CA Offline Mode
Take a Certificate Authority offline to prevent unauthorized issuance, then restore it later when needed. Available since UCM v2.153.
Offline mode is the recommended posture for Root CAs between intermediate-CA signing events. While a CA is offline, UCM blocks all operations that require its private key:
- ❌ Sign CSRs
- ❌ Issue certificates
- ❌ Issue Intermediate CAs
- ❌ Sign new CRLs
The CA certificate (public part) remains fully usable for chain validation, OCSP lookup against existing CRLs, and trust-store distribution.
UCM offers two ways to take a CA offline. The choice determines where the encrypted private key lives while the CA is offline.
Password-protected mode: the private key is re-wrapped with a password you provide and kept in the UCM database (still master-key encrypted on top). Restore = enter the password.
Use when: you want offline protection but expect to bring the CA back online from the same UCM instance occasionally (e.g. quarterly intermediate signing).
File-exported mode: the private key is encrypted with your password, returned as a downloadable PKCS#8 PEM file, and deleted from the UCM database (`ca.prv` set to NULL). Restore = re-upload the file + password.
Use when: you want true cold storage. Move the file to a hardware token, an air-gapped USB drive, a safe, etc. UCM no longer holds the key in any form.
The offline password must satisfy the UCM password policy:
- Minimum 12 characters
- At least one uppercase, one lowercase, one digit, one symbol
- No runs of 4 or more sequential or repeated characters (e.g. `aaaa`, `1234`, `abcd`)
The password is never stored. If you lose it:
- Password-protected mode → the CA is unrecoverable; you must delete it
- File-exported mode → the exported file is unusable; you must delete the CA
To take a CA offline:
- Open the CA detail panel (click the CA in the list)
- Click Take Offline
- Confirm the operation
- Enter and confirm the offline password
- Choose a mode:
  - Keep in UCM (password-protected)
  - Download file (file-exported) — your browser downloads `<ca-name>.key.pem` immediately; this is the only copy
- The CA list now shows an Offline badge in place of the regular status
To restore an offline CA:
- Open the offline CA's detail panel
- Click Restore
- Enter the offline password
- If the CA was exported to file, also select the previously downloaded `.key.pem` file
- The CA returns to its previous status (Active, Expired, etc.) and resumes signing
| Operation | Online | Offline |
|---|---|---|
| Sign CSR | ✅ | ❌ |
| Issue end-entity certificate | ✅ | ❌ |
| Issue intermediate CA | ✅ | ❌ |
| Generate new CRL | ✅ | ❌ |
| Serve existing CRL via CDP | ✅ | ✅ |
| OCSP responses (signed by issuer/responder) | ✅ | ✅ if responder cert is online |
| Export CA certificate (public) | ✅ | ✅ |
| View / list / search | ✅ | ✅ |
| Delete | ✅ | ✅ |
CRL signing requires the CA private key, so plan your CRL refresh window before going offline. Existing CRLs continue to be served until they expire.
Taking a parent CA offline does not automatically take its children offline. Each CA is offlined independently.
If you take a Root CA offline, its already-issued Intermediate CAs continue to operate normally — they have their own private keys.
- The offline password is validated server-side against the same policy as user passwords.
- Password-protected mode wraps the key with `BestAvailableEncryption(password)` (PKCS#8) and then applies the UCM master-key wrap on top — two layers of encryption at rest.
- File-exported mode produces a single-layer PKCS#8 PEM (password-encrypted). The master key is not part of the export — the file is portable to any PKCS#8-aware tool (`openssl pkcs8`, HSM import utilities, etc.).
- Audit log entries record: `ca.offline.password_protected`, `ca.offline.file_exported`, `ca.restore.password_protected`, `ca.restore.file_exported`.
- The legacy free-text "offline reason" prompt has been removed — the mode itself is the audit record.
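Added example, not UCM's own code: the script below builds a password-encrypted PKCS#8 PEM of the same shape as a file-exported `.key.pem`, then checks that the offline copy decrypts with the right password, rejects a wrong one, and exposes the public-key fingerprint for comparison against the CA certificate. That is the check worth running before the online copy is gone, because a wrong password or a modified file otherwise surfaces only as "Invalid password or corrupted key" at restore time. It assumes `openssl` is on `PATH`; the key, file name and passwords are constructed here.

```shell
#!/bin/sh
# Added example, not UCM's own code. Produces a password-encrypted PKCS#8 PEM in the
# same shape as a file-exported <ca-name>.key.pem and verifies the offline copy.
# Assumes openssl on PATH. Key, file name and passwords below are constructed.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
EXPORTED="$WORK/example-root-ca.key.pem"   # stands in for <ca-name>.key.pem
OFFLINE_PW='Tr0ub4dor&3xample!'            # constructed: 12+ chars, all four classes, no 4-runs

# Generate a throwaway CA key and wrap it as PKCS#8 with PBES2 (PBKDF2 + AES-256-CBC),
# the password-based encryption a current toolchain emits for "best available".
make_offline_copy() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$WORK/plain.pem" 2>/dev/null
    openssl pkcs8 -topk8 -v2 aes-256-cbc -in "$WORK/plain.pem" \
        -out "$EXPORTED" -passout "pass:$OFFLINE_PW"
    rm -f "$WORK/plain.pem"   # cold storage: no plaintext copy is left behind
}

# Exit 0 only if the file is an encrypted PKCS#8 PEM that decrypts with the given
# password; any other password, file or tampering makes openssl fail.
verify_offline_copy() {
    grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$EXPORTED" || return 1
    openssl pkey -in "$EXPORTED" -passin "pass:$1" -noout >/dev/null 2>&1
}

# SHA-256 over the DER public key inside the offline copy. Compare it with
# `openssl x509 -pubkey -noout -in <ca-cert>` hashed the same way before storing the file.
offline_copy_pubkey_fingerprint() {
    openssl pkey -in "$EXPORTED" -passin "pass:$1" -pubout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

make_offline_copy
if verify_offline_copy "$OFFLINE_PW"; then
    echo "offline copy OK: $EXPORTED (pubkey sha256 $(offline_copy_pubkey_fingerprint "$OFFLINE_PW"))"
fi
if verify_offline_copy 'Wrong-Passw0rd!!'; then
    echo "ERROR: wrong password accepted" >&2
fi
```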
"Password does not meet complexity requirements" — see Password Requirements. The error response lists exactly which rules failed.
"CA is offline" when trying to sign a CSR — expected. Restore the CA first.
Restore fails with "Invalid password or corrupted key" — wrong password, wrong file, or file was modified. There is no recovery path other than deleting the CA.
Offline badge missing after taking offline — refresh the page; the list view subscribes to `ucm:data-changed` and should update automatically. If not, check the browser console for errors.
- CA Management — general CA operations
- Security — encryption model and master key
- Audit Logs — tracking offline/restore events