Get FDA readyServicesHelm help

Manage certificates

🚧 This feature is currently in development.

You can view device certificate status and revoke root and intermediate certificates, as well as all certificates for a particular device. You can export your Certificate Revocation List (CRL) for all devices from the Provisioning tab.

Select system

  1. Click the Devices item in the sidebar. This will display the Devices page, which consists of two tabs, Provisioning and Certificates.

  2. Select a system name from the System name drop-down on the page. You can also narrow down results by selecting System instance or Component name from these drop-downs.

    • Alternately, you can select a system name from the Select system name drop-down in the breadcrumb trail.

    • You can currently only select one system name. Contact us if you need to view multiple systems simultaneously.

  3. Click the Certificates tab. This will display all certificates for the selected system.

  4. Click the Filters drop-down to filter on system instance, component, and other criteria.

Certificates

Each certificate card displays on the right under the filter bar. By default, the first certificate in the list is selected. The current selection is indicated by a blue background and a blue selection bar on the far left of the card.

Certificate types

Guardian can use two types of certificates to secure devices:

  • Standard x.509 certificates: This is the certificate type used in our out-of-the-box system configurations.

  • Medcrypt-proprietary certificates: We also can provide our proprietary certificates that are specifically designed for medtech use cases such as memory constraints.

Certificate statuses

  • Pending validation: This certificate has not yet been validated.

  • Active: This certificate is active and is not nearing expiration.

  • Expired: This certificate has expired and needs to be replaced.

  • Expires (timeframe): This certificate is nearing its expiration date and should be replaced soon. It is currently still active. It indicates the number of days, weeks, or months until a certificate expires. Any certificate that expires in under 6 months will display this status.

  • Suspended: This certificate has been suspended.

  • Revoked: This certificate has been revoked. View the certificate details to see the reason for revocation.

Certificate details

All certificates have standard x.509 fields. The exception is for device-level certificates, which have additional system details, provisioning details, and a Medcrypt certificate attributes section for context.

View certificate details and children

  1. Click any certificate to view its details. You can click the certificate card itself or its details icon.

  2. Root and intermediate certificates that have children will have a drop-down arrow. You can click each arrow to expand certificates individually or click the expand all icon to expand all parent certificates automatically.

System details

  • System name: This is the system definition. It will also be referred to as system.

  • System instance name: This is a particular instance of the system name.

  • Component name: This is a component in the system instance.

  • Component instance ID: This is the unique ID for a component.

  • Device HW ID: This is the unique ID for a device.

  • System instance ID:

  • Component instance ID: This is the unique ID for a component.

  • Component instance created on: This is when the component instance was created.

Provisioning details

  • Provisioning status: This shows the provisioning status of the PR. Statuses will depend on your system's defined approval type.

  • Approved on / by: This is the date the provisioning request was approved, as well as whether it was automatically approved (System) or manually approved (user name).

  • Rejected on / by: This is the date the provisioning request was rejected, as well as who rejected it.

  • Error code: For systems using the automatic approval workflow, this will display a particular error code. Refer to troubleshooting device provisioning for more information.

  • Provisioned on / by: This is the date the device provisioning was completed, as well as who provisioned it.

Identity

  • Common name (CN)

  • Organization name (O)

  • Subject alt name (SAN): This is only shown for device-level certificates

Status & validity

  • Status: This indicates the current status of a certificate.

  • Not before: This also shows the date and relative time until the certificate is valid.

  • Not after: This also shows the relative time until the certificate is no longer valid. If the certificate has expired, this shows the time elapsed, such as (x days ago).

  • Validity period

  • Revoked on / by: This is the date when the certificate was revoked and who it was revoked by.

  • Revocation reason: This shows the reason the certificate was revoked.

Security

  • TLS pinning

  • Key type

  • Signature algorithm

Additional identity information

  • Organizational unit (OU)

  • Email address (E)

Location

  • Country (C)

  • State/Province (ST or S)

  • Locality/City (L)

Technical details section

Key usage

  • Critical

  • Permitted uses

  • Serial number

Basic constraints

  • Critical

  • Certificate authority

  • Path length constraint

Certificate identifiers

  • Serial number

  • Thumbprint

  • Authority key identifier

  • Subject key identifier

Extended validation

  • CRL distribution points

Medcrypt certificate attributes

  • Component handle

  • Environment: This is either TEST or PRODUCTION and is configured when your system was created.

  • Expiration action: This is the action that will be automatically performed if a certificate expires.

    • WARN: This will warn you that a certificate has expired.

    • DISABLE: This will automatically disable the certificate

  • Guardian hardware ID: This is the UUID or hash in your device that is fed in during device provisioning that represents the Guardian hardware on your device.

  • Device hardware ID type: This is always the value, OCTET STRING. This can be parsed to get the original hardware ID type.

Export certificates

Export all certificates

You can export all certificates or filter down to a subset, then export. This will export a zip file containing a .PEM file for each certificate.

Export individual certificate

  1. Click any certificate to view its details, as well as available actions. This will display the Certificate details section.

  2. Click the Export action link. This will export a .PEM file for this certificate.

Revoke certificates

Depending on the certificate level, you will have different revoke capabilities.

  1. Click any certificate to view its details, as well as available actions. This will display the Certificate details section.

  • Root or intermediate certificates: Click the Revoke certificate action in the Certificate details section.

  • Device certificates: Click the Revoke all certs for device action in the Certificate details section. If you need the ability to revoke device certificates individually, let us know.

  1. In the respective confirmation panel, review the details for each certificate you are revoking.

  2. For root or intermediate certificates, specify the revocation reason. For device-level certificates, you can specify one revocation reason for all or individual revocation reasons for each certificate.

Filter certificates

All matching items will have a blue highlight background. If root or intermediate certificates are returned, their children are also returned to provide context. These are only highlighted if the child matches the search and filters applied.

Search:

In the search box drop-down, you can select All certificates or one or more certificate levels, as well as search on the certificate common name.

Filter panel

System details

  • System name

  • System instance name

  • Component name:

  • Device hardware ID

Provisioning details

  • Provisioning status

  • Provisioned on

    • Quick filters selections

    • Date range

  • Approved on (date range)

    • Quick filters selections

    • Date range

  • Rejected on (date range)

    • Quick filters selections

    • Date range

Certificate details

You can quickly filter on certificate status and expiration details to proactively manage your certificates.

  • Certificate level (root, intermediate, device)

  • Certificate status

  • Not before

    • Quick filters selections

    • Date range

  • Not after

    • Quick filters selections

    • Date range

  • Revocation reason

  • Revoked on:

    • Quick filters selections

    • Date range

Filter certificates

You can filter on system, device, and certificate information.

General section

  • System name: Select the main system to view. This is also known as the system definition.

  • System instance: Select one or more system instances to view.

  • Component name: Select one or more components to view.

  • Device hardware ID: Specify a particular device hardware ID to filter on.

Provisioning details section

  • Toggle to view current provisioning status for all devices or all statuses the devices have moved through.

  • Provisioning status: Select one or more provisioning status(es). The available statuses will depend on the approval type of the system you are currently viewing.

  • Provisioned on: Select a date range to view devices that moved to the Provisioned status during that time.

Certificate sections

You can filter on device certificates, device leaf certificates, and intermediate certificates in their respective sections.

  • Certificate status: Select one or more provisioning status(es) for each certificate type you want to filter on.

  • Expires on: Select a date range to view which certificates will expire during that time.

  • Revocation reason: Select one or more revocation reasons to filter on. This filter conditionally displays if you select the Revoked certificate status.

  • Revoked on: Select a date range to view which certificates were revoked during that time. This filter conditionally displays if you select the Revoked certificate status.

Medcrypt certificates section:

  • Component handle [text field]

  • Environment

  • Expiration action

Change date formatting

By default, device provisioning data is displayed in UTC time and in dd mmm yyyy format. You can change this to display ISO format and/or to show dates in your local time.

  1. To change the date formatting, click the Settings drop-down in the toolbar.

  2. Toggle the respective date settings, which will automatically apply.

FAQ

How will we know when certificates expire?

You can filter on certificate status and expiration date, as well as view details for any certificate.

PreviousManage device provisioningNextExtract certificates from provisioned devices

Last updated

Was this helpful?