Manage certificate trust chain

You can manage the certificate trust chain of root and intermediate certificates (Root of Trust) for your system.

Manage systems

  1. Click the Systems item in the sidebar. This will display your available systems.

  2. Click the Certificates link on a system card. This will display the root and intermediate certificate trust chain for the selected system.

  3. Click any certificate to view its details.

Certificates

Each certificate card displays on the right under the filter bar. By default, the first certificate in the list is selected. The current selection is indicated by a blue background and a blue selection bar on the far left of the card.

Certificate types

Guardian can use two types of certificates to secure devices:

  • Standard X.509 certificates: This is the certificate type used in our out-of-the-box system configurations.

  • Medcrypt-proprietary certificates: We can also provide our proprietary certificates, which are specifically designed for medtech constraints such as limited device memory.

Certificate statuses

  • Pending validation: This certificate has not yet been validated.

  • Active: This certificate is active and is not nearing expiration.

  • Expired: This certificate has expired and needs to be replaced.

  • Expires (timeframe): This certificate is nearing its expiration date and should be replaced soon. It is currently still active. The status indicates the number of days, weeks, or months until the certificate expires. Any certificate that expires in under 6 months will display this status.

  • Suspended: This certificate has been suspended.

  • Revoked: This certificate has been revoked. View the certificate details to see the reason for revocation.

Certificate details

All certificates have standard X.509 fields. Device-level certificates are the exception: they also have system details, provisioning details, and a Medcrypt certificate attributes section for context.

View certificate details and children

  1. Click any certificate to view its details. You can click the certificate card itself or its details icon.

  2. Root and intermediate certificates that have children will have a drop-down arrow. You can click each arrow to expand certificates individually or click the expand all icon to expand all parent certificates automatically.

System details
  • System name: This is the system definition. It will also be referred to as system.

  • System instance name: This is a particular instance of the system name.

  • Component name: This is a component in the system instance.

  • Component instance ID: This is the unique ID for a component.

  • Device HW ID: This is the unique ID for a device.

  • System instance ID:

  • Component instance created on: This is when the component instance was created.

Provisioning details
  • Provisioning status: This shows the status of the provisioning request (PR). Statuses will depend on your system's defined approval type.

  • Approved on / by: This is the date the provisioning request was approved, as well as whether it was automatically approved (System) or manually approved (user name).

  • Rejected on / by: This is the date the provisioning request was rejected, as well as who rejected it.

  • Error code: For systems using the automatic approval workflow, this will display a particular error code. Refer to troubleshooting device provisioning for more information.

  • Provisioned on / by: This is the date the device provisioning was completed, as well as who provisioned it.

Identity
  • Common name (CN)

  • Organization name (O)

  • Subject alt name (SAN): This is only shown for device-level certificates

Status & validity
  • Status: This indicates the current status of a certificate.

  • Not before: This shows the date, as well as the relative time until the certificate becomes valid.

  • Not after: This also shows the relative time until the certificate is no longer valid. If the certificate has expired, this shows the time elapsed, such as (x days ago).

  • Validity period

  • Revoked on / by: This is the date when the certificate was revoked and who it was revoked by.

  • Revocation reason: This shows the reason the certificate was revoked.

Security
  • TLS pinning

  • Key type

  • Signature algorithm

Additional identity information
  • Organizational unit (OU)

  • Email address (E)

Location
  • Country (C)

  • State/Province (ST or S)

  • Locality/City (L)

Technical details section

Key usage
  • Critical

  • Permitted uses

  • Serial number

Basic constraints
  • Critical

  • Certificate authority

  • Path length constraint

Certificate identifiers
  • Serial number

  • Thumbprint

  • Authority key identifier

  • Subject key identifier

Extended validation
  • CRL distribution points

Export certificates

Export all certificates

You can export all certificates or filter down to a subset, then export. This will export a zip file containing a .PEM file for each certificate.

Export individual certificate

  1. Click any certificate to view its details, as well as available actions. This will display the Certificate details section.

  2. Click the Export action link. This will export a .PEM file for this certificate.
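Once a zip has been exported, the expiry check can be repeated offline. The following is an added example, not Medcrypt code: it reads the notAfter field from each .PEM file in the archive using only the Python standard library and reports a validity-based status. It assumes the archive holds standard X.509 certificates, approximates "under 6 months" as 183 days, and uses hypothetical function names; Pending validation, Suspended and Revoked cannot be derived from the PEM file and are not reported.

```python
import base64, re, zipfile
from datetime import datetime, timedelta, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
WINDOW = timedelta(days=183)  # assumption: "under 6 months" taken as 183 days

def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, pos, pos + length

def not_after(pem_text):
    """Return notAfter (UTC) of the first certificate in a PEM string."""
    der = base64.b64decode(PEM_RE.findall(pem_text)[0])  # IndexError if none
    pos = read_tlv(der, 0)[1]             # enter Certificate SEQUENCE
    pos = read_tlv(der, pos)[1]           # enter tbsCertificate SEQUENCE
    tag, _, end = read_tlv(der, pos)
    pos = end if tag == 0xA0 else pos     # skip the optional [0] version field
    for _ in range(3):                    # skip serialNumber, signature, issuer
        pos = read_tlv(der, pos)[2]
    pos = read_tlv(der, pos)[1]           # enter validity SEQUENCE
    pos = read_tlv(der, pos)[2]           # skip notBefore
    tag, start, end = read_tlv(der, pos)  # notAfter: UTCTime or GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    when = datetime.strptime(der[start:end].decode("ascii"), fmt)
    if tag == 0x17 and when.year >= 2050:  # RFC 5280: UTCTime years 50-99 are 19xx
        when = when.replace(year=when.year - 100)
    return when.replace(tzinfo=timezone.utc)

def status(expiry, now):
    """Validity-based status, named after the statuses the page lists."""
    left = expiry - now
    if left <= timedelta(0):
        return "Expired"
    return f"Expires ({left.days} days)" if left < WINDOW else "Active"

def audit_zip(source, now=None):
    """Return {file name: status} for every .pem file in an exported zip."""
    now, report = now or datetime.now(timezone.utc), {}
    with zipfile.ZipFile(source) as zf:
        for name in sorted(n for n in zf.namelist() if n.lower().endswith(".pem")):
            try:
                report[name] = status(not_after(zf.read(name).decode("ascii", "replace")), now)
            except (ValueError, IndexError):
                report[name] = "Unreadable"
    return report
```

Call `audit_zip` with the path of the downloaded archive. The script reads validity dates only and does not verify signatures or the chain.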

Revoke certificates

Depending on the certificate level, you will have different revoke capabilities.

  1. Click any certificate to view its details, as well as available actions. This will display the Certificate details section.

  2. Click the Revoke certificate action in the Certificate details section.

  3. In the respective confirmation panel, review the details for each certificate you are revoking.

  4. For root or intermediate certificates, specify the revocation reason. For device-level certificates, you can specify one revocation reason for all or individual revocation reasons for each certificate.

Filter certificates

All matching items will have a blue highlight background. If root or intermediate certificates are returned, their children are also returned to provide context. A child is only highlighted if it matches the search and filters applied.

Search or filter certificates

Search box

In the search box drop-down, you can select All certificates or a certificate level, as well as search on the certificate common name.

Filter panel

Click the Filters drop-down to filter on system, device, and certificate information.

System details
  • System name: Select the main system to view. This is also known as the system definition.

  • System instance: Select one or more system instances to view.

  • Component name: Select one or more components to view.

  • Device hardware ID: Specify a particular device hardware ID to filter on.

Provisioning details
  • Toggle to view current provisioning status for all devices or all statuses the devices have moved through.

  • Provisioning status: Select one or more provisioning status(es). The available statuses will depend on the approval type of the system you are currently viewing.

  • Provisioned on: Select a quick timeframe date filter or provide a date range to view devices that moved to the Provisioned status during that time.

  • Approved on: Select a quick timeframe date filter or provide a date range to view devices that moved to the Approved status during that time.

  • Rejected on: Select a quick timeframe date filter or provide a date range to view devices that moved to the Rejected status during that time.

Certificate details

You can filter on root and intermediate certificates in their respective sections.

  • Certificate status: Select one or more provisioning status(es) for each certificate type you want to filter on.

  • Expires on: Select a date range to view which certificates will expire during that time.

  • Revocation reason: Select one or more revocation reasons to filter on. This filter conditionally displays if you select the Revoked certificate status.

  • Revoked on: Select a date range to view which certificates were revoked during that time. This filter conditionally displays if you select the Revoked certificate status.

Change date formatting

By default, device provisioning data is displayed in UTC time and in dd mmm yyyy format. You can change this to display ISO format and/or to show dates in your local time.

  1. To change the date formatting, click the Settings drop-down in the toolbar.

  2. Toggle the respective date settings, which will automatically apply.

FAQ

How will we know when certificates expire?

You can filter on certificate status and expiration date, as well as view details for any certificate.
