== Certificate Lifecycles and Key Management ==
The ''certificate lifecycle conists '' consists of many (but not necessarily all) of the followingevent:
# * '''Key Generation''' - The creation of the public/private key pair associated with the certificate
# * '''Identify Submission''' - The credentials of the party requested the certificate are submitted to the CA.
# * '''Registration''' - The request for a new certificate is registered by the CA.
# * '''Certification''' - Requesting party's identity is validated and a certificate is generated and digitally signed with the CA's digital signature.
# * '''Distribution''' - The certificate is published by the CA.
# * '''Usage''' - The requesting party uses the certificate for the authorized purpose.
# * '''Expiration''' - Unless renewed or revoked, the certificate expires based on the expiration date built into the certificate at generation time.
# * '''Revocation''' - At any time prior to expiration a certificate may be revoked (for example if it is being used for malicious purposes or the private key is compromised).
# * '''Renewal''' - At the request of the owner a certificate may be renewed by the CA. This process requires the generation of a new public/private key pair.
# * '''Suspension''' - The certificate is temporarily suspended, for example is a user goes on sabbatical and does not plan to use the certificate during this period of time.
# * '''Recovery''' - The process of recovering the key pair from a backup in the event of corruption (in order to qualify for recovery the keys must be considered to still be trusted and valid).
# * '''Destruction''' - When the key and certificate lifetimes expire and a suitable period of time has elapsed to avoid receiving information encrypted using the keys (a period known as the ''key history maintenance'' period) it is essential that all copies be destroyed from any locations where they might have been stored. For examle, copies on workstations, laptops servers, key servers and removable media) must be deleted. == Centralized and Decentralized Infrastructures == The key pairs used in a PKI are generated using ''centralized'' or ''decentralized'' methods. The choice of approach typically depends of an organizations security policy. Keys that are generated and stored on local computer systems for use by those systems are said to conform to the decentralized approach. Keys that are generated by a central server and transmitted to hosts on an as-needed basis are referred to ''centralized''. It is important to note that these distinctions are not necessarily mutually exclusive and that there is room for some overlap. For example, in a decentralized environment it is still possible for the keys to be generated by the local system, and the public key then provided to the central server for the creation and distribution of the corresponding certificate.