CA Management

References > CA Management

Local CA

This product includes a function that acts as a Certification Authority (CA) to issue electronic certificates (Local CA function).
The following functions are available in the Local CA.

Viewing and Downloading CA Certificate Details
Checking CA Certificate Validity and Sending Expiration Notification Emails
Viewing and Downloading Server Certificate Details for the Certificate Distribution Site
View and Download the CRL (Certificate Revocation List)
Issuing Client Certificates
Issuing Server Certificates
Sending Client Certificate Distribution Emails

Create a Local CA on the CA Management page.

Note
Certificates issued by AT-RADgate are supported only in configurations where AT-RADgate is used as a RADIUS Server.

Certificate Validity Check and Notification

The following processes are executed between 00:00:00 and 00:04:59 of the AT-RADgate system time.

Checking CA Certificate Expiry Date
Revoke or Check Expiration of Issued Certificate
Update CRL
Deleting Expired Certificates

The CA certificate displays a warning message in the log 28 days, 21 days, 14 days, 7 days, and 1 day before the expiry date.
In addition, if the following conditions are met, a warning message is sent by email.

The SMTP Server is configured (on the Email Settings page).
An email address is registered to the account (the Account Management page).
The account has the permission for "Allow to configure system settings" (the Account Management page).

If the CA certificate is also expired, a message is displayed in the log, and an email notification is sent when the conditions are met.

Issued server certificates and Client Certificates display a warning message in the log every day starting 7 days before the expiration date. And if the conditions are met, an Email Notification is also sent.
However, if the same user has another valid certificate, no warning message or Email Notification is generated.

If issued Server Certificates or Client Certificates become expired, no warning message or Email Notification is generated.
Expired Certificates are automatically deleted after 30 days.

Deleting Local CA

If the Local CA is deleted, the following functions become unavailable.

Viewing and Downloading CA Certificate Details
Viewing and downloading the details of the Server Certificate for the Cert Distribution Site
View and Download the CRL (Certificate Revocation List)
Issuing Client Certificates
Issuing Server Certificates
Sending Client Certificate Distribution Emails
All Certificates located in the management area of the CA

Note
Even if the Local CA is deleted, Certificates that have already been distributed to client nodes and other devices remain valid until their Expiry Date. In addition, Certificates that are in use by each function of AT‑RADgate are not deleted automatically.

The Local CA is deleted on the About CA page.

CA Management (When No Local CA Is Registered)

CA Management > CA Management (When No Local CA Is Registered)

Since no Local CA is registered by default, the following page is displayed.
When you click the “Create” button, the Create Certificate Authority dialog opens.

Create Certificate Authority

CA Management (When No Local CA Is Registered) > Create Certificate Authority

You create the Local CA in the “Create Certificate Authority” dialog.

Table 1: Create Certificate Authority
Item / Button Name	Mandatory	Format	Description
Common Name (CN)	×	String (Max 64 characters)	The value of the certificate's Common Name field.
Country (C)	−	String (Max 2 characters)	The country code.
State or Province (ST)	−	String (Max 128 characters)	The state or province name.
Locality (L)	−	String (Max 128 characters)	The locality name.
Organization (O)	−	String (Max 64 characters)	The Organization name.
Email Address	−	Email Address	The Email Address that identifies the Certificate owner. Normally, the contact information of the administrator or applicant is specified.
Public Key Type	×	−	Select the encryption algorithm to use from “RSA-4096”, “ECC P-256”, or “ECC P-384”. The default is “ECC P-384”.
Signature Hash Algorithm	×	−	Select the hash function used for signature generation from “SHA-256” or “SHA‑384”. The default is “SHA‑384”.
Validity Days	×	Integer (10-99999)	The Expiry Date (in days). The default is “3650 (days)”.
Domain name or IP Address for certificate distribution site	−	String (Max 253 characters)	Specify the domain name or IP Address of the Cert Distribution Site. If not specified, the current AT‑RADgate Hostname is used.
Domain name or IP Address for OCSP responder	−	String (Max 253 characters)	Specify the domain name or IP Address of the OCSP responder.
"Cancel" button	−	−	Cancel the creation of the Local CA.
"Save" button	−	−	Create the Local CA.

Note
Using multibyte characters (e.g., Japanese or full-width characters) in field values is not supported.

Note
The OCSP responder provides certificate revocation information in real time. When you create a Certification Authority (Local CA) on AT-RADgate, AT-RADgate also operates as an OCSP responder. In this case, you do not need to configure its own domain name or IP Address for this setting.
However, in a replica configuration, if “Domain name or IP Address for OCSP responder” is not configured in the primary CA Certificate, certificate validity checking is not available on the primary. For improved security, configuring the OCSP responder URL in the primary CA Certificate is recommended when using a replica configuration.

CA Management (When a Local CA Is Registered)

CA Management > CA Management (When a Local CA Is Registered)

When the Local CA is registered, the CA Management page changes to the following display.

Certificate

CA Management > CA Management (When a Local CA Is Registered) > Certificate

On the “Certificate” tab, the Certificates issued by the Local CA are listed.

Table 2: Certificate
Item Name	Description
Status	The Certificate status is displayed with icons for Valid, Revoked, Disabled, and Expired. “Disabled” indicates that the Certificate is in a state before its effective date.
Common Name (CN)	The value of the certificate's Common Name field.
Effective Date	The certificate's effective date.
Expire Date	The expiration date of the certificate.

The functions of each button at the top right of the page are as follows:

Table 3: Button Functions
Button Name	Description
"About CA" button	Open the About CA page.
Manage Columns	Changes the visibility of each column in the table.
Reload	Reload the Certificate list.
"Revoke" button	Revokes the selected Certificate.

At the far right of each row in the list there is a menu button that allows you to manage the Certificate for that row.

Table 4: Functions of each menu
Button Name	Description
Detail	Displays the Certificate details (Certificate Detail dialog appears).
Download	Download the Certificate (PKCS#12 format).

Revoke Certificate

Server Certificates and Client Certificates issued by the CA can be revoked. Revocation is used when you want to invalidate a Certificate, such as in the case of private key compromise.
Revoked Certificates are listed in the CRL (Certificate Revocation List). Certificate revocation is performed using the "Revoke" button on the CA Management > Certificates page.
The CRL is automatically updated daily between 00:00:00 and 00:04:59.

OCSP responder

The OCSP responder provides real-time Certificate revocation information.
When creating a CA, you can specify the domain name or IP Address of the OCSP responder. If specified, the URL is set in the AIA extension of the CA Certificate. If not specified, it is not set in the AIA extension.
During EAP-TLS Authentication, if the AIA extension contains an OCSP responder URL, the responder is queried to verify the validity of the Certificate. If no URL is present, the local OCSP is used when a local CA exists. If neither is available, the Certificate validity check is not performed.

Note
If the “Domain name or IP Address for OCSP responder” is not set in the primary CA Certificate, the replica cannot perform Certificate validity checks. For improved security, configuring the OCSP responder URL in the primary CA Certificate is recommended when using a replica configuration.

Certificate Detail

This dialog displays the Certificate details. Clicking the “Close” button closes the dialog.

Certificate profile

CA Management > CA Management (When a Local CA Is Registered) > Certificate profile

On the Certificate profile tab, you can edit the templates for Certificate issuance.
There are two types: “server” for Server Certificates and “client” for Client Certificates, and you cannot add or delete them. In addition, even if you edit the Certificate Profile, Certificates that have already been issued are not affected.

Table 5: Certificate profile
Item Name	Description
Name	Certificate profile name. “server” is the profile for Server Certificates, and “client” is the profile for Client Certificates.
Validity Days	The Expiry Date (in days).
Public Key Type	This is the cryptographic algorithm to be used.
Signature Hash Algorithm	This is the hash function used for signature generation.

The functions of each button at the top right of the page are as follows:

Table 6: Button Functions
Button Name	Description
"About CA" button	Open the About CA page.
Manage Columns	Changes the visibility of each column in the table.
Reload	Reload the Certificate Profile list.

At the far right of each row in the list there is a menu button that allows you to manage the Certificate profile for that row.

Table 7: Function of the menu
Button Name	Description
"Edit" button	Display the Edit Certificate Profile dialog for editing a Certificate profile.

Edit certificate profile

You can modify the settings of the Certificate profile.

Table 5: Edit certificate profile
Item / Button Name	Mandatory	Format	Description
Name	−	−	Certificate profile name. It is set to either “server” or “client”, and cannot be changed.
Country (C)	−	String (Max 2 characters)	The country code.
State or Province (ST)	−	String (Max 128 characters)	The state or province name.
Locality (L)	−	String (Max 128 characters)	The locality name.
Organization (O)	−	String (Max 64 characters)	The Organization name.
Email Address	−	Email Address	The Email Address that identifies the Certificate owner. Normally, the contact information of the administrator or applicant is specified.
Public Key Type	×	−	Select the encryption algorithm to use from “RSA-4096”, “ECC P-256”, or “ECC P-384”. The default is “ECC P-384”.
Signature Hash Algorithm	×	−	Select the hash function used for signature generation from “SHA-256” or “SHA‑384”. The default is “SHA‑384”.
Validity Days	×	Integer (10-99999)	The Expiry Date (in days). The default is “3650 (days)”.
"Cancel" button	−	−	Cancel the changes to the Certificate profile.
"Save" button	−	−	Save the changes to the Certificate profile.

Note
Using multibyte characters (e.g., Japanese or full-width characters) in field values is not supported.

User Cert Issue Tool

CA Management > CA Management (When a Local CA Is Registered) > User Cert Issue Tool

On the “User Cert Issue Tool” tab, the list of Users created in Policy Management > User is displayed, and you can issue a Client Certificate to a User.

About Issuing Client Certificates
- The “Common Name (CN)” of the Certificate uses the Login Name from the User policy.
- If an Email Address is configured in User policy, it is reflected in the emailAddress field of the Certificate.
About Sending Notification Emails
- Notification Emails are sent to the Email Address registered in the User policy (they are not sent to the Email Address in the Certificate profile).
- If there is no valid SMTP Server configuration, Email sending fails.
- If no Certificate is issued to the User, Email sending is skipped.
- If no Email Address is configured in the User policy, Email sending is skipped.
- To prevent being flagged as spam during mass sending, the system inserts a 1‑second interval between each Email.

Table 5: User Cert Issue Tool
Item / Button Name	Description
"About CA" button	Open the About CA page.
"Issue" button	When you select the checkbox to the left of Login Name, it becomes enabled, and clicking it displays the Issue Certificate dialog for issuing a Client Certificate.
"Distribute" button	When the checkbox to the left of “Login Name” is selected, it becomes enabled, and clicking it sends an Email that notifies the URL of the Cert Distribution Site.
Login Name	This is the Login Name of the User policy.
Full Name	This is the Full Name of the User policy.
Email Address	This is the Email Address of the User policy.
Note	This is the Note of the User policy.

There is a menu button on the right end of each row in the list, and clicking it displays the Issue menu.

Table 10: Function of the menu
Button Name	Description
Issue	The Issue Certificate dialog for issuing a Client Certificate appears.

Issue Certificate

Issue a Client Certificate in the Issue Certificate dialog.

Table 11: Issue Certificate
Item / Button Name	Mandatory	Format	Description
Certificate password	−	−	Set the Certificate Password. Select from Not set, Use user password, or Configure password. If Use user password is selected, the user password created on the Policy Management > User page is used.
Password	×	Max 63 characters	Displayed when Configure password is selected. Set the Certificate Password.
"Cancel" button	−	−	Cancel issuing a Client Certificate.
"Issue" button	−	−	Issue a Client Certificate.

Note
If multiple entries are selected and “Set password” is specified when issuing Client Certificates, the same password is used for the Client Certificates issued for all selected entries.

Emails Sent

The format of the Email to be sent is as follows.
◼ Subject

AT-RADgate certificate download page

◼ Body

You can access the certificate download page of AT‑RADgate from the link below.
　
https://(AT-RADgate's IP Address):9000

Clicking the link displays the AT-RADgate Download Certificate page.

AT-RADgate Download Certificate

This is the page displayed when you click the URL of the Cert Distribution Site. You can download the CA Certificate and more.

Table 12: AT-RADgate Download Certificate
Item / Button Name	Description
"Login" button	You can check the contents of the Client Certificate. When you click it, the Login page is displayed, and you enter the Login Name and password registered in the User policy (not the Login Account). If the login is successful, it switches to the After Login page.
CA Certificate
"Download" button	Download the Certificate (PEM format).
Certificate Revocation List (CRL)
"Download" button	Download the Certificate Revocation List (CRL).
Client Certificate
"Login" button	You can check the contents of the Client Certificate. When you click it, the Login page is displayed, and you enter the Login Name and password registered in the User policy (not the Login Account). If the login is successful, it switches to the After Login page.

AT-RADgate Download Certificate (After Login)

When the login is successful, the list of Client Certificates appears.

Table 13: AT-RADgate Download Certificate (After Login)
Item / Button Name	Description
User Name (in the above example page, “user1”)	Clicking this displays the "Logout" submenu. Click the “Logout” submenu to return to the page before Login.
CA Certificate
"Download" button	Download the Certificate (PEM format).
Certificate Revocation List (CRL)
"Download" button	Download the Certificate Revocation List (CRL).
Client Certificate
"Reload" button	Update the certificate status to the latest information.
Status	The Certificate status is displayed with icons for Valid, Revoked, Disabled, and Expired. “Disabled” indicates that the Certificate is in a state before its effective date.
Common Name (CN)	The value of the certificate's Common Name field.
Effective Date	The certificate's effective date.
Expire Date	The expiration date of the certificate.
Menu button	At the far right of each row in the list there is a menu button that allows you to manage the Certificate for that row. Detail: Display the detailed information of the Certificate. Download: Download the Certificate (PKCS#12 format).

About CA

CA Management > CA Management (When a Local CA Is Registered) > About CA

You can display or delete the contents of the CA Certificate.

Table 14: About CA
Item / Button Name	Description
"CA Management" button	The CA Management (When a Local CA Is Registered) page appears again.
CA Certificate
Role	The service name for which the certificate is used.
Common Name (CN)	The value of the certificate's Common Name field.
Effective Date	The certificate's effective date.
Expire Date	The expiration date of the certificate.
"Detail" button	Display the Certificate details.
"Download" button	Download the Certificate (PEM format).
Certificate Revocation List (CRL)
"Download" button	Download the Certificate Revocation List (CRL).
Delete Certificate Authority
"Delete" button	Local CA is deleted. When you click it, a confirmation dialog appears. If you want to delete the Local CA, click the "OK" button.

C613-04220-00 Rev A

02 Apr 2026 08:03