About certificate lifecycle management

Trust Protection Platform simplifies the process of managing digital certificates throughout their lifecycle. When a certificate is brought under management, Trust Protection Platform monitors the certificate and provides current information about the certificate status. When a certificate nears the end of its lifecycle, Trust Protection Platform provides notifications so you can renew and install the certificate before it expires.

If a network certificate is configured for Enrollment, Trust Protection Platform interfaces directly with the CA to initiate certificate renewal and key generation requests according to organization-defined workflow and approved folders. After the CA signs the certificate, Trust Protection Platform retrieves the certificate and securely stores it in the Secret Store. The administrator can then download the certificate from the Secret Store and install it on the target system(s).

If a network certificate is configured for Provisioning, Trust Protection Platform automatically requests, renews, and installs the certificate on its associated application(s), ensuring that the certificate is reliably deployed and managed.

NOTE  Individual stages may vary per application. For information on the certificate lifecycle stages for each application, see Protecting server platforms and keystores.

The following table outlines the managed stages of the network certificate lifecycle.

Certificate enrollment involves two distinct "todo" items. The Certificate ToDo (stages 0-450), and Certificate Enrollment ToDo (stages 500-750). These ToDos respect different engine assignments. For example, the Certificate ToDo respects what is specified for the certificate object, but the Certificate Enrollment ToDo respects what is specified on the CA Template. If you are seeing certificate processing failures (including while using Intune), try setting the engine assignment to be the same on both the certificate object and the CA template.

NOTE  If the private key and CSR are locally generated on the Trust Protection Platform server, stages 0-700 are performed by the default X509 Certificate Application driver. Stages 0-700 are only performed by the certificate’s consumer Application driver if the private key and CSR are remotely generated on the certificate’s consumer application.

The private key and CSR are remotely generated on the certificate’s consumer applications if the Generate Key/CSR on Application option is enabled in the Certificate object.

Stage Codes and Descriptions

Certificate Stage Codes

Workflow Stage codes

Stage Code

Friendly Name




Prepares the certificate for lifecycle processing.



Applies only to remote generations.

If the private key and CSR are generated remotely, Trust Protection Platform compares the keystore or Directory configuration parameters specified in the Application object with the actual configuration on the application.



Applies only to remote generations.

If the certificate keystore does not exist, Trust Protection Platform creates the keystore as per the configuration parameters defined in the Application object.



Creates the private key.

DID YOU KNOW?  Stage 300 is used for key generation only when the API of a target device separates keypair and CSR generation. When they're combined, both key and CSR generation are always done at stage 400.



Creates the Certificate Signing Request (CSR). If Service Generated CSR is enabled and the certificate is associated with multiple applications, the CSR will be centrally generated so Trust Protection Platform can push the private key to multiple applications.



Submits the CSR to the Certificate Authority (CA).

If you post a manual CSR, this is the first stage of the certificate lifecycle.



Approves the certificate renewal at the CA.



Retrieves the certificate from the CA.



Installs the certificate on the target application. This provisioning happens in several stages, such as 801, 802, etc. All stages between 800-899 are provisioning stages.



Reserved for future use. You cannot apply this stage to a workflow.



Reserved for future use. You cannot apply a stage to this workflow.



Used for command injection workflow that must be executed after a certificate has been successfully provisioned.



Completes the certificate processing and, if configured, runs a Validation check on the certificate and application.



Submits a revocation request to the CA.

Certificate revocation is a certificate operation; it does not involve the application driver.




Updates the Trust Store at the host to comply with the effective bundle. To learn more, see Viewing the Effective Bundle.



Completes the processing of the Trust Store.

Related Topics Link IconRelated Topics