

# Manage Certificate-based Authentication
<a name="certificate-based-authentication-manage"></a>

After you enable certificate-based authentication, review the following tasks.

**Topics**
+ [Private CA Certificate](certificate-based-authentication-manage-CA.md)
+ [End User Certificates](certificate-based-authentication-manage-certs.md)
+ [Audit Reports](certificate-based-authentication-manage-audit.md)
+ [Logging and Monitoring](certificate-based-authentication-manage-logging.md)

# Private CA Certificate
<a name="certificate-based-authentication-manage-CA"></a>

In a typical configuration, the private CA certificate has a validity period of 10 years. For more information about replacing a private CA with an expired certificate, or reissuing the private CA with a new validity period, see [Managing the private CA lifecycle](https://docs.aws.amazon.com/privateca/latest/userguide/ca-lifecycle.html).

# End User Certificates
<a name="certificate-based-authentication-manage-certs"></a>

End user certificates issued by AWS Private CA for WorkSpaces Applications certificate-based authentication don't require renewal or revocation. These certificates are short-lived. WorkSpaces Applications automatically issues a new certificate for each new session, or every 24 hours for sessions with a long duration. The WorkSpaces Applications session governs the use of these end user certificates. If you end a session, WorkSpaces Applications stops using that certificate. These end user certificates have a shorter validity period than a typical AWS Private CA CRL distribution. As a result, end user certificates don't need to be revoked and won't appear in a CRL. 

# Audit Reports
<a name="certificate-based-authentication-manage-audit"></a>

You can create an audit report to list all of the certificates that your private CA has issued or revoked. For more information, see [Using audit reports with your private CA](https://docs.aws.amazon.com/privateca/latest/userguide/PcaAuditReport.html).

# Logging and Monitoring
<a name="certificate-based-authentication-manage-logging"></a>

You can use CloudTrail to record API calls to a private CA by WorkSpaces Applications. For more information, see [What Is AWS CloudTrail?](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html) and [Using CloudTrail](https://docs.aws.amazon.com/privateca/latest/userguide/PcaCtIntro.html). In CloudTrail Event history, you can view the **GetCertificate** and **IssueCertificate** event names from the **acm-pca.amazonaws.com** event source made by the WorkSpaces Applications **EcmAssumeRoleSession** user name. These events are recorded for every WorkSpaces Applications certificate-based authentication request. For more information, see [Viewing events with CloudTrail Event history](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/view-cloudtrail-events.html).
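
The following is an added example, not part of the AWS documentation or any AWS tooling. It shows one way to triage exported CloudTrail records for the events named above, separating the expected **EcmAssumeRoleSession** calls from failed calls and from calls made by any other principal. It assumes the user name shown in Event history is the session segment of `userIdentity.arn`; the account ID, role name, `example-admin` session and all sample records are constructed placeholders.

```python
from collections import Counter

PCA_SOURCE = "acm-pca.amazonaws.com"
CBA_EVENTS = {"IssueCertificate", "GetCertificate"}
CBA_SESSION = "EcmAssumeRoleSession"

def _rec(name, session, **extra):
    """Build one constructed CloudTrail-style record (placeholder account and role)."""
    arn = f"arn:aws:sts::111122223333:assumed-role/ExampleRole/{session}"
    return {"eventSource": PCA_SOURCE, "eventName": name,
            "userIdentity": {"type": "AssumedRole", "arn": arn}, **extra}

# Constructed sample input, not real log data.
SAMPLE = [
    _rec("IssueCertificate", CBA_SESSION),
    _rec("GetCertificate", CBA_SESSION),
    _rec("IssueCertificate", CBA_SESSION, errorCode="AccessDenied"),
    _rec("IssueCertificate", "example-admin"),          # different session name
    _rec("DescribeCertificateAuthority", CBA_SESSION),  # not a certificate call
]

def session_name(record):
    """Assumption: the 'user name' is the session segment of the assumed-role ARN."""
    ident = record.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    return ident.get("arn", "").rsplit("/", 1)[-1] or None

def review(records):
    """Sort private CA certificate calls into expected, failed and unexpected."""
    expected, failed, unexpected = Counter(), [], []
    for r in records:
        if r.get("eventSource") != PCA_SOURCE or r.get("eventName") not in CBA_EVENTS:
            continue
        if session_name(r) != CBA_SESSION:
            unexpected.append((r["eventName"], r.get("userIdentity", {}).get("arn")))
        elif "errorCode" in r:
            failed.append((r["eventName"], r["errorCode"]))
        else:
            expected[r["eventName"]] += 1
    return expected, failed, unexpected

if __name__ == "__main__":
    expected, failed, unexpected = review(SAMPLE)
    print("expected:", dict(expected))
    print("failed:", failed)
    print("unexpected principal:", unexpected)
```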