9.3.4. Conflicting Token Certificate Status Information

The TPS stores the complete history of each certificate's status, so that every change in status can be reviewed. The status shown for a token, however, is the status each certificate had at the time that token was formatted: it is a snapshot taken at format time, not a live lookup, so it may not reflect the certificate's real status. Because the same certificate can be present on more than one token (for example, after a recovery), the certificate status recorded for those tokens can fall out of sync with the status information in the CA database, and the certificate information displayed on the TPS agents page can then be inconsistent from one token to another.

For example, Token #1 has two certificates stored on it, an encryption certificate (Encrypt #1) and a signing certificate (Signing #1). If Token #1 is lost, both of its certificates are revoked, so Encrypt #1 and Signing #1 are both marked as revoked. When the user is issued a new token, Token #2, Encrypt #1 is recovered onto it and a new signing certificate, Signing #2, is issued. The status of the three certificates is then as follows: Encrypt #1 is active, Signing #1 is revoked, and Signing #2 is active.

If Token #1 is later found, the certificates for Token #2 are revoked, the certificates for Token #1 are reactivated, and Token #1 is formatted again. The status of the three certificates is then as follows: Encrypt #1 is active, Signing #1 is active, and Signing #2 is revoked.

Viewing Token #1 through the TPS agents page shows Signing #1 as active, but viewing Token #2 shows Signing #1 as revoked. This is because Signing #1 was still revoked when Token #2 was formatted, and the status stored for Token #2 was not updated when Signing #1 was reactivated and Token #1 was subsequently formatted. The status a token record shows is fixed when that token is formatted; later status changes in the CA are not propagated to records of tokens formatted earlier.

To find the current status of certificates, view an active token, and list the certificates. Active tokens always have the most current certificate status. For information on listing certificates stored on tokens, see Section 9.3.3, “Listing Token Certificates”.
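The following is an added, constructed model of the behaviour described in this section; it is not Certificate System code, and the class and method names (CA, TPS, TokenRecord, format_token, find_inconsistencies, current_status) are illustrative. It replays the Token #1 / Token #2 scenario, shows that each token record keeps the status snapshot taken when it was formatted, lists every token entry that disagrees with the CA database, and reads the current status from the active token as the text recommends.

```python
"""Constructed model of token-vs-CA certificate status drift (not the TPS API)."""
from dataclasses import dataclass, field


class CA:
    """Authoritative status store: keeps every status change per certificate."""

    def __init__(self):
        self.history = {}  # cert_id -> list of (status, reason), oldest first

    def issue(self, cert_id):
        self.history[cert_id] = [("active", "issued")]

    def revoke(self, cert_id, reason):
        self.history[cert_id].append(("revoked", reason))

    def reactivate(self, cert_id, reason):
        self.history[cert_id].append(("active", reason))

    def status(self, cert_id):
        return self.history[cert_id][-1][0]


@dataclass
class TokenRecord:
    """What the agents page shows for one token: a snapshot taken at format time."""
    token_id: str
    certs: tuple                                   # certs physically on the token
    snapshot: dict = field(default_factory=dict)   # cert_id -> status when formatted
    active: bool = False


class TPS:
    """Hypothetical token-processing front end; records status only at format time."""

    def __init__(self, ca):
        self.ca = ca
        self.user_certs = []   # every certificate ever associated with the user
        self.tokens = {}

    def format_token(self, token_id, certs):
        """Format a token: the status of all the user's certs is copied once, now."""
        for c in certs:
            if c not in self.user_certs:
                self.user_certs.append(c)
        rec = TokenRecord(token_id, tuple(certs), active=True)
        rec.snapshot = {c: self.ca.status(c) for c in self.user_certs}
        self.tokens[token_id] = rec
        return rec

    def revoke_token(self, token_id, reason):
        """Mark a token inactive and revoke the certificates stored on it."""
        rec = self.tokens[token_id]
        rec.active = False
        for c in rec.certs:
            self.ca.revoke(c, reason)

    def find_inconsistencies(self):
        """Every (token, cert, token_status, ca_status) where the snapshot is stale."""
        out = []
        for rec in self.tokens.values():
            for c, shown in rec.snapshot.items():
                real = self.ca.status(c)
                if shown != real:
                    out.append((rec.token_id, c, shown, real))
        return out

    def current_status(self, cert_id):
        """Read status from an active token only; inactive tokens may be stale."""
        for rec in self.tokens.values():
            if rec.active and cert_id in rec.snapshot:
                return rec.snapshot[cert_id]
        raise LookupError(f"{cert_id} is not listed on any active token")


def run_scenario():
    """Replay the Token #1 / Token #2 example from the text (constructed data)."""
    ca = CA()
    tps = TPS(ca)
    ca.issue("Encrypt #1")
    ca.issue("Signing #1")
    tps.format_token("Token #1", ["Encrypt #1", "Signing #1"])
    tps.revoke_token("Token #1", "Token #1 lost")        # both certs revoked
    ca.reactivate("Encrypt #1", "recovered to Token #2")  # encryption cert recovered
    ca.issue("Signing #2")                                 # new signing cert
    tps.format_token("Token #2", ["Encrypt #1", "Signing #2"])
    # Token #1 is found: Token #2's certs are revoked, Token #1's reactivated,
    # and Token #1 is formatted again. Token #2's record is never refreshed.
    tps.revoke_token("Token #2", "Token #2 retired")
    for c in tps.tokens["Token #1"].certs:
        ca.reactivate(c, "Token #1 found")
    tps.format_token("Token #1", ["Encrypt #1", "Signing #1"])
    return tps


if __name__ == "__main__":
    tps = run_scenario()
    for rec in tps.tokens.values():
        print(rec.token_id, "active" if rec.active else "inactive", rec.snapshot)
    print("stale entries:", tps.find_inconsistencies())
```

Running the scenario, Token #1 (active) lists Signing #1 as active while Token #2 (inactive) still lists Signing #1 as revoked and Signing #2 as active; find_inconsistencies() reports exactly those two stale entries, both on Token #2, and current_status() returns the active token's view, which matches the CA.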