Certificate authority states
This page describes the operational states that apply to certificate authorities (CAs).
Once created, a CA is in one of the following states throughout its lifecycle.
- Enabled
- Disabled
- Staged
- Awaiting user activation
- Deleted
Subordinate CAs are created in the AWAITING_USER_ACTIVATION state, and they are set to the STAGED state after activation.
Root CAs are created in the STAGED state. A root CA can never be in the AWAITING_USER_ACTIVATION state.
We recommend that you create and test certificates while the CA is still in the STAGED state. Once you have verified that the CA certificate has been published to all clients and tested certificate issuance from the CA, you can enable the CA to start issuing load-balanced certificates for the CA pool. For information on enabling a CA, see Enable a CA.
A CA pool cannot issue certificates until it has at least one CA in the ENABLED state.
The following table illustrates the properties of a CA in each of the states.
| CA state | Can issue certificates? | Included in CA pool certificate issuance rotation? | Included in CA pool Trust Anchor? | Can revoke certificates and publish CRLs? | Is billed? | Are resources accessible? | Can accept update requests? |
|---|---|---|---|---|---|---|---|
| Enabled | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Disabled | No | No | Yes | Yes | Yes | Yes | No |
| Staged | Yes1 | No | Yes | Yes | Yes | Yes | Yes |
| Awaiting user activation | No | No | No | No | No | Yes | No |
| Deleted | No | No | No | No | No | No | No |
1CAs in the STAGED state cannot issue certificates through CA pool load-balancing. They can only issue certificates when requested directly by the clients.
What's next
- Learn how to enable, disable, and restore CAs.
- Learn how to request certificates.