Stay organized with collections
Save and categorize content based on your preferences.
Certificate authority states
This page describes the operational states that apply to certificate authorities (CAs).
Once created, a CA is in one of the following states throughout its lifecycle.
Enabled
Disabled
Staged
Awaiting user activation
Deleted
Subordinate CAs are created in the AWAITING_USER_ACTIVATION state, and they are set to the STAGED state after activation.
Root CAs are created in the STAGED state. A root CA can never be in the AWAITING_USER_ACTIVATION state.
We recommend that you create and test certificates while the CA is still in the STAGED state. Once you have verified that the CA certificate has been published to all clients and tested certificate issuance from the CA, you can enable the CA to start issuing load-balanced certificates for the CA pool. For information on enabling a CA, see Enable a CA.
A CA pool cannot issue certificates until it has at least one CA in the ENABLED state.
The following table illustrates the properties of a CA in each of the states.
CA state
Can issue certificates?
Included in CA pool certificate issuance rotation?
Included in CA pool Trust Anchor?
Can revoke certificates and publish CRLs?
Is billed?
Are resources accessible?
Can accept update requests?
Enabled
Yes
Yes
Yes
Yes
Yes
Yes
Yes
Disabled
No
No
Yes
Yes
Yes
Yes
No
Staged
Yes1
No
Yes
Yes
Yes
Yes
Yes
Awaiting user activation
No
No
No
No
No
Yes
No
Deleted
No
No
No
No
No
No
No
1CAs in the STAGED state cannot issue certificates through CA pool load-balancing. They can only issue certificates when requested directly by the clients.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-03-05 UTC."],[[["Certificate authorities (CAs) operate in five distinct states: Enabled, Disabled, Staged, Awaiting User Activation, and Deleted, each determining their operational capabilities."],["Subordinate CAs begin in the `AWAITING_USER_ACTIVATION` state and must be activated within 30 days, transitioning to `STAGED`, or they will be deleted; in contrast, Root CAs directly start in the `STAGED` state."],["While in the `STAGED` state, CAs can issue certificates when requested directly, but not through CA pool load-balancing, and it is the recommended phase for testing certificates."],["A CA pool requires at least one CA in the `ENABLED` state to issue certificates, and once enabled, a CA cannot return to the `STAGED` state."],["Only CAs in the `ENABLED`, `DISABLED`, or `STAGED` states can revoke certificates and publish CRLs; billing occurs for CAs in these states as well."]]],[]]
