Configuring value thresholds using Account Preferences

Throughout Venafi Platform, the system shows you information based on thresholds that you create to ensure you are protecting your key and certificate data in accordance with your organization's policies and objectives. Venafi Platform is designed to give you flexibility in providing warnings based on thresholds you define. These thresholds affect not only the data you see across the dashboards, but also apply to the way keys and certificates are reported to you throughout Venafi Platform.

Users can access the Account Preferences screen to configure these thresholds for themselves. Additionally, system administrators can set and lock values, so all users in the organization must use the same settings.

Setting threshold values for an individual

  1. On the menu, click the user icon, then click Preferences.
  2. From the left, select a product (TLS Protect and Client Protect; SSH Protect; or CodeSign Protect) depending on which settings you wish to modify.
  3. Modify the threshold values as needed.
  4. Click Save.

Setting threshold values across the organization

  1. Log in as the master admin.
  2. On the menu, click on the user icon, then click Preferences.
  3. From the left, select a product (TLS Protect and Client Protect; SSH Protect; or CodeSign Protect) depending on which settings you wish to modify.
  4. Modify the threshold values as needed.
  5. Click the lock icon to prevent others in your organization from setting a different personal value. If the value is locked, and you want users to be able to configure this value for themselves, click the unlock icon.

    NOTE  Modifying these values without locking them will only modify them for your account, not for other users in your organization.

  6. Click Save.

TLS Protect and Client Protect settings

Account Preferences settings for TLS Protect and Endpoint Protect

| Name | Default | Description |
|------|---------|-------------|
| Flag certificates with a key smaller than | 2048 (Bits) | For some key types, smaller key lengths can be less secure, and you may want to ensure small keys are flagged by the system. This value is stored in bits. |
| Flag certificates with a validity period greater than | 397 (Days) | Certificates with long validity periods may be more susceptible to being compromised. Set this value in days. (The default is 397 days.) |
| Approved Signing Algorithm | SHA256, SHA384, SHA512 | Select from the list of signing algorithms the ones you want to trust as 'approved.' Certificates with signing algorithms not in this list will be marked as a security risk. To see a full list of algorithms, click inside the box. |
| Flag certificates as Expired - Long Term if expired for longer than | 30 (Days) | Expired certificates are grouped into two categories: (1) Expired - short term; and (2) Expired - long term. This helps you with analysis and reporting to recognize items that have recently expired so you can take action on them, if necessary. Set this value in days. |
| Flag certificates as Expiring Soon if expiring in less than | 30 (Days) | To give you enough time to take action on a soon-to-expire certificate, the system begins warning you before a certificate will expire. This value controls how early you want to be alerted to expiring certificates. Set this value in days. |
| Flag certificates that are | Within the second half of their renewal period | Helps you identify certificates that need renewal only after they have reached a point in their life cycle (half way, for example). This is more flexible than a number of days, as it takes into account the overall validity period. |
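
The default thresholds in the table above, applied to certificate records, as an added example that is not Venafi code and does not use a Venafi API. The `Cert` record, the flag labels and the sample data are constructed for illustration, and "second half of their renewal period" is assumed here to mean past the midpoint of the certificate's validity period.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Thresholds:  # defaults taken from the TLS Protect table above
    min_key_bits: int = 2048
    max_validity_days: int = 397
    approved_sig_algs: tuple = ("SHA256", "SHA384", "SHA512")
    expired_long_term_days: int = 30
    expiring_soon_days: int = 30

@dataclass
class Cert:  # hypothetical inventory record, not a Venafi object
    name: str
    key_bits: int
    sig_alg: str
    not_before: datetime
    not_after: datetime

def flags(cert, now, t=Thresholds()):
    """Return the threshold flags that apply to one certificate at time `now`."""
    out, lifetime = [], cert.not_after - cert.not_before
    if cert.key_bits < t.min_key_bits:
        out.append("small key")
    if lifetime > timedelta(days=t.max_validity_days):
        out.append("long validity")
    if cert.sig_alg not in t.approved_sig_algs:
        out.append("unapproved signing algorithm")
    if now > cert.not_after:
        # Expired certificates fall into exactly one of two groups.
        long_term = now - cert.not_after > timedelta(days=t.expired_long_term_days)
        out.append("expired - long term" if long_term else "expired - short term")
    else:
        if cert.not_after - now < timedelta(days=t.expiring_soon_days):
            out.append("expiring soon")
        # Assumption: "second half" = past the midpoint of the validity period.
        if now > cert.not_before + lifetime / 2:
            out.append("second half of validity period")
    return out

NOW = datetime(2024, 6, 1)  # fixed evaluation time so results are repeatable
SAMPLES = [  # constructed sample data
    Cert("web01", 2048, "SHA256", datetime(2024, 1, 1), datetime(2025, 1, 1)),
    Cert("legacy", 1024, "SHA1", datetime(2020, 1, 1), datetime(2024, 5, 20)),
    Cert("api", 4096, "SHA384", datetime(2023, 6, 10), datetime(2024, 6, 15)),
]
if __name__ == "__main__":
    for c in SAMPLES:
        print(c.name, flags(c, NOW))
```

The "second half" check scales with each certificate's lifetime, which is why `api` is flagged by it while `web01`, issued later and not yet at its midpoint, is not.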

SSH Protect settings

Account Preferences settings for SSH Protect

| Name | Default | Description |
|------|---------|-------------|
| Flag keys with a key smaller than | 1024 (Bits) | Smaller keys are typically less secure keys, and you may want to ensure small keys are flagged by the system. This value is stored in bits. |
| Flag keys as Unused Authorized Keys if not used for | 365 (Days) | SSH Protect tracks authorized key usage. If an authorized key has not been used for a long period of time it may be time to remove the key so it no longer has any access to your systems. This helps protect your system so old keys can't be used to access the system by somebody who is no longer authorized to have access. Set this value in days. |

CodeSign Protect settings

On the CodeSign Protect User Preferences, you can re-enable the First Project dialog, as if you are logging into the product for the first time. Click Clear Setting to see this dialog again.