The Pre-Certificate Revocation Service is useful when Certificate Transparency (CT) is being used. It detects when a pre-certificate has been issued, but the final certificate did not get issued. In such cases, it revokes the pre-certificate. This can happen, for example, if there is a power outage after the pre-certificate has been generated, but before the final certificate has been written to the database.
Without the Pre-Certificate Revocation Service, the serial numbers of the affected pre-certificates will be considered non-existent by EJBCA. As such, they will, with the default settings, return Unauthorized from OCSP.
The Pre-Certificate Revocation Service is only needed when using CT in certificates. It is not needed when CT is only used in OCSP responses or TLS extensions.
The following lists configurable fields:
Field
Description
Consider issuance failed after
Pre-certificates without a final certificate will be considered to have failed issuance, and be revoked, after this amount of time.
Do not set the value lower than the maximum time it could possibly take to issue a certificate (excluding publishing).