About certificate object settings
The certificate object provides the information Trust Protection Platform needs to monitor, enroll, and provision network certificates.
Additionally, consider managing certificate object settings via policy. For more information, see Using policies to manage encryption assets.
The following list describes the configuration settings for a network certificate object. The Policy note after a setting name indicates whether the setting may also be managed via Policy (Yes, No, or n/a).

Refresh (Policy: n/a)
Refreshes the contents of the current page.

Print (Policy: n/a)
Prints the contents of the current Detail View.

Certificate Tab

Summary Tab
Provides a snapshot of the current certificate. It lists the certificate status, all associated applications, the certificate signature chain, and the certificate details. Any user with write permission to the certificate can access all of the options in the Certificate Summary tab and view all summary data, including information about the certificate's associated applications, regardless of whether the user has permissions to the associated applications themselves. For more information, see About a certificate's summary (Policy Tree).

Restart (Policy: n/a)
Clears all errors and stages on the certificate and its associated application(s), then restarts processing from the beginning. In Policy Tree, this option is available under Fix > Restart Processing from the Beginning. It is provided for circumstances in which the certificate or application was misconfigured: correct the configuration, then restart certificate processing so the correct information is used. For example, if you misspelled the certificate's common name, you could correct the spelling error, then restart the renewal process so the change is reflected in the new certificate. You can use the Restart option at any point during the renewal process. This option is relevant only to certificates managed under Enrollment or Provisioning. For more information, see About clearing certificate workflow errors.

Retry (Policy: n/a)
Clears the certificate error, then retries the last processing stage. In Policy Tree, this option is available under Fix > Retry Last Failed Operation. If the certificate is currently in an error state, this option clears the error, then queues the certificate to retry the current stage. For example, if a certificate was configured with an invalid CA template, you could reconfigure the CA template and then click Retry to resume the renewal process. If there is an error on the certificate's associated application(s), Trust Protection Platform reattempts to install the certificate on those application(s). Disabled applications are skipped. This option is available only for certificates managed under Enrollment or Provisioning. For more information, see About clearing certificate workflow errors.

Reset (Policy: n/a)
Clears errors and stages on the certificate and its associated applications, then stops processing. In Policy Tree, this option is available under Fix > Reset Errors and Stop Operation. It is provided for circumstances in which there is an error at some stage of the certificate lifecycle and you decide to abort the current renewal process. For example, if a certificate completed the enrollment process but failed when installing on one of its associated applications, you could install the certificate on that application manually and then click Reset to clear the error; no further processing would be necessary. This option is relevant only to certificates managed under Enrollment or Provisioning. For more information, see About clearing certificate workflow errors.

Validate Now (Policy: n/a)
Immediately runs a validation check on the current certificate according to the settings configured in the object's Validation tab. For more information on certificate object validation, see About certificate and application validation.

Revoke / Revoke and Disable (Policy: n/a)
Revoke submits a revocation request to the certificate's CA. Revoke and Disable submits the revocation request and also disables the current Certificate object. When the Certificate object is disabled, Trust Protection Platform stops all certificate processing; that is, it no longer monitors, enrolls, or provisions the certificate. For more information, see About revoking certificates manually.

Change Certificate Type (Policy: n/a)
Changes the certificate type of a certificate that has been misclassified. For a list of certificate types, see Overview of certificate types.

Certificate Status

Status (Policy: n/a)
Just below the Certificate Status title bar, Trust Protection Platform displays the current status of the certificate object. The common messages are: no processing is under way and the certificate is working; the certificate is being processed (the status field describes what is happening); there is a problem and the certificate is not functioning (the status field describes the problem); the workflow request has been rejected.

Processing Stage (Policy: n/a)
If the certificate is currently being processed, Trust Protection Platform indicates the current stage of the certificate lifecycle; for example, if it is currently waiting to retrieve the certificate from the CA, it displays that stage. If the certificate is not currently being processed, the processing stage is "None." If processing is disabled on the application, the processing stage is "n/a" (not applicable). The processing stages listed are specific to each device. For more information, see About certificate lifecycle management.

Certificate Processing (Policy: n/a)
Indicates whether certificate processing is enabled or disabled. If the Certificate object is disabled, Trust Protection Platform does not monitor, validate, enroll, or provision the certificate. Certificate Processing is enabled or disabled on the Settings tab.

Expiration Date (Policy: n/a)
The date the certificate expires.

Last Validation (Policy: n/a)
Time and date of the last validation.

Network Result (Policy: n/a)
Result of the most recent Network Validation.

Associated Applications (Policy: n/a)
All applications where the current certificate is installed.

Settings Tab

Renew Now (Policy: n/a)
Queues the certificate for renewal. Error and status attributes are cleared on the certificate and its associated application(s). NOTE: This option is available only for certificates managed under Enrollment or Provisioning. For Trust Protection Platform to renew a certificate automatically, the Processing Disabled option must not be selected. In Policy Tree, the Renew Now option is available on the Certificate Summary page and on the Certificate Settings page. Trust Protection Platform only attempts the renewal; it does not revoke the existing certificate. For information on revoking a certificate, see About revoking certificates manually. A user must have write permission to restart a certificate renewal manually. For more information, see Renewing a certificate manually.

Download (Policy: n/a)
Available only in Policy Tree. Downloads the certificate and, optionally, the private key and root chain from the Trust Protection Platform database, and lets you save it as a Base64, DER, PKCS#7, or PKCS#12 formatted file. If you select PKCS#12 format, you can define a password that is required to access the downloaded certificate and private key. For more information, see Downloading certificates, private keys, and root chains.

Import (Policy: n/a)
Available only in Policy Tree. Lets you copy and paste a Base64-encoded certificate file (and, optionally, the private key) into Policy Tree. Trust Protection Platform automatically populates the certificate object with the certificate data and, when you save the certificate object, archives the certificate file in the Trust Protection Platform database. If the uploaded certificate includes the private key, you must specify the password required to access the private key. You must have the View and Write permissions to the certificate object to import a certificate. If the certificate is in a format that includes the private key, you must also have the Private Key Write permission to the certificate object. For more information, see Importing an existing certificate.

Retrieve Certificate (Policy: n/a)
Available only in Policy Tree. Retrieves the certificate from a designated host name or IP address and port; Trust Protection Platform supports both IPv4 and IPv6 connections. If the current certificate is managed at the Monitoring level, you can use this option to update the certificate in the Trust Protection Platform database after you have manually renewed the certificate on the target device. You can set up a Notification to alert you when the certificate has been updated on the target application; for more information on this configuration, see Review validation results. If the current certificate is managed at the Enrollment or Provisioning level, you can use this option to retrieve the certificate from the CA. You must have the View and Write permissions to the certificate object to retrieve a certificate. For more information, see Retrieving certificates.

General Information

Certificate Name (Policy: No)
Unique name for the certificate object. This is a mandatory field.

Description (Policy: No)
Describes what the certificate is used for.

Contact (Policy: Yes)
User or group Identities assigned to this object. Default system notifications are sent to the contact identities. Default contact: master administrator.
To select the object contacts
You can manage this setting at the policy level. To configure the setting via Policy, go to the Settings > Certificate tab in the Policy object configuration. The setting defined in the Policy object may be inherited by all subordinate Certificate objects. For more information, see Policy object certificate settings.

Approver
User or group Identities assigned to approve workflows (certificate approval or injection command) for the current certificate object. For more information on defining workflow objects, see Workflow management. Default approver: master administrator.
To select the Certificate object approvers

Processing Disabled (Policy: No)
Disables monitoring, enrollment, and provisioning of the current certificate: Trust Protection Platform does not generate notifications, validate, or attempt renewal for the Certificate object. This option is useful while you are still building the certificate configuration. Select Processing Disabled to disable the object until you are ready for it to be active; this avoids system processing errors caused by an incomplete configuration.

Management Type (Policy: Yes)
Level at which subordinate certificates are to be managed; use it to change a certificate's management type. Trust Protection Platform provides the following levels of certificate management for Kubernetes Policy, Cluster, and Namespace objects: Monitoring, Enrollment, and Provisioning (the levels referred to under Retrieve Certificate above).
You can manage this setting at the policy level. To configure the setting via Policy, go to the Settings > Certificate tab in the Policy object configuration. The setting defined in the Policy object may be inherited by all subordinate Certificate objects. For more information, see Policy object certificate settings.

CSR Generation (Policy: Yes)
Determines how CSRs are generated. Trust Protection Platform always generates CSRs in compliance with the certificate object's current parent policy. If the CSR is user-submitted, Trust Protection Platform does not accept it unless it is "in policy." You can manage this setting at the policy level. To configure the setting via Policy, go to the Settings > Certificate tab in the Policy object configuration. The setting defined in the Policy object may be inherited by all subordinate Certificate objects. For more information, see Policy object certificate settings.

Generate Key/CSR on Application (Policy: Yes)
Determines where the CSR and the private key are generated. If this option is not selected, the CSR and private key are generated centrally on the Trust Protection Platform server and then securely copied to the application. If it is selected, the CSR and private key are generated locally on the application's server. With central generation, both the certificate and the private key are archived in the Trust Protection Platform database; with remote generation, only the certificate is stored in the database. You can manage this setting at the policy level. To configure the setting via Policy, go to the Settings > Certificate tab in the Policy object configuration. The setting defined in the Policy object may be inherited by all subordinate Certificate objects. For more information, see Policy object certificate settings. IMPORTANT: When one or more of the following items are true, remote generation is not supported and the Generate Key/CSR on Application setting is therefore ignored.

Hash Algorithm
For the certificate signing request, choose either SHA-1 or SHA-256. Prefer SHA-256; SHA-1 is retained only for legacy CAs and is no longer accepted for publicly trusted certificates.

Upload CSR (Policy: No)
Lets the administrator paste the CSR data or upload a CSR file to the Trust Protection Platform database. The CSR file must be Base64 encoded. If User Provided CSR is selected, the uploaded CSR values must adhere to the policy before they are applied to the Certificate object; if they do, they are added to the certificate and stored in the Trust Protection Platform database when the Certificate object is saved. For more information, see Manually uploading the CSR. If the CSR is user provided, you may also want to upload the private key so that it is archived in the Trust Protection Platform database: Trust Protection Platform must have a copy of the certificate's private key to provision certificates and key pairs. For more information, see Manually Uploading the Private Key.

Subject DN

Common Name (Policy: No)
Typically, the fully qualified domain name.

DNS SAN (Policy: No)
The DNS-based Subject Alternative Name(s) (SANs) associated with the current certificate. Trust Protection Platform includes the SANs in the certificate CSR. If the CA does not accept SAN entries in the CSR (RedHat is the only currently supported CA that does not), Trust Protection Platform provides the SAN values to the CA out-of-band during the certificate approval process. If the certificate requires manual approval, Venafi TLS Protect does not include the SAN values in the CSR; instead, it notifies the approver to provide the DNS SAN values when approving the certificate.
To enable Venafi TLS Protect to provision SAN certificates, your configuration must meet the following criteria:
- Verify that your CA supports DNS-based SAN values. NOTE: DNS SANs are included in the Unified Communications Certificates used with Microsoft Exchange 2007 and Microsoft Office Communications Server. If you use Microsoft, RedHat, or Symantec CAs, you must verify that the SAN feature is enabled on your CA engine. If you enter a SAN value but the SAN feature is not enabled on your CA, the CA returns the following error when Venafi TLS Protect attempts to submit the CSR: Stage 400 (Creating CSR) SubjectAltName not supported by Application and CA.
- The Subject Alt Name Enabled option must be enabled on the certificate's associated CA template object; otherwise, the CA template object will not accept CSRs with SAN values. For more information, see your associated CA template object configuration in CA integration setup. If this option is not enabled, Trust Protection Platform returns the same error when it attempts to submit the CSR: Stage 400 (Creating CSR) SubjectAltName not supported by Application and CA.
- If you enable the Generate Key/CSR on Application option in the current Certificate object, you must verify that the Application driver for the certificate's consumer applications can generate a CSR with SAN values. IMPORTANT: At present, only the GSK application can generate a CSR with SAN values. To enable the GSKit 7.x driver to generate a CSR with SAN values, set the SAN support value to true in the ikminit.properties file as follows: DEFAULT_SUBJECT_ALTERNATIVE_NAME_SUPPORT=true. The ikminit.properties file may be written to several locations; search for and change all instances of the file in the file system. The default locations are
- If you enable the Generate Key/CSR on Application option in the certificate object and the certificate's consumer application is an Apache web server or another application that consumes a PEM file in a non-Windows environment, a NetScaler device, or an F5 network appliance, Venafi TLS Protect must provide the SAN values to the CA out-of-band. This is not a problem for Microsoft or RedHat certificates; however, the RSA Keon CA does not accept out-of-band values.
- If you enable the Generate Key/CSR on Application option in the certificate object and the certificate's consumer application is a GSK keystore, but the SAN feature is not enabled on your CA, the CA returns the following error: Create CSR failed with error: {0}, Subject Alternative Name support not enabled. The error message also indicates which file needs to be modified to support SAN.

Organization (Policy: Yes)
Name that uniquely identifies the organization in the certificate. You can manage this setting at the policy level. To configure the setting via Policy, go to the Settings > Certificate tab in the Policy object configuration. The setting defined in the Policy object may be inherited by all subordinate Certificate objects. For more information, see Policy object certificate settings.

Organization Unit (Policy: Yes)
Department or division within the organization that is responsible for maintaining the certificate. You can manage this setting at the policy level. To configure the setting via Policy, go to the Settings > Certificate tab in the Policy object configuration. The setting defined in the Policy object may be inherited by all subordinate Certificate objects. For more information, see Policy object certificate settings.

City, State/Province, Country (Policy: Yes)
Location (city, state/province, and country) of your Organization or Organizational Unit. You can manage this setting at the policy level. To configure the setting via Policy, go to the Settings > Certificate tab in the Policy object configuration. The setting defined in the Policy object may be inherited by all subordinate Certificate objects. For more information, see Policy object certificate settings.

Domain Whitelist

Allowed Domains
Enter the suffix of the allowed domains. If you leave this field blank, ALL domains are allowed.

Allow Wildcards
The default is Yes. Select No to prohibit wildcards.

Allow Duplicate Common and Subject Alternate Names
The default is Yes. Select No to require unique names.
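An added example (not Venafi code) of how a Domain Whitelist of this kind can be applied to a requested Common Name and DNS SANs before a CSR is accepted. It assumes a suffix-match rule (a name matches an allowed domain when it equals the domain or ends with "." followed by it, so evil-example.com does not match example.com) and that, when duplicates are not allowed, uniqueness is checked against names already used by other certificates under the same policy; all identifiers and sample data are constructed.

```python
"""Policy check for the Domain Whitelist settings: Allowed Domains (suffix list),
Allow Wildcards, and Allow Duplicate Common and Subject Alternate Names.
Added example, not Venafi code; the matching rules are assumptions."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class DomainWhitelist:
    allowed_domains: list[str] = field(default_factory=list)  # empty list = ALL domains allowed
    allow_wildcards: bool = True                               # page default: Yes
    allow_duplicates: bool = True                              # page default: Yes


def _normalize(name: str) -> str:
    # DNS names are case-insensitive; a trailing dot and surrounding whitespace are not significant.
    return name.strip().rstrip(".").lower()


def domain_allowed(name: str, allowed_domains: list[str]) -> bool:
    """Assumed suffix rule: allowed when the whitelist is empty, or when the name equals an
    allowed suffix or ends with "." + suffix. A wildcard is judged by the part after "*."."""
    if not allowed_domains:
        return True
    bare = name[2:] if name.startswith("*.") else name
    for suffix in (_normalize(s).lstrip(".") for s in allowed_domains):
        if bare == suffix or bare.endswith("." + suffix):
            return True
    return False


def check_names(common_name: str, dns_sans: list[str], policy: DomainWhitelist,
                existing_names: frozenset[str] = frozenset()) -> list[str]:
    """Return the list of policy violations; an empty list means the request is in policy.
    existing_names: names already used by other certificates under this policy (assumed scope
    of the uniqueness check when allow_duplicates is False)."""
    violations: list[str] = []
    seen: set[str] = set()
    for n in [_normalize(common_name)] + [_normalize(s) for s in dns_sans]:
        if n in seen:          # the CN repeated as a SAN is normal; check each name once
            continue
        seen.add(n)
        if not n:
            violations.append("empty name")
            continue
        if "*" in n and (not n.startswith("*.") or "*" in n[2:]):
            violations.append(f"malformed wildcard: {n}")   # only a single leading "*." label is a wildcard
            continue
        if n.startswith("*.") and not policy.allow_wildcards:
            violations.append(f"wildcard not allowed: {n}")
        if not domain_allowed(n, policy.allowed_domains):
            violations.append(f"domain not allowed: {n}")
        if not policy.allow_duplicates and n in existing_names:
            violations.append(f"name already used by another certificate: {n}")
    return violations


# Constructed sample: a policy restricted to two corporate domains, no wildcards, unique names.
SAMPLE_POLICY = DomainWhitelist(allowed_domains=["example.com", "example.net"],
                                allow_wildcards=False, allow_duplicates=False)
SAMPLE_EXISTING = frozenset({"api.example.com"})   # constructed: a name another certificate already uses

if __name__ == "__main__":
    print(check_names("www.example.com", ["www.example.com", "Example.NET"], SAMPLE_POLICY, SAMPLE_EXISTING))
    print(check_names("*.example.com", ["api.example.com", "evil-example.com"], SAMPLE_POLICY, SAMPLE_EXISTING))
```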
Private Key |
|
|
||||||||||||||||||||||||||||
Private Key Stored |
No |
Indicates whether Trust Protection Platform currently has a copy of the certificate’s private key—Yes or No. Trust Protection Platform must have a copy of the private key to provision certificates and key pairs. If Trust Protection Platform does not have a copy of the certificate’s private key, then you can do one of the following: Manually import the certificate and private key. For more information, see Manually Uploading the Private Key. If Automate Renewal is selected, you can wait until Trust Protection Platformrenews the certificate or click Renew Now to generate a new key pair. |
||||||||||||||||||||||||||||
Key Algorithm |
|
Choose either RSA or ECC (Elliptic Curve Cryptography). Depending on which one you choose, make a key strength or elliptic curve selection from the corresponding controls. To learn more about these cryptographies and see a comparison chart, see About RSA and elliptic curve cryptography (ECC) key algorithms. NOTE The most broadly supported elliptic curve is P256. The other curves, P384 and P521, may be rejected by some CAs that support ECC.
|
||||||||||||||||||||||||||||
Reuse Private Key |
|
Reuses the original private key when renewing the certificate. You can manage this setting at the policy level. To configure the setting via Policy, go to the Settings > Certificate tab in the Policy object configuration. The setting defined in the Policy object may be inherited by all subordinate Certificate objects. For more information, see Policy object certificate settings. |
||||||||||||||||||||||||||||
Key Strength (bits) |
|
Certificate’s key strength. If the key strength value conflicts with what the application can handle/requires, the application ignores the policy and sets the value accordingly. For example, if you set this value to 2048-bit encryption, but the target application cannot handle 2048-bit certificates, Trust Protection Platform generates the certificate CSR using 1024-bit encryption. You can manage this setting at the policy level. To configure the setting via Policy, go to the Settings > Certificate tab in the Policy object configuration. The setting defined in the Policy object may be inherited by all subordinate Certificate objects. For more information, see Policy object certificate settings. |
||||||||||||||||||||||||||||
Upload Private Key |
No |
Allows the administrator to paste the private key data or upload a private key file to the Trust Protection Platform database. The private key must be base64 encoded and you must specify the password required to access the private key. You must have the Ppivate key write, view, and write permissions to the Certificate object to upload a private key. If the CSR is user provided, you may also want to upload the private key so it is archived in the Trust Protection Platform database. Trust Protection Platform must have a copy of the certificate’s private key to provision certificates and key pairs. For more information, see Manually Uploading the Private Key. |
||||||||||||||||||||||||||||
Other Information |
|
You can manage the following settings at the policy level. To configure these settings via Policy, go to the Settings > Certificate tab in the Policy object configuration. The settings defined in the Policy object may be inherited by all subordinate Certificate objects. For more information, see Policy object certificate settings. |
||||||||||||||||||||||||||||
CA template |
|
CA template object that Venafi TLS Protect references to generate the CSR and submit it to the CA. To select the CA template object
|
||||||||||||||||||||||||||||
Key Generation |
|
Encryption key used to generate the certificate’s private key. Trust Protection Platform uses either an AES-256 software encryption key or hardware keys stored on supported HSM devices to generate certificate private keys. For information on using your own encryption keys, see Working with system credentials. |
||||||||||||||||||||||||||||
Disable Automatic Renewal |
|
Disables automatic enrollment and provisioning for the current certificate. This means that Venafi TLS Protect will not attempt to renew or install the current certificate on its own. However, Venafi TLS Protect still provides monitoring, validation, and notification for the certificate object. Trust Protection Platform automatically selects this option when it renews a certificate in response to a SCEP request. For more information, see Certificate enrollment via SCEP protocol. |
||||||||||||||||||||||||||||
Renewal Window |
|
Number of days prior to expiration that Venafi TLS Protect begins the renewal operation. Recommended value = DID YOU KNOW? The default renewal window is 32 days for all newly created |
||||||||||||||||||||||||||||
Validity Period |
No |
Period of time (in years) that the certificate is valid. The options available in this menu are determined by the Available Validity Periods configured on the CA template object. |
||||||||||||||||||||||||||||
Server Type |
No |
Application where the certificate is installed. |
||||||||||||||||||||||||||||
Entrust Certificate Services Settings |
|
When you associate the Entrust Certificate Services template object configuration with the certificate object, you can define additional settings that are specific to the certificate. These settings are passed to the Entrust Certificate Services when Trust Protection Platform renews the certificate. In Policy Tree, you must click the Entrust Certificate Services tab to access the Entrust Certificate Services settings. For more information, see Entrust Certificate Services—certificate settings. |
||||||||||||||||||||||||||||
Settings |
|
|
||||||||||||||||||||||||||||
Validity Period |
No |
Period of time (in years) that the certificate is valid. The options available in this menu are determined by the Available Validity Periods configured in the Entrust Certificate Services template object configuration. |
||||||||||||||||||||||||||||
Number of Servers |
No |
Number of servers the current certificate may be installed on. |
||||||||||||||||||||||||||||
Certificate Owner |
|
Person the Entrust Certificate Services identifies as the certificate owner. |
||||||||||||||||||||||||||||
First Name |
No |
Certificate owner’s first name. |
||||||||||||||||||||||||||||
Last Name |
No |
Certificate owner’s last name. |
||||||||||||||||||||||||||||
|
No |
Certificate owner’s email address. |
||||||||||||||||||||||||||||
Telephone |
No |
Certificate owner’s telephone number. |
||||||||||||||||||||||||||||
RSA Keon Settings |
|
When you associate the RSA CA template object configuration with the Certificate object, you can define additional settings that are specific to the certificate. These settings are passed to the RSA Keon CA when Trust Protection Platform renews the certificate. In Policy Tree, you must go to the RSA tab to access the RSA Keon settings. For more information, see RSA Certificate Manager—certificate settings. |
||||||||||||||||||||||||||||
Validity Period |
No |
Period of time (in years) that the certificate is valid. The options available in this menu are determined by the Available Validity Periods configured in the RSA CA template object configuration. This option is available only if you select Override Default Key Update Policy. |
||||||||||||||||||||||||||||
Validity Period |
No |
Period of time (in years) that the certificate is valid. The options available in this menu are determined by the Available Validity Periods configured in the Thawte CA template object configuration. This option is available only if you select Override Default Key Update Policy. |
||||||||||||||||||||||||||||
Number of Servers |
No |
Number of servers where the current certificate may be installed. |
||||||||||||||||||||||||||||
Server Type |
No |
Application where the certificate is installed. |
||||||||||||||||||||||||||||
Issuance Settings
|
|
These settings define the certificate renewal parameters. |
||||||||||||||||||||||||||||
Validity Period (Years) |
No |
Period of time (in years) that the certificate is valid. |
||||||||||||||||||||||||||||
License Count |
No |
Number of licenses (i.e., concurrent installations) to be issued with the certificate. |
||||||||||||||||||||||||||||
Server Type |
No |
Type of server that the certificate is installed on. |
||||||||||||||||||||||||||||
Comment |
No |
Any information you want to store with the certificate. |
||||||||||||||||||||||||||||
Symantec Owner |
|
Defines the information for the Symantec Certificate Owner. |
||||||||||||||||||||||||||||
First Name |
No |
Symantec Certificate Owner’s first name. |
||||||||||||||||||||||||||||
Last Name |
No |
Symantec Certificate Owner’s last name. |
||||||||||||||||||||||||||||
|
No |
Symantec Certificate Owner’s email address. |
||||||||||||||||||||||||||||
Use Certificate Owner |
No |
Retrieves the Certificate object’s Contact Identity information. This option is available only in Policy Tree. |
||||||||||||||||||||||||||||
Additional Certificate Fields |
No |
Your certificate may include additional certificate fields. If the custom fields are required, you must define the fields in the Certificate object. |
||||||||||||||||||||||||||||
Associations Tab
|
No |
Lists the applications associated with the current certificate. When you associate an Application object with a certificate and enable processing, Venafi TLS Protect provisions the certificate and private key on the server where the application resides. For more information and details about the options available in the Associations tab, see Associating certificates with applications. |
||||||||||||||||||||||||||||
Compliance Tab
|
|
The Compliance tab provides an assessment of the certificate’s compliance with its parent folder. For more information, see Determining certificate compliance. |
||||||||||||||||||||||||||||
Certificate Value |
n/a |
The Certificate Value column lists the certificate values as they are currently defined in the certificate. Certificate Values are listed as being in or out of policy. |
||||||||||||||||||||||||||||
Renewal Value |
n/a |
The Renewal Value column lists the certificate values currently defined in the Certificate object. Renewal values also reflect policy status. |
History Tab | n/a | The Certificate History tab lists the common name, serial number, issuer, and valid dates for each edition of the certificate associated with the current Certificate object. Each time a new certificate is issued or an existing certificate is renewed, Venafi TLS Protect adds another entry to the Certificate object’s History tab. The Certificate History tab indicates the certificate(s) for which Trust Protection Platform has submitted a revocation request. For more information, see About Viewing Certificate History.
Revoke | n/a | Submits a revocation request to the certificate CA for previous versions of the certificate that have not yet expired. For example, if you renew a certificate several months before it expires, you could provision the certificate on all of its associated servers. Then, after ensuring everything is functioning properly, you could revoke all previous, valid versions of the certificate from the Certificate > History tab. For more information, see About revoking certificates manually.
Monitoring Tab | | The Monitoring tab defines the parameters for certificate expiration events. The recipients and delivery method (email, SNMP trap, etc.) for expiration notifications are defined in Notification and Channel objects. You must configure the channel and notification objects to send notifications for expiration events. For more information, see Managing certificate notifications. You can define monitoring settings at the policy level. To configure the certificate object’s monitoring settings, go to the Settings > Monitoring tab in the Policy object configuration. The certificate object monitoring settings defined in the Policy object may be inherited by all subordinate Certificate objects. For more information, see Policy object monitoring settings.
Settings | |
Disabled | | Disables monitoring for the current Certificate object.
Expiration Events | |
Start generating events | | Number of days before a certificate expires at which you want to start generating expiration events.
Send event every | | Frequency (in days) at which you want Trust Protection Platform to generate expiration events.
Escalation Expiration Events | |
Start escalating events | | Number of days before a certificate expires at which you want to start generating escalated expiration events.
Send event every | | Frequency (in days) at which you want Trust Protection Platform to generate escalated expiration events.
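As an added illustration (not part of the product documentation), the following Python function turns the four Expiration Events settings into the concrete dates on which events would fire for one certificate, which is useful for checking that the regular and escalation windows line up. It assumes that escalated events replace regular events once the escalation window opens; the page does not state this.

```python
from datetime import date, timedelta


def expiration_event_schedule(not_after, start, every, escalate_start, escalate_every):
    """Dates on which expiration events fire, given the Monitoring tab settings.

    start / every                   -> 'Start generating events' / 'Send event every'
    escalate_start / escalate_every -> the Escalation Expiration Events counterparts
    Assumption (not stated on the page): once the escalation window opens, only
    escalated events fire, so the two series never overlap.
    """
    if every <= 0 or escalate_every <= 0:
        raise ValueError("'Send event every' must be at least 1 day")
    schedule = []
    # Regular events: count down from `start`, stopping before the escalation window.
    for days_left in range(start, escalate_start, -every):
        schedule.append((not_after - timedelta(days=days_left), "expiration"))
    # Escalated events: count down from `escalate_start` until the day before expiry.
    for days_left in range(escalate_start, 0, -escalate_every):
        schedule.append((not_after - timedelta(days=days_left), "escalated expiration"))
    return schedule


def largest_gap_days(schedule):
    """Longest silence (in days) between consecutive events; a sanity check that
    'Send event every' is not set so large that the cert nearly expires unnoticed."""
    dates = sorted(d for d, _ in schedule)
    return max((b - a).days for a, b in zip(dates, dates[1:])) if len(dates) > 1 else 0
```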
Validation Tab | | Trust Protection Platform provides Network Validation for Certificate objects. During the Network Validation process, Trust Protection Platform sends an SSL request to the certificate’s server. If the server responds to the SSL request, Trust Protection Platform retrieves the certificate’s serial number and compares it to the certificate that Trust Protection Platform has archived for the corresponding Certificate object. The purpose of Network Validation is to confirm that the certificate is functional and to verify that the correct certificate is being used. If the server responds to the SSL request, Trust Protection Platform knows the certificate is functional. When it retrieves the certificate serial number, Trust Protection Platform can determine whether the correct certificate is being used. When you enable Network Validation on the Certificate object, the Validation Manager module runs daily validation checks and reports the results on the object’s Summary and Validation tabs. For more information, see About certificate and application validation.
Options | |
Disable | No | Disables all validation for the current Certificate object, including all validation-based notifications.
Network Settings | | The purpose of Network Validation is to confirm that the certificate is functional and to verify that the correct certificate is being used. Network Validation requires network access to the server where the application is installed.
Validation Disabled | | Disables Network Validation for the current Application object, including all related notifications. You can also disable Network Validation at the policy level. To disable Network Validation via Policy, go to the Settings > Certificate tab in the Policy object configuration. Disabling Network Validation in the Policy object disables Network Validation for all subordinate Network Certificate objects. For more information, see Policy object certificate settings.
Validation Host | No | Determines how Trust Protection Platform identifies the host server where the certificate is installed. Use Certificate Common Name (default): uses a DNS lookup to resolve the certificate’s Common Name, then validates the certificate at every IP address returned from the DNS lookup; Venafi TLS Protect can validate using both IPv4 and IPv6 connections. Specify Address: allows you to specify a single IP address.
Hostname | No | IP address or hostname you want to validate. Venafi TLS Protect supports both IPv4 and IPv6 connections. This option is read only if you select Specify Address.
Port | | Port that the Validation Manager uses to connect to the server where the application is installed. The Validation Manager uses an SSL connection to validate the application’s associated certificate. The default port is 443. You can also set the validation port at the policy level. To set the validation port via Policy, go to the Settings > Certificate tab in the Policy object configuration. The validation port defined in the Policy object may be inherited by all subordinate Network Certificate objects. For more information, see Policy object certificate settings.
Status | | The following fields display the results of the last validation. These fields are informational only and cannot be edited. For more information on validation status messages, see Review validation results.
Last Validation | n/a | Time and date of the last validation.
Network Result | n/a | Result of the most recent Network Validation.
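The following Python example, added here and not part of Trust Protection Platform or its documentation, reproduces the Network Validation check as the Validation tab describes it: resolve the Common Name to every IPv4/IPv6 address DNS returns, perform a TLS handshake with each address on the validation port, read the serial number out of the served certificate's DER encoding, and compare it with the archived serial. The function names and verdict strings are the example's own, and SAMPLE_DER is a constructed fragment, not a real certificate.

```python
import socket
import ssl

# Constructed sample: leading bytes of a DER cert up to serialNumber 0xabcdef0123456789.
SAMPLE_DER = bytes.fromhex("30123010a003020102020900abcdef0123456789")

def _der_tlv(buf, pos):
    """Return (tag, content_start, content_end) for the DER TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length, e.g. 0x82 nn nn
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def serial_from_der(der):
    """serialNumber of an X.509 certificate in DER form (RFC 5280 layout)."""
    tag, pos, _ = _der_tlv(der, 0)           # Certificate ::= SEQUENCE
    tag2, pos, _ = _der_tlv(der, pos)        # tbsCertificate ::= SEQUENCE
    if tag != 0x30 or tag2 != 0x30: raise ValueError("not a DER certificate")
    tag, start, end = _der_tlv(der, pos)
    if tag == 0xA0:                          # optional [0] EXPLICIT version (v2/v3)
        tag, start, end = _der_tlv(der, end)
    if tag != 0x02: raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(der[start:end], "big", signed=True)

def resolve_validation_hosts(common_name, port=443):
    """'Use Certificate Common Name' mode: every IPv4/IPv6 address DNS returns."""
    infos = socket.getaddrinfo(common_name, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def fetch_served_serial(address, port, server_name, timeout=5.0):
    """Handshake with one address; serial of the leaf it serves, None if no response."""
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # serial only, not trust
    try:
        with socket.create_connection((address, port), timeout=timeout) as sock, \
                ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            return serial_from_der(tls.getpeercert(binary_form=True))
    except OSError:
        return None

def network_validation_result(archived_serial, served):
    """Per-address verdicts; `served` maps address -> serial, or None for no TLS response."""
    def verdict(serial):
        if serial is None:
            return "no response"             # certificate not functional at this address
        return "match" if serial == archived_serial else "mismatch: served %x" % serial
    return {a: verdict(s) for a, s in served.items()}
```

To run it against a live host, build `served` as `{a: fetch_served_serial(a, 443, cn) for a in resolve_validation_hosts(cn)}` and pass it with the archived serial to `network_validation_result`.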
General Tab | |
Log Tab | n/a | Provides a view of all events triggered for the current object. An administrator must have a minimum of the Read permission to view this tab. For more information on the Log tab options, see Viewing log events.
Permissions tab | n/a | On the Permissions tab, you select the users or groups to whom you want to grant permissions to the current object. Then, you select which permissions you want the users or groups to have. You can also manage object permissions via parent objects, including the root Platform object or the Trust Protection Platform server object (found in the Platforms tree). If you configure Permissions in a parent object, those permissions are inherited by all subordinate objects.