Remove identifiable information in Certificate Manager

This task requires that:

• The Certificate Controller (CC) is running.
  
• The officer has the following role:

  • Manage user data retention
    

• Enough information is known to identify the user.

• There must be no certificates for the user's subject that are bound to an officer, that are still active or revoked as 'On hold'. All X.509 certificates bound to the user must be either revoked or expired. This requirement does not apply to certificates that are of another type than X.509, for example, PGP and CVC, as they can be removed at any given time.

1. To locate the user's certificate, enter the search criteria in the CC user interface in Certificate Manager in the Search pane and click Search. The matching certificate(s) will appear in the upper half of the result pane.

2. Open the Action drop down list and select operation Remove Subject.

3. Select certificates in the upper half of the result pane. (Press the Ctrl key on the keyboard to make multiple selections.)

4. Click Add to move the certificate(s) to the lower half of the result pane.

5. Click Submit.

6. Enter your PIN code in Signature PIN.
7. Click OK.
   

• The effect of performing the task is that the subject data will be overwritten with empty values and "-- REMOVED --".
• Already issued certificates will not be changed or removed, since they may still be required for the CA to fulfil its operational obligations.
• After performing this task, searching for the subject data will no longer show the related certificates.
• Keep in mind that one user can have several subjects, for example when a user has changed department.
• If CM is running in multi-tenant mode with multiple configured domains, keep in mind that the user may have certificates in more than one domain with the same subject. In that case, all the user's certificates in all domains must be either revoked or expired before the subject can be removed.