# Lifecycle Management

CBOM tracks the lifecycle state of every cryptographic asset according to the NIST SP 800-57 key management recommendations. Lifecycle states are stored on each asset and exported in CycloneDX output.
## Lifecycle States

| State | Description | Typical Use |
|---|---|---|
| pre-activation | Generated but not yet in operational use | Keys awaiting deployment |
| active | Currently in operational use | Production certificates and keys |
| suspended | Temporarily removed from use | Under investigation or maintenance |
| deactivated | Permanently removed from operational use | Retired after rotation |
| compromised | Key material may have been exposed | Incident response |
| destroyed | Cryptographically erased | End of life |
| revoked | Certificate revoked by issuing CA | CA-initiated revocation |
## State Diagram

```text
pre-activation → active → deactivated → destroyed
                  ↓  ↑
                suspended ─────┘
                  ↓
              compromised → destroyed

active → revoked (certificates only)
```

## Managing Lifecycle State
### From the Inventory

- Open an asset’s detail panel in Inventory
- Click the lifecycle state badge
- Select the new state
- Provide a reason (required for compromised/revoked)
- Confirm

### State Change Reasons

When transitioning to certain states, a reason is required:

| Transition | Example Reasons |
|---|---|
| → compromised | “Key exposed in breach”, “Unauthorized access detected” |
| → revoked | “CA revocation due to mis-issuance”, “Domain ownership change” |
| → deactivated | “Rotation completed”, “Service decommissioned” |
| → destroyed | “Compliance requirement”, “End of retention period” |
## Automatic State Detection

Some lifecycle states are detected automatically by sensors:

- Certificates past expiration — flagged but not auto-transitioned (expiration ≠ revocation)
- Revoked certificates — detected via CRL/OCSP during TLS endpoint scanning
- New assets — default to `active` unless explicitly set otherwise
## Lifecycle in CycloneDX Export

Lifecycle state is included in the CycloneDX export.

For certificates (via `certificateProperties.certificateState`):

```json
{
  "certificateProperties": {
    "certificateState": [
      { "state": "compromised", "reason": "Key exposed in security incident" }
    ]
  }
}
```

For keys (via `relatedCryptoMaterialProperties.state`):

```json
{
  "relatedCryptoMaterialProperties": {
    "type": "private-key",
    "state": "active"
  }
}
```

## Lifecycle Filtering
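The rules spread across the sections above (the permitted transitions in the state diagram, the mandatory reason for compromised/revoked, the flag-only handling of expired certificates versus the state change for CRL/OCSP revocation, and the two CycloneDX fragment shapes) fit together in a small state machine. The following is an added example written for this page, not the CBOM product's own code: the `TRANSITIONS` table is read off the diagram, the `Asset` class, function names and sample asset names are assumptions, and the output dictionaries mirror the two JSON fragments shown in the export section.

```python
"""Lifecycle state machine for cryptographic assets, following the state
diagram and state-change rules on this page. Added illustration only: not
the product's own code. Asset names, function names and dates are
constructed for the demo."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Permitted transitions, read off the state diagram. "revoked" is listed under
# "active" but transition() additionally restricts it to certificates.
TRANSITIONS = {
    "pre-activation": {"active"},
    "active": {"suspended", "deactivated", "compromised", "revoked"},
    "suspended": {"active", "compromised"},
    "deactivated": {"destroyed"},
    "compromised": {"destroyed"},
    "revoked": set(),
    "destroyed": set(),
}

# Target states for which the page requires a reason.
REASON_REQUIRED = {"compromised", "revoked"}


@dataclass
class Asset:
    name: str
    kind: str                     # "certificate", "private-key", ...
    state: str = "active"         # new assets default to active
    history: list = field(default_factory=list)   # (old, new, reason) tuples


def transition(asset: Asset, new_state: str, reason: Optional[str] = None) -> Asset:
    """Move asset to new_state, enforcing the diagram and the reason rule."""
    if new_state not in TRANSITIONS:
        raise ValueError(f"unknown lifecycle state: {new_state}")
    if new_state not in TRANSITIONS[asset.state]:
        raise ValueError(f"{asset.state} -> {new_state} is not a permitted transition")
    if new_state == "revoked" and asset.kind != "certificate":
        raise ValueError("only certificates can be revoked")
    if new_state in REASON_REQUIRED and not (reason and reason.strip()):
        raise ValueError(f"a reason is required when transitioning to {new_state}")
    asset.history.append((asset.state, new_state, reason))
    asset.state = new_state
    return asset


def detect_from_scan(asset: Asset, not_after: datetime, revocation_status: str,
                     now: datetime) -> list:
    """Apply the automatic-detection rules to one scanned certificate.
    Returns the flags raised; only a revoked CRL/OCSP status changes state."""
    flags = []
    if now > not_after:
        flags.append("expired")   # flagged only: expiration is not revocation
    if revocation_status == "revoked" and asset.state == "active":
        transition(asset, "revoked", reason="Revocation reported by CRL/OCSP")
        flags.append("revoked")
    return flags


def to_cyclonedx(asset: Asset) -> dict:
    """Render the lifecycle fragment in the shape shown in the export section."""
    if asset.kind == "certificate":
        entry = {"state": asset.state}
        last_reason = asset.history[-1][2] if asset.history else None
        if last_reason:
            entry["reason"] = last_reason
        return {"certificateProperties": {"certificateState": [entry]}}
    return {"relatedCryptoMaterialProperties": {"type": asset.kind, "state": asset.state}}


def demo() -> dict:
    """Walk a constructed key and a constructed certificate through the rules."""
    key = Asset("signing-key-01", "private-key")          # constructed sample
    transition(key, "suspended", "Under investigation")
    transition(key, "compromised", "Key exposed in breach")
    transition(key, "destroyed", "Compliance requirement")

    cert = Asset("www.example.test", "certificate")       # constructed sample
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    expired_on = datetime(2024, 6, 1, tzinfo=timezone.utc)
    flags = detect_from_scan(cert, expired_on, "revoked", now)
    return {"key": to_cyclonedx(key), "cert": to_cyclonedx(cert), "cert_flags": flags}


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Running the module prints the two export fragments for the sample assets; attempting `transition(key, "revoked", ...)` on the private key, or `transition(asset, "compromised")` without a reason, raises `ValueError`, which is the behaviour the UI enforces through the mandatory reason field.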
Filter the inventory by lifecycle state to find:
- All compromised assets requiring remediation
- Pre-activation assets awaiting deployment
- Deactivated assets that can be cleaned up
- Active assets for compliance evaluation
## Related

- Inventory — where lifecycle states are displayed and managed
- Compliance — Policies can require specific lifecycle states
- Alerts — Alert on lifecycle state changes
- Import/Export — Lifecycle state in CycloneDX output