Manage CA sets

View a CA set

If you have already created at least one CA set, the Mutual TLS Edge Truststore UI displays a CA sets list sorted by the last modification date. You can filter them out by CA set name.

📘

Certificate expiration notifications

You get notifications about the expired certificates (highlighted in red) and the certificates that will expire in the next 90 days (highlighted in yellow). The notifications include information about the CA sets these belong to as well as certificates’ number, names, and the networks these are activated on. In the CA certificate sets section, hover over the notifications to view the details.

To view the details of the existing CA sets:

  1. Under CA certificate sets, select the CA set.
  2. On the right, you can view the CA set details:
    • Description you provided during creation
    • CA set id
    • Creation date and time
    • Network information including active version and pending activity
    • List of created versions (see View a certificate in a set to learn more about certificate details)
    • History of activities performed on the CA set

📘

Viewing deleted CA sets

You can also view deleted CA sets in the list. If you delete a CA set it becomes read-only, which means you can no longer perform any operations on it but you can access the history of its activities.

Create a CA set version

You can edit a CA set version as long as it’s not activated on any network. If you need to make updates on an already activated CA set version, create (or clone) a new version.

📘

Active CA set versions

New versions can be created as long as the CA set is not deleted. Any active version of the CA set needs to be deactivated before the CA set can be deleted.

To learn about creating a new version of a CA set, navigate to create a CA set section.

Cancel a CA set

If you select Cancel before creating your CA set, any information you provided is lost.
Click New CA certificate set to create a CA set from scratch.

Clone a CA set version

You can edit a CA set version as long as it’s not activated on any network. If you need to make updates on an already activated CA set version, clone or create version.

To clone a version:

  1. View the CA set.
  2. Select the CA set version you want to clone.
  3. In the Actions menu select Clone.
  4. Click Clone to confirm the action.
  5. Edit the cloned version.
  6. Save version to confirm the changes.

Edit a CA set version

You can edit a CA set version as long as it’s not activated on any network. You can add and remove certificates but you can't change the name. If you need to make updates on an already activated CA set version, clone or create version.

To edit a CA set version:

  1. View the CA set.
  2. Select the latest CA set version.
  3. In the Actions menu select Edit. The CA set edition window opens.
  4. You can:

📘

You can click Review version changes to verify the undertaken action.

  1. Click Save version.

Activate a CA set version

See Activate a CA set version on a network.

Set up mutual authentication

See Set up mutual authentication.

Compare CA set versions

When you have more than one version of the CA set, you can compare them to track the differences.

To compare the CA set versions:

  1. View the CA set whose versions you want to compare.
  2. Select and expand the latest CA set version.
  3. In the Actions menu select Compare.
  4. Select the CA set versions you want to compare.
  5. Click Compare.
    • The removed CA certificates are highlighted in red.
    • The added CA certificates are highlighted in green.
  6. Click Close.

Deactivate a CA set

You can’t deactivate the CA set version if it’s bound to a slot in Certificate Provisioning System. If the set is still associated with an edge certificate, a message appears showing the edge certificates.

To deactivate a CA set (along with all its versions and CA certificates):

  1. View the CA set you want to deactivate.
  2. Select the CA set version.
  3. In the Actions menu, select De-activate.
  4. Click Deactivate version X on Staging or Deactivate version X onProduction or both, if applicable.
  5. Click Close to go back to the CA set details view.

Delete a CA set

Before you can delete a CA set in Mutual TLS Edge Truststore, you need to dissociate the CA set from all edge certificates in Certificate Provisioning System (see Set up mutual authentication for associating a CA set to an edge certificate). You can’t delete CA set versions.

📘

When you delete the CA set it is removed from both staging and production networks and marked as deleted. The deleted CA set is rendered as read-only and can’t be reactivated.

To delete a CA set (along with all its versions and CA certificates):

  1. View the CA set you want to remove.
  2. Deactivate the CA set from each network.
  3. In the upper right corner, click Delete CA set.
  4. Click Submit. The CA set is deactivated from the production and staging networks.

📘

The deleted CA set is still displayed under CA certificate sets and marked as Deleted. You can view the History of the activities performed on this CA set.