How long does it take for a certificate authority (CA) to issue a certificate?
Some certificate authorities can issue certificates almost instantly while others can take up to an hour or more to act on a CSR enrollment.
To prevent unnecessary resource utilization, and to avoid overloading the CA with repeated duplicate requests, Trust Protection Platform employs a system that periodically checks to see if the certificate has been issued. If the certificate has not been issued, the duration between requests gradually increases until it reaches 32 minutes.
By default, the retry interval period is 30 seconds, then 1 minute, 2 minutes, 4 minutes, 8 minutes, 16 minutes, and finally 32 minutes.
Once the duration reaches 32 minutes, the system continues to check every 32 minutes until the certificate is issued. Therefore, the longer the CA takes to approve the request, the longer it takes to import the certificate. For example, if the CA takes a day to complete the request, it can take up to 32 minutes after the certificate is issued for Trust Protection Platform to import it into the system.
NOTE Some TPP drivers have a different retry interval period because the CA may return a certificate before the default 30 seconds. These CA templates and their intervals are:
- Adaptable CA, Amazon CA (using private CA), and Google Private CA: 1 second, 2 seconds, 10 seconds, 30 seconds, 1 minute, 2 minutes, 4 minutes, 8 minutes, 16 minutes, then 32 minutes
- Amazon CA (using public CA): 10 minutes
- VikingCloud: 30 minutes
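The retry schedules above can be modeled to see how long after issuance a certificate is actually picked up. This is an added illustration, not Trust Protection Platform code. It assumes the first check happens one interval after the request is submitted, that the last listed interval repeats, and that the single-value entries are fixed intervals; the schedule key names are made up for the example.

```python
from itertools import accumulate, chain, repeat

MIN = 60
# Retry intervals in seconds, copied from the schedules listed on this page.
# The dictionary keys are hypothetical labels, not product identifiers.
SCHEDULES = {
    "default": [30, 1 * MIN, 2 * MIN, 4 * MIN, 8 * MIN, 16 * MIN, 32 * MIN],
    "fast": [1, 2, 10, 30, 1 * MIN, 2 * MIN, 4 * MIN, 8 * MIN, 16 * MIN, 32 * MIN],
    "amazon_public": [10 * MIN],
    "vikingcloud": [30 * MIN],
}

def poll_times(schedule):
    """Seconds since submission of each status check (infinite iterator).
    Assumption: the final interval repeats until the certificate is issued."""
    return accumulate(chain(schedule, repeat(schedule[-1])))

def import_time(schedule, issued_at):
    """Time of the first check at or after the moment the CA issues."""
    for t in poll_times(schedule):
        if t >= issued_at:
            return t

def import_lag(schedule, issued_at):
    """Delay between issuance by the CA and the check that retrieves it."""
    return import_time(schedule, issued_at) - issued_at

def worst_case_lag(schedule, horizon):
    """Largest gap between checks up to and including the one covering horizon."""
    prev = worst = 0
    for t in poll_times(schedule):
        worst = max(worst, t - prev)
        if t >= horizon:
            return worst
        prev = t

if __name__ == "__main__":
    day = 24 * 60 * MIN
    for name, sched in SCHEDULES.items():
        print(f"{name:14s} issued after 5 s -> picked up at {import_time(sched, 5)} s; "
              f"issued after 1 day -> lag {import_lag(sched, day) / MIN:.1f} min "
              f"(worst case {worst_case_lag(sched, day) / MIN:.0f} min)")
```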
What are the primary causes of delays in certificate issuance?
There are several reasons why certificate issuance can be delayed:
- The certificate authority is just slow. Some certificate authorities regularly take 30 minutes to an hour to act on a CSR.
- Sometimes organizations have configured the CA to require a manual approval before a certificate can be approved. In those cases, the delay will be as long as it takes for the approver to receive and act on the request for approval.
NOTE This is completely outside the control of Trust Protection Platform. This is a setting controlled by the CA when approvals are required. If your organization uses this type of setup, we encourage you to look at settings in Trust Protection Platform that perform the same function. These include Certificate Workflows and the Adaptable Workflow feature, which can integrate with external approval systems such as ServiceNow, where approvals can be managed.
For more information on certificate workflows, see Implementing certificate workflow management.
For more information on Adaptable Workflow, see About Adaptable Workflows.
- Sometimes the certificate authority needs the customer to re-verify ownership of the domain before it will issue a certificate for the requested domain.
If Trust Protection Platform seems slow importing the certificate, the delay is likely on the certificate authority's side. Trust Protection Platform will continue checking every thirty minutes or so until the certificate is issued and can be imported into the system. If you have questions, check with your system administrator, or the person who administers manual approvals for your certificate authority.