CA Management

References > CA Management

Local CA

This product includes a function that acts as a Certification Authority (CA) to issue electronic certificates (Local CA function).
The following functions are available in the Local CA.

Viewing and Downloading CA Certificate Details
Checking CA Certificate Validity and Sending Expiration Notification Emails
Viewing and Downloading Server Certificate Details for the Certificate Distribution Site
Issuing Client Certificates
Issuing Server Certificates
Sending Client Certificate Distribution Emails

Create a Local CA on the CA Management page.

Note
Certificates issued by AT-RADgate are supported only in configurations where AT-RADgate is used as a RADIUS Server.

Certificate Validity Check and Notification

The following processes are executed between 00:00:00 and 00:05:59 of the AT-RADgate system time.

Checking CA Certificate Expiry Date
Checking Expiry Date of Issued Certificates
Deleting Expired Certificates

The CA certificate displays a warning message in the log 28 days, 21 days, 14 days, 7 days, and 1 day before the expiry date.
In addition, if the following conditions are met, a warning message is sent by email.

The SMTP Server is configured (on the Email Settings page).
An email address is registered to the account (the Account Management page).
The account has the permission for "Allow to configure system settings" (the Account Management page).

If the CA certificate is also expired, a message is displayed in the log, and an email notification is sent when the conditions are met.

Issued server certificates and Client Certificates display a warning message in the log every day starting 7 days before the expiration date. And if the conditions are met, an Email Notification is also sent.
However, if the same user has another valid certificate, no warning message or Email Notification is generated.

If issued Server Certificates or Client Certificates become expired, no warning message or Email Notification is generated.
Expired Certificates are automatically deleted after 30 days.

Deleting Local CA

If the Local CA is deleted, the following functions become unavailable.

Viewing and Downloading CA Certificate Details
Viewing and downloading the details of the Server Certificate for the Cert Distribution Site
Issuing Client Certificates
Issuing Server Certificates
Sending Client Certificate Distribution Emails
All Certificates located in the management area of the CA

Note
Even if the Local CA is deleted, Certificates that have already been distributed to client nodes and other devices remain valid until their Expiry Date. In addition, Certificates that are in use by each function of AT‑RADgate are not deleted automatically.

The Local CA is deleted on the About CA page.

CA Management (When No Local CA Is Registered)

CA Management > CA Management (When No Local CA Is Registered)

Since no Local CA is registered by default, the following page is displayed.
When you click the “Create” button, the Create Certificate Authority dialog opens.

Create Certificate Authority

CA Management (When No Local CA Is Registered) > Create Certificate Authority

You create the Local CA in the “Create Certificate Authority” dialog.

Table 1: Create Certificate Authority
Item / Button Name	Mandatory	Format	Description
Common Name(CN)	×	String (Max 64 characters)	The value of the certificate's Common Name field.
Country (C)	−	String (Max 2 characters)	The country code.
State or Province (ST)	−	String (Max 128 characters)	The state or province name.
Locality (L)	−	String (Max 128 characters)	The locality name.
Organization(O)	−	String (Max 64 characters)	The Organization name.
Email Address	−	Email Address	The Email Address that identifies the Certificate owner. Normally, the contact information of the administrator or applicant is specified.
Public Key Type	×	−	Select the encryption algorithm to use from “RSA-4096”, “ECC P-256”, or “ECC P-384”. The default is “ECC P-384”.
Signature Hash Algorithm	×	−	Select the hash function used for signature generation from “SHA-256” or “SHA‑384”. The default is “SHA‑384”.
Validity Days	×	Integer (10-99999)	The Expiry Date (in days). The default is “3650 (days)”.
Domain name for certificate distribution site	−	String (Max 253 characters)	Domain name for certificate distribution site If not specified, the current AT‑RADgate Hostname is used.
"Cancel" button	−	−	Cancel the creation of the Local CA.
"Save" button	−	−	Create the Local CA.

Note
Using multibyte characters (e.g., Japanese or full-width characters) in field values is not supported.

CA Management (When a Local CA Is Registered)

CA Management > CA Management (When a Local CA Is Registered)

When the Local CA is registered, the CA Management page changes to the following display.

Certificate

CA Management > CA Management (When a Local CA Is Registered) > Certificate

On the “Certificate” tab, the Certificates issued by the Local CA are listed.

Table 2: Certificate
Item Name	Description
Status	Display the Certificate status using the icons for “Valid”, “Disabled”, and “Expired”. “Disabled” indicates that the Certificate is in a state before its effective date.
Common Name(CN)	The value of the certificate's Common Name field.
Effective Date	The certificate's effective date.
Expiry Date	The expiration date of the certificate.

The functions of each button at the top right of the page are as follows:

Table 3: Button Functions
Button Name	Description
"About CA" button	Open the About CA page.
Manage Columns	Changes the visibility of each column in the table.
Reload	Reload the Certificate list.
"Revoke" button	Note It is not supported in this version.

At the far right of each row in the list there is a menu button that allows you to manage the Certificate for that row.

Table 4: Functions of each menu
Button Name	Description
Detail	Display the Certificate details.
Download	Download the Certificate (PKCS#12 format).

Certificate profile

CA Management > CA Management (When a Local CA Is Registered) > Certificate profile

On the Certificate profile tab, you can edit the templates for Certificate issuance.
There are two types: “server” for Server Certificates and “client” for Client Certificates, and you cannot add or delete them. In addition, even if you edit the Certificate Profile, Certificates that have already been issued are not affected.

Table 5: Certificate profile
Item Name	Description
Name	Certificate profile name. “server” is the profile for Server Certificates, and “client” is the profile for Client Certificates.
Validity Days	The Expiry Date (in days).
Public Key Type	This is the cryptographic algorithm to be used.
Signature Hash Algorithm	This is the hash function used for signature generation.

The functions of each button at the top right of the page are as follows:

Table 6: Button Functions
Button Name	Description
"About CA" button	Open the About CA page.
Manage Columns	Changes the visibility of each column in the table.
Reload	Reload the Certificate Profile list.

At the far right of each row in the list there is a menu button that allows you to manage the Certificate profile for that row.

Table 7: Function of the menu
Button Name	Description
"Edit" button	Display the “Edit Certificate Profile” dialog for editing a Certificate profile.

Edit certificate profile

You can modify the settings of the Certificate profile.

Table 5: Edit certificate profile
Item / Button Name	Mandatory	Format	Description
Name	−	−	Certificate profile name. It is set to either “server” or “client”, and cannot be changed.
Country (C)	−	String (Max 2 characters)	The country code.
State or Province (ST)	−	String (Max 128 characters)	The state or province name.
Locality (L)	−	String (Max 128 characters)	The locality name.
Organization(O)	−	String (Max 64 characters)	The Organization name.
Email Address	−	Email Address	The Email Address that identifies the Certificate owner. Normally, the contact information of the administrator or applicant is specified.
Public Key Type	×	−	Select the encryption algorithm to use from “RSA-4096”, “ECC P-256”, or “ECC P-384”. The default is “ECC P-384”.
Signature Hash Algorithm	×	−	Select the hash function used for signature generation from “SHA-256” or “SHA‑384”. The default is “SHA‑384”.
Validity Days	×	Integer (10-99999)	The Expiry Date (in days). The default is “3650 (days)”.
"Cancel" button	−	−	Cancel the changes to the Certificate profile.
"Save" button	−	−	Save the changes to the Certificate profile.

Note
Using multibyte characters (e.g., Japanese or full-width characters) in field values is not supported.

User Cert Issue Tool

CA Management > CA Management (When a Local CA Is Registered) > User Cert Issue Tool

On the “User Cert Issue Tool” tab, the list of Users created in Policy Management > User is displayed, and you can issue a Client Certificate to a User.

Issuing Client Certificates
- The “Common Name (CN)” of the Certificate uses the Login Name from the User policy.
- If an Email Address is configured in User policy, it is reflected in the emailAddress field of the Certificate.
About Sending Notification Emails
- Notification Emails are sent to the Email Address registered in the User policy (they are not sent to the Email Address in the Certificate profile).
- If there is no valid SMTP Server configuration, Email sending fails.
- If no Certificate is issued to the User, Email sending is skipped.
- If no Email Address is configured in the User policy, Email sending is skipped.
- To prevent being flagged as spam during mass sending, the system inserts a 1‑second interval between each Email.

Table 5: User Cert Issue Tool
Item / Button Name	Description
"About CA" button	Open the About CA page.
"Issue" button	When the checkbox to the left of “Login Name” is selected, it becomes enabled, and clicking it issues a Client Certificate.
"Distribute" button	When the checkbox to the left of “Login Name” is selected, it becomes enabled, and clicking it sends an Email that notifies the URL of the Cert Distribution Site.
Login Name	This is the Login Name of the User policy.
Full Name	This is the Full Name of the User policy.
Email Address	This is the Email Address of the User policy.
Note	This is the Note of the User policy.

There is a menu button on the right end of each row in the list, and clicking it displays the Issue menu.

Table 10: Function of the menu
Button Name	Description
Issue	Issue a Client Certificate.

Emails Sent

The format of the Email to be sent is as follows.
◼ Subject

AT-RADgate certificate download page

◼ Body

You can access the certificate download page of AT‑RADgate from the link below.
　
https://(AT-RADgate's IP Address):9000

Clicking the link displays the AT-RADgate Download Certificate page.

AT-RADgate Download Certificate

This is the page displayed when you click the URL of the Cert Distribution Site. You can download the CA Certificate and more.

Table 11: AT-RADgate Download Certificate
Item / Button Name	Description
"Login" button	You can check the contents of the Client Certificate. When you click it, the login page is displayed, and you enter the Login Name and password registered in the User policy (not the Login Account). If the login is successful, it switches to the After Login page.
CA Certificate
"Download" button	Download the Certificate (PEM format).
Certificate Revocation List (CRL)
"Download" button	Note It is not supported in this version.
Client Certificate
"Login" button	You can check the contents of the Client Certificate. When you click it, the login page is displayed, and you enter the Login Name and password registered in the User policy (not the Login Account). If the login is successful, it switches to the After Login page.

AT-RADgate Download Certificate (After Login)

When the login is successful, the list of Client Certificates appears.

After LoginTable 11: AT-RADgate Download Certificate (After Login)
Item / Button Name	Description
User Name (in the above example page, “user1”)	Clicking this displays the "Logout" submenu. Click the “Logout” submenu to return to the page before Login.
CA Certificate
"Download" button	Download the Certificate (PEM format).
Certificate Revocation List (CRL)
"Download" button	Note It is not supported in this version.
Client Certificate
"Reload" button	Update the certificate status to the latest information.
Status	Display the Certificate status using the icons for “Valid”, “Disabled”, and “Expired”. “Disabled” indicates that the Certificate is in a state before its effective date.
Common Name(CN)	The value of the certificate's Common Name field.
Effective Date	The certificate's effective date.
Expiry Date	The expiration date of the certificate.
Menu button	At the far right of each row in the list there is a menu button that allows you to manage the Certificate for that row. Detail: Display the detailed information of the Certificate. Download: Download the Certificate (PKCS#12 format).

About CA

CA Management > CA Management (When a Local CA Is Registered) > About CA

You can display or delete the contents of the CA Certificate.

Table 13: About CA
Item / Button Name	Description
"CA Management" button	The CA Management (When a Local CA Is Registered) page appears again.
CA Certificate
Roles	The service name for which the certificate is used.
Common Name(CN)	The value of the certificate's Common Name field.
Effective Date	The certificate's effective date.
Expiry Date	The expiration date of the certificate.
"Detail" button	Display the Certificate details.
"Download" button	Download the Certificate (PEM format).
Certificate Revocation List (CRL)
"Download" button	Note It is not supported in this version.
Delete Certificate Authority
"Delete" button	Local CA is deleted. When you click it, a confirmation dialog appears. If you want to delete the Local CA, click the "OK" button.

C613-04219-00 Rev A

29 Jan 2026 17:20