{!isLast &&

}

{label}

{time &&

{time}

}

); } function DeploymentTimeline({ certId, certStatus, createdAt, issuedAt }: { certId: string; certStatus: string; createdAt: string; issuedAt?: string }) { const { data: jobsData } = useQuery({ queryKey: ['jobs', { certificate_id: certId }], queryFn: () => getJobs({ certificate_id: certId }), }); const jobs = jobsData?.data || []; const issuanceJobs = jobs.filter((j: Job) => j.type === 'Issuance' || j.type === 'Renewal'); const deployJobs = jobs.filter((j: Job) => j.type === 'Deployment'); const latestIssuance = issuanceJobs[0]; const latestDeploy = deployJobs[0]; // Determine step statuses const getRequestedStatus = () => 'completed' as const; const getRequestedTime = () => formatDateTime(createdAt); const getIssuedStatus = () => { if (issuedAt) return 'completed' as const; if (latestIssuance?.status === 'Running' || latestIssuance?.status === 'AwaitingCSR' || latestIssuance?.status === 'AwaitingApproval') return 'active' as const; if (latestIssuance?.status === 'Failed') return 'failed' as const; return 'pending' as const; }; const getIssuedTime = () => { if (issuedAt) return formatDateTime(issuedAt); if (latestIssuance) return `${latestIssuance.status} — ${timeAgo(latestIssuance.created_at)}`; return undefined; }; const getDeployStatus = () => { if (!issuedAt) return 'pending' as const; if (latestDeploy?.status === 'Completed') return 'completed' as const; if (latestDeploy?.status === 'Running') return 'active' as const; if (latestDeploy?.status === 'Failed') return 'failed' as const; if (latestDeploy?.status === 'Pending') return 'active' as const; return 'pending' as const; }; const getDeployTime = () => { if (latestDeploy?.status === 'Completed') return formatDateTime(latestDeploy.completed_at); if (latestDeploy) return `${latestDeploy.status} — ${timeAgo(latestDeploy.created_at)}`; return undefined; }; // Verification step (M25: post-deployment TLS verification) const getVerifiedStatus = () => { if (!latestDeploy || latestDeploy.status !== 'Completed') return 'pending' as const; if (latestDeploy.verification_status === 'success') return 'completed' as const; if (latestDeploy.verification_status === 'failed') return 'failed' as const; if (latestDeploy.verification_status === 'skipped') return 'completed' as const; if (latestDeploy.verification_status === 'pending') return 'active' as const; return 'pending' as const; }; const getVerifiedTime = () => { if (!latestDeploy || latestDeploy.status !== 'Completed') return undefined; if (latestDeploy.verification_status === 'success' && latestDeploy.verified_at) { return `Verified ${formatDateTime(latestDeploy.verified_at)}`; } if (latestDeploy.verification_status === 'failed') { return latestDeploy.verification_error || 'Verification failed'; } if (latestDeploy.verification_status === 'skipped') return 'Skipped (best-effort)'; if (latestDeploy.verification_status === 'pending') return 'Awaiting verification'; return undefined; }; const getActiveStatus = () => { if (certStatus === 'Active') return 'completed' as const; if (certStatus === 'Revoked') return 'failed' as const; if (certStatus === 'Expired') return 'failed' as const; if (latestDeploy?.status === 'Completed') return 'completed' as const; return 'pending' as const; }; const getActiveTime = () => { if (certStatus === 'Revoked') return 'Revoked'; if (certStatus === 'Expired') return 'Expired'; if (certStatus === 'Active') return 'Currently active'; return undefined; }; // Only show verification step if deployment has completed and verification data exists const showVerificationStep = latestDeploy?.status === 'Completed' && latestDeploy?.verification_status; return (

Lifecycle Timeline

{showVerificationStep && ( )}

); } // CRL/OCSP-Responder Phase 5: Revocation Endpoints panel. // // Surfaces the standards-compliant revocation URLs (CRL distribution point // per RFC 5280 §4.2.1.13, OCSP responder per RFC 6960 §A.1) for relying // parties that don't already know certctl's well-known scheme. Both endpoints // live under /.well-known/pki/ and run unauthenticated — relying-party clients // should never need a Bearer key to check revocation status. // // The "Test CRL fetch" / "Check OCSP status" buttons exercise the same // network path the CRL/OCSP responders advertise via the AIA + CDP // extensions on issued leaves, so an operator confirming "did Phase 4 // actually wire end-to-end?" can do it without curl. Failures bubble up // as inline error text rather than throwing a global error boundary. // // The cache-age badge is admin-only (gated client-side AND server-side; the // server returns 403 for non-admin even if the GUI bug-clicks the fetch). // Stale rows render in amber per the IsStale flag (next_update < now). Rows // missing entirely (issuer never had a CRL pre-generated) render the neutral // "Not yet generated" pill. function RevocationEndpointsCard({ issuerId, serialNumber }: { issuerId: string; serialNumber?: string }) { const { admin } = useAuth(); const [crlState, setCrlState] = useState<{ status: 'idle' | 'loading' | 'ok' | 'err'; msg?: string }>({ status: 'idle' }); const [ocspState, setOcspState] = useState<{ status: 'idle' | 'loading' | 'ok' | 'err'; msg?: string }>({ status: 'idle' }); // Build the absolute URLs from window.location so operators can copy-paste // them straight into curl / openssl. Using window.location keeps the URLs // honest under reverse-proxy deployments where the perceived host differs // from what the dev sees in their browser bar — the location object is the // ground truth for "what URL does the relying party hit?". const origin = typeof window !== 'undefined' ? window.location.origin : ''; const crlURL = `${origin}/.well-known/pki/crl/${issuerId}`; // OCSP per RFC 6960 §A.1.1 supports both POST (preferred for CSR-style // requests) and the GET form with base64-url(DER) in the path. The GUI's // "Check OCSP status" button uses the simpler /{issuer}/{serial_hex} // helper certctl exposes alongside the standards endpoint — that's what // getOCSPStatus() in client.ts hits. const ocspURL = `${origin}/.well-known/pki/ocsp/${issuerId}`; // Admin-only: pull the cache row for this issuer so we can show // "generated 2m ago / next update 58m" with a stale-warning chip. const { data: cacheData } = useQuery({ queryKey: ['admin-crl-cache'], queryFn: () => getAdminCRLCache(), enabled: admin, // Refresh a touch faster than the default scheduler interval (1h) so // the badge feels live during ops investigation. Falls back gracefully // if the user navigates away before the next tick. refetchInterval: 60_000, retry: false, }); const issuerRow: CRLCacheRow | undefined = cacheData?.cache_rows?.find(r => r.issuer_id === issuerId); const handleTestCRL = async () => { setCrlState({ status: 'loading' }); try { const r = await fetchCRL(issuerId); setCrlState({ status: 'ok', msg: `OK — ${r.byteLength.toLocaleString()} bytes (${r.contentType || 'no content-type'})` }); } catch (e) { setCrlState({ status: 'err', msg: e instanceof Error ? e.message : 'Fetch failed' }); } }; const handleCheckOCSP = async () => { if (!serialNumber) { setOcspState({ status: 'err', msg: 'Serial number unavailable — cert has not been issued yet.' }); return; } setOcspState({ status: 'loading' }); try { const buf = await getOCSPStatus(issuerId, serialNumber); setOcspState({ status: 'ok', msg: `OCSP response received — ${buf.byteLength.toLocaleString()} bytes (DER)` }); } catch (e) { setOcspState({ status: 'err', msg: e instanceof Error ? e.message : 'OCSP request failed' }); } }; return (

Revocation Endpoints

{admin && ( issuerRow ? ( issuerRow.cache_present ? ( {issuerRow.is_stale ? 'Cache stale' : 'Cache fresh'} {issuerRow.generated_at ? ` · ${timeAgo(issuerRow.generated_at)}` : ''} ) : ( Not yet generated ) ) : null )}

CRL Distribution Point (RFC 5280 §4.2.1.13)

{crlURL}

{crlState.status === 'ok' && (

{crlState.msg}

)} {crlState.status === 'err' && (

{crlState.msg}

)}

OCSP Responder (RFC 6960 §A.1)

{ocspURL}

{ocspState.status === 'ok' && (

{ocspState.msg}

)} {ocspState.status === 'err' && (

{ocspState.msg}

)} {!serialNumber && ocspState.status === 'idle' && (

Serial number unavailable — issue the cert first.

)}

Both endpoints run unauthenticated under /.well-known/pki/ per RFC 8615 so relying parties can validate revocation without API keys. The CRL is pre-generated by the scheduler (configurable via CERTCTL_CRL_GENERATION_INTERVAL); OCSP is signed by the per-issuer responder cert (RFC 6960 §2.6).

); } function InlinePolicyEditor({ certId, currentPolicyId, currentProfileId }: { certId: string; currentPolicyId: string; currentProfileId: string }) { const [editing, setEditing] = useState(false); const [policyId, setPolicyId] = useState(currentPolicyId); const [profileId, setProfileId] = useState(currentProfileId); // G-1: swap from getPolicies (compliance rules, pol-*) to getRenewalPolicies // (lifecycle policies, rp-*). managed_certificates.renewal_policy_id FK // points at renewal_policies(id); the previous getPolicies call populated // the dropdown with pol-* IDs that would 400/23503 at the server. See also // OnboardingWizard.tsx:603 and CertificatesPage.tsx:53 for the sibling fixes. const { data: policies } = useQuery({ queryKey: ['renewal-policies'], queryFn: () => getRenewalPolicies(1, 500), enabled: editing, }); const { data: profiles } = useQuery({ queryKey: ['profiles'], queryFn: () => getProfiles(), enabled: editing, }); const saveMutation = useTrackedMutation({ mutationFn: () => updateCertificate(certId, { renewal_policy_id: policyId, certificate_profile_id: profileId, }), invalidates: [['certificate', certId]], onSuccess: () => { setEditing(false); }, }); if (!editing) { return (

Policy & Profile

); } return (

Edit Policy & Profile

{saveMutation.isError && (

{saveMutation.error instanceof Error ? saveMutation.error.message : 'Failed to save'}

)}

Renewal Policy

Certificate Profile

); } export default function CertificateDetailPage() { const { id } = useParams<{ id: string }>(); const navigate = useNavigate(); const [showDeploy, setShowDeploy] = useState(false); const [deployTargetId, setDeployTargetId] = useState(''); const [showRevoke, setShowRevoke] = useState(false); const [revokeReason, setRevokeReason] = useState('unspecified'); const [showExport, setShowExport] = useState(false); const [pkcs12Password, setPkcs12Password] = useState(''); const [exporting, setExporting] = useState(false); const { data: cert, isLoading, error, refetch } = useQuery({ queryKey: ['certificate', id], queryFn: () => getCertificate(id!), enabled: !!id, }); const { data: versions } = useQuery({ queryKey: ['certificate-versions', id], queryFn: () => getCertificateVersions(id!), enabled: !!id, }); const { data: targets } = useQuery({ queryKey: ['targets'], queryFn: () => getTargets(), enabled: showDeploy, }); // Fetch profile for EKU display (S/MIME, code signing badges) const { data: profile } = useQuery({ queryKey: ['profile', cert?.certificate_profile_id], queryFn: () => getProfile(cert!.certificate_profile_id), enabled: !!cert?.certificate_profile_id, }); const renewMutation = useTrackedMutation({ mutationFn: () => triggerRenewal(id!), invalidates: [['certificate', id], ['certificates']], }); const deployMutation = useTrackedMutation({ mutationFn: () => triggerDeployment(id!, deployTargetId), invalidates: [['certificate', id]], onSuccess: () => { setShowDeploy(false); setDeployTargetId(''); }, }); const archiveMutation = useTrackedMutation({ mutationFn: () => archiveCertificate(id!), invalidates: [['certificates']], onSuccess: () => { navigate('/certificates'); }, }); const revokeMutation = useTrackedMutation({ mutationFn: () => revokeCertificate(id!, revokeReason), invalidates: [['certificate', id], ['certificates']], onSuccess: () => { setShowRevoke(false); setRevokeReason('unspecified'); }, }); const handleExportPEM = async () => { setExporting(true); try { const blob = await downloadCertificatePEM(id!); const url = URL.createObjectURL(blob); const a = document.createElement('a'); a.href = url; a.download = `${cert?.common_name || id}.pem`; a.click(); URL.revokeObjectURL(url); } catch (err) { alert(`Export failed: ${err instanceof Error ? err.message : err}`); } finally { setExporting(false); } }; const handleExportPKCS12 = async () => { setExporting(true); try { const blob = await exportCertificatePKCS12(id!, pkcs12Password); const url = URL.createObjectURL(blob); const a = document.createElement('a'); a.href = url; a.download = `${cert?.common_name || id}.p12`; a.click(); URL.revokeObjectURL(url); setShowExport(false); setPkcs12Password(''); } catch (err) { alert(`Export failed: ${err instanceof Error ? err.message : err}`); } finally { setExporting(false); } }; if (isLoading) { return ( <>

); } if (error || !cert) { return ( <> refetch()} /> ); } // Derive certificate metadata from latest version. Per-issuance fields // (serial_number, fingerprint_sha256, key_algorithm, key_size, issued_at) // live on `CertificateVersion`, NOT on `ManagedCertificate` — the Go // domain has always been this way; the TS interface used to lie about // it via optional `cert.X?` declarations that always returned undefined // on list responses (D-5 / cat-f-ae0d06b6588f). Post-D-5 the TS type // makes the missing-data case explicit, and every read goes through // `latestVersion?.field` here. const latestVersion = versions?.data?.[0]; const serialNumber = latestVersion?.serial_number; const fingerprintSha256 = latestVersion?.fingerprint_sha256; const issuedAt = latestVersion?.not_before; const keyAlgorithm = latestVersion?.key_algorithm; const keySize = latestVersion?.key_size; const days = daysUntil(cert.expires_at); const isRevoked = cert.status === 'Revoked'; const isArchived = cert.status === 'Archived'; const canRevoke = !isRevoked && !isArchived; return ( <> {canRevoke && ( )} {!isArchived && ( )}

} />

{renewMutation.isSuccess && (

Renewal triggered successfully. A renewal job has been created.

)} {renewMutation.isError && (

Failed to trigger renewal: {renewMutation.error instanceof Error ? renewMutation.error.message : 'Unknown error'}

)} {deployMutation.isSuccess && (

Deployment triggered. A deployment job has been created.

)} {deployMutation.isError && (

Failed to deploy: {deployMutation.error instanceof Error ? deployMutation.error.message : 'Unknown error'}

)} {archiveMutation.isError && (

Failed to archive: {archiveMutation.error instanceof Error ? archiveMutation.error.message : 'Unknown error'}

)} {revokeMutation.isSuccess && (

Certificate revoked successfully. It has been added to the CRL.

)} {revokeMutation.isError && (

Failed to revoke: {revokeMutation.error instanceof Error ? revokeMutation.error.message : 'Unknown error'}

)} {/* Revocation Banner */} {isRevoked && (

Certificate Revoked

Reason: {REVOCATION_REASONS.find(r => r.value === cert.revocation_reason)?.label || cert.revocation_reason || 'Unspecified'} {cert.revoked_at && <> · Revoked {formatDateTime(cert.revoked_at)}}

)} {/* Deployment Status Timeline */}

{/* Certificate Info */}

Certificate Details

} /> {cert.sans.map((san, i) => { const isEmail = san.includes('@'); return ( {i > 0 && ', '} {isEmail ? ( email {san} ) : san} ); })} ) : '—'} /> {fingerprintSha256.slice(0, 24)}... : '—' } /> {/* D-4 (cat-f-cert_detail_page_key_render_fallback): mirror the latestVersion fallback used for serialNumber / fingerprintSha256 above. Pre-D-4 these rows accessed `cert.key_algorithm` / `cert.key_size` directly — both phantom Certificate fields per D-5 (cat-f-ae0d06b6588f), so the rows always rendered '—'. */} {profile?.allowed_ekus && profile.allowed_ekus.length > 0 && ( {profile.allowed_ekus.map(eku => { const ekuStyles: Record = { serverAuth: 'bg-blue-50 text-blue-700', clientAuth: 'bg-green-50 text-green-700', emailProtection: 'bg-purple-50 text-purple-700', codeSigning: 'bg-amber-50 text-amber-700', timeStamping: 'bg-teal-50 text-teal-700', }; const ekuLabels: Record = { serverAuth: 'TLS Server', clientAuth: 'TLS Client', emailProtection: 'S/MIME', codeSigning: 'Code Signing', timeStamping: 'Timestamping', }; return ( {ekuLabels[eku] || eku} ); })}

} /> )}

{/* Lifecycle */}

Lifecycle

{formatDate(cert.expires_at)} ({days <= 0 ? 'expired' : `${days} days`}) } /> {isRevoked && ( <> {cert.revoked_at ? formatDateTime(cert.revoked_at) : '—'} } /> {REVOCATION_REASONS.find(r => r.value === cert.revocation_reason)?.label || cert.revocation_reason || '—'} } /> )}

{/* Inline Policy Editor */} {/* Revocation Endpoints (CRL + OCSP) — Phase 5 */} {/* Tags */} {cert.tags && Object.keys(cert.tags).length > 0 && (

Version History {versions?.data?.length ? `(${versions.data.length})` : ''}

{!versions?.data?.length ? (

No versions yet

) : (

{versions.data.map((v, idx) => (

Version {versions.data.length - idx} {idx === 0 && Current}

{v.serial_number}

{formatDate(v.not_before)} — {formatDate(v.not_after)}

{formatDateTime(v.created_at)}

{idx > 0 && cert?.status !== 'Archived' && cert?.status !== 'Revoked' && ( )}

))}

)}

Lifecycle Timeline

Revocation Endpoints

Policy & Profile

Edit Policy & Profile

Certificate Details

Lifecycle

Tags

Version History {versions?.data?.length ? `(${versions.data.length})` : ''}

Deploy Certificate

Export PKCS#12

Revoke Certificate