CA Hierarchy¶
In the UI the CA Hierarchy page provides a visual interface for browsing the Certificate Authority structure in the PKI system. It shows how Root CAs, Intermediate CAs, and Issuing CAs are organized and allows you to inspect detailed information about each CA.
Overview¶
The CA Hierarchy page is the starting point for exploring your PKI infrastructure. It displays a table listing all Root Certificate Authorities registered in the platform.
The table shows the following information for each root CA:
| Column | Description |
|---|---|
| Name | The CA name. Grouped roots show a badge with the number of roots in the group. |
| Status | Active or Revoked (color-coded) |
| Subject DN | The distinguished name of the CA |
| Hierarchy Depth | How many levels deep the CA hierarchy extends |
| Sub CAs | Number of subordinate certificate authorities |
| Actions | Menu to view the full hierarchy tree |
Root CAs that share the same root group (e.g., multiple SRK roots in an (A)HAB use case) are automatically grouped into a single row with aggregated metrics.
Tip
Click on any row to open the hierarchy tree dialog and see the full CA structure.
Hierarchy View¶
Clicking a root CA row opens a dialog displaying the full hierarchy tree. The tree visualizes the complete chain from the Root CA through Intermediate CAs down to Issuing CAs.
Tree Node Information¶
Each node in the tree displays:
- CA name — Name of the CA
- Status badge — Active (green) or Revoked (red)
- CA type badge — Root CA, Intermediate CA, or Issuing CA
- Subject DN — Subject Distinguished Name
- Key and Signature algorithm
- Validity period — Not Before and Not After dates
- Certificates issued — count of certificates issued by this CA (if any)
Interacting with the Tree¶
- Click any node to open a detail dialog with comprehensive technical information
- View Certificates — from the detail dialog, navigate to the certificates page filtered by that CA
- View Profile — from the detail dialog, navigate to the associated PKI profile
- Trust Chain — the detail dialog shows the full issuer chain from the selected CA up to the root
Note
For grouped roots (e.g., SRK groups), the tree dialog loads and displays all roots in the group simultaneously.
CA Types¶
Certificate Authorities are organized in three levels, each with a distinct visual style in the hierarchy tree:
| Type | Icon Color | Description |
|---|---|---|
| Root CA | Blue | The trust anchor at the top of the hierarchy. Self-signed certificates that establish the root of trust. |
| Intermediate CA | Purple | Mid-level CAs that bridge Root and Issuing CAs. Also called Sub CAs. |
| Issuing CA | Green | Leaf CAs that directly issue end-entity certificates to devices, users, or services. |
Status Indicators¶
| Status | Color | Meaning |
|---|---|---|
| Active | Green | The CA is valid and operational |
| Revoked | Red | The CA has been revoked and is no longer trusted |
CA Detail Information¶
When you click a CA node, the detail dialog shows two columns of technical information:
Identity & Certificate:
- CA type (Root, Intermediate, or Issuing)
- Serial number
- Subject DN
- Issuer DN
Technical Details:
- Key algorithm (e.g., RSA 2048, ECDSA P256)
- Signature algorithm
- Valid From / Valid Until dates
- Number of certificates issued
- CRL Expiry and CRL Issue Interval (if configured)
- Associated PKI profile
The detail dialog also displays the full trust chain — the complete issuer path from the selected CA up to the root.
Tip
Use the View Certificates button in the detail dialog to quickly find all certificates issued by a specific CA. This filters the certificates list by the CA's Authority Key Identifier (AKI).
For more information about configuring CA profiles, see PKI Profiles. For the full PKI technical documentation, see the PKI General Guide.