and April 2006 or all certificates revoked by the agent with the username admin.
      • To list certificates revoked within a time period, select the day, month, and year from the drop-down lists to identify the beginning and end of the period.
      • To list certificates revoked by a particular agent, enter the name of the agent; it is possible to use wildcards in this field.
    • Issuing Information. Lists certificates that have been issued during a particular period or by a particular agent. For example, an agent can list all certificates issued between July 2005 and April 2006 or all certificates issued by the agent with the username betatest.
      • To list certificates issued within a time period, select the day, month, and year from the drop-down lists to identify the beginning and end of the period.
      • To list certificates issued by a particular agent, enter the name of the agent; it is possible to use wildcards in this field.
    • Dates of Validity. Lists certificates that become effective or expire during a particular period. For example, an agent can list all certificates that became valid on June 1, 2003, or that expired between January 1, 2006, and June 1, 2006.
      It is also possible to list certificates that have a validity period of a certain length of time, such as all certificates that are valid for less than one month.
      • To list certificates that become effective or expire within a time period, select the day, month, and year from the drop-down lists to identify the beginning and end of the period.
      • To list certificates that have a validity period of a certain length in time, select Not greater than or Not less than from the drop-down list, enter a number, and select a time unit from the drop-down list: days, weeks, months, or years.
    • Basic Constraints. Shows CA certificates that are based on the Basic Constraints extension.
    • Type. Lists certain types of certificates, such as all certificates for subordinate CAs. This search works only for certificates containing the Netscape Certificate Type extension, which stores type information. For each type, choose from the drop-down list to find certificates where that type is On, Off, or Do Not Care.
  4. To find a certificate with a specific subject name, use the Subject Name section. Select the check box, then enter the subject name criteria. Enter values for the included search criteria and leave the others blank.
    The standard tags or components are as follows:
    • Email address. Narrows the search by email address.
    • Common name. Finds certificates associated with a specific person or server.
    • UserID. Searches certificates by the user ID for the person to whom the certificate belongs.
    • Organization unit. Narrows the search to a specific division, department, or unit within an organization.
    • Organization. Narrows the search by organization.
    • Locality. Narrows the search by locality, such as the city.
    • State. Narrows the search by state or province.
    • Country. Narrows the search by country; use the two-letter country code, such as US.

    NOTE

    Certificate System certificate request forms support all UTF-8 characters for the common name and organizational unit fields. The common name and organization unit fields are included in the subject name of the certificate. This means that the searches for subject names or those elements in the subject name support UTF-8 characters.
    This support does not include supporting internationalized domain names, such as in email addresses.

    After entering the field values for the server to match, specify the type of search to perform:
    • Exact searches for certificate subject names match the exact components specified and contain none of the components left blank. Wildcards cannot be used in this type of search.
    • Partial searches for certificate subject names match the specified components, but the returned certificates may also contain values in components that were left blank. Wildcard patterns can be used in this type of search by using a question mark (?) to match an arbitrary single character and an asterisk (*) to match an arbitrary string of characters.

      NOTE

      Placing a single asterisk in a search field means that the component must be in the certificate's subject name but may have any value. Leave the field blank if it does not matter if the field is present.
  5. After entering the search criteria, scroll to the bottom of the form, and enter the number of certificates matching the specified criteria that should be returned.
    Setting the number of certificates to be returned returns the first certificates found that match the search criteria up to that number. It is also possible to put a time limit on the search in seconds.
  6. Click Find.
  7. The Search Results form appears, showing a list of the certificates that match the search criteria. Select a certificate in the list to examine it in more detail. For more information, refer to Section 4.3, “Examining Certificate Details”.
    Figure 3.4. Search Results Form
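
The search criteria described in steps 3 to 5 can be modeled in a few lines. The following is an added example, not code from Certificate System: it applies the documented rules (decimal or 0x serial limits, the five status codes, exact versus partial subject-name matching with ? and *, and a result limit) to constructed records. The record layout, the function names and case-sensitive comparison are assumptions of this sketch.

```python
import re
from datetime import datetime as D

# Added model of the documented search semantics, not Certificate System code.
def parse_serial(text):  # decimal or 0x-prefixed hex; blank field = no limit
    text = text.strip()
    if not text:
        return None
    return int(text, 16) if text.lower().startswith("0x") else int(text, 10)

def cert_status(cert, now):  # status codes as defined in the Status section
    expired = now > cert["not_after"]
    if cert["revoked"]:
        return "Revoked and Expired" if expired else "Revoked"
    if expired:
        return "Expired"
    return "Invalid" if now < cert["not_before"] else "Valid"

def wildcard(pattern):  # '?' = one character, '*' = any string, rest literal
    return re.compile("".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern), re.S)

def subject_matches(subject, criteria, exact):  # case-sensitive (assumption)
    wanted = {k: v for k, v in criteria.items() if v}  # blank fields ignored
    if exact:  # literal values, and no components beyond those specified
        return subject == wanted
    return all(k in subject and wildcard(v).fullmatch(subject[k])
               for k, v in wanted.items())

def search(certs, now, lower="", upper="", status=None, criteria=None,
           exact=False, limit=None):
    lo, hi = parse_serial(lower), parse_serial(upper)
    hits = [c for c in certs
            if (lo is None or c["serial"] >= lo)
            and (hi is None or c["serial"] <= hi)
            and (status is None or cert_status(c, now) == status)
            and (criteria is None or subject_matches(c["subject"], criteria, exact))]
    return [hex(c["serial"]) for c in hits[:limit]]  # results are shown in hex

# Constructed sample records, not real certificates.
CERTS = [
    {"serial": 0x29, "subject": {"CN": "www.example.com", "O": "Example"},
     "not_before": D(2005, 7, 1), "not_after": D(2007, 7, 1), "revoked": False},
    {"serial": 0x2A, "subject": {"CN": "Jane Doe", "OU": "Eng", "O": "Example"},
     "not_before": D(2005, 7, 1), "not_after": D(2006, 1, 1), "revoked": True},
    {"serial": 0x2B, "subject": {"CN": "John Doe", "O": "Example"},
     "not_before": D(2006, 6, 1), "not_after": D(2007, 6, 1), "revoked": False},
]
NOW = D(2006, 4, 1)
```

With these records, an exact search for CN "Jane Doe" and O "Example" returns nothing because the certificate also carries an OU component, while the same criteria as a partial search return serial 0x2a.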