Finding assets using filters on the Certificate Inventory list
You can use filters to quickly find items in Venafi Platform inventories. Items that can be filtered include certificates, SSH keys, devices, identities, credentials, or Server Agents.
From any inventory list you can apply one or more filters to narrow the results. For example, use filters when you want to find a specific item, or find a group of items that meet a more specific set of criteria.
On the Certificate Inventory, you must click the Apply Filters button at the top of the filter sidebar to see changes applied. This helps you by allowing you to specify multiple filter criteria before applying the filter and running the filter query, saving you time when working with certificates.
Filter Panel Groups and Filter Types
The filter panel contains the following filter
- Quick Filters. These are built-in filters provided by the system that help you identify common issues with your keys and certificates.
- Common Filters. These are filter fields that you will commonly use to find a specific item.
- Certificate Properties. This is a detailed list of all certificate properties, allowing you to filter on any property on the certificate. You can learn more about certificate properties in About certificate object settings.
- Validation. This is a list of validation properties, allowing you to filter the certificates based on their validation results.
- Discovery. This is a list of filters that allow you to find certificates based on discovery information.
EXAMPLE Show all certificates with a specific signature algorithm.
Suppose you need to filter the Inventory > Certificates list in TLS Protect to show only user certificates with a signature algorithm of sha256RSA. Click Certificate Properties and then select sha256RSA from the Signature Algorithm drop-down list, then click Apply Filters.
EXAMPLE Show which agents have not checked in for awhile.
Suppose you need to know which Server Agents have not checked in to Trust Protection Platform for the past 30 days. In TLS Protect, click Clients > Registered Clients on the menu bar to open the Registered Clients list view. All registered clients (which you must have permissions to view) appear in the list according to the default search criteria. To find the items that meet your unique criteria, apply the Not Seen In filter by setting it to 30 days. The list would then instantly update to display only those registered clients that have not checked in within the past 30 days.
To search for Objects using quick search
NOTE Quick Search does not allow you to search for agents.
-
In the Search box on the menu bar, type all or part of the name of the object you are looking for, and then press the Enter key.
- In the search results, click the name of an object to view its details.
To refine a list of discovered objects Using Filters
-
From the menu, open any of the inventory list views.
For example, click Inventory >
-
Using Filters, select and apply one or more filters to narrow the list of discovered items.
DID YOU KNOW? On the Certificate Inventory, you can add multiple filter criteria without refreshing the list. When your filter criteria are correct, click Apply Filters (at the top of the filter sidebar). This feature saves time when working with large certificate inventories.
- When you find the object you want in the inventory, click its name to view details.
EXAMPLE How search filtering works
All of the selections in a filter field are OR fields
In the example above, the search could be described in the following way:
Show me all certificates with (policy location of EMEA or EMEA/Marketing) and (a certificate type of Server Certificate or a Client Device Certificate) and (Status of Disabled and Expired-Long Term).
List of Quick Filters for Certificates
The following Quick Filters are available on the Certificate Inventory page.
| Quick Filter | Description |
|---|---|
| Lost & Found | Loads certificates with the Lost risk. |
| Pending My Approval | Loads certificates with the Pending My Approval status. For these certificates, you are listed as the approver, and they are waiting for your approval. |
|
In Error |
Loads certificates with the In Error status. Click the information icon to see details about each certificate's error. Alternatively, you can use the Edit Columns link to add the Error Details column to always display the error information. |
|
Expiring Soon |
Loads certificates with the Expiring Soon status. |
|
Distrusted Symantec |
Loads certificates that are distrusted by some web browsers because they are issued by one of the following CAs:
|
List of Common Filters for Certificates
The following Common Filters are available on the Certificate Inventory page.
| Common Filter | Description | Multi-value Support | Type |
|---|---|---|---|
| Status | Filters the certificate list to show only certificates that match a given status. For more information on certificate status see Certificate status and risks explained. |
Yes / AND |
Select from list |
| Risks | Filters the certificate list to show only certificates that match a given risk. The risk you filter on may apply to a certificate, but may not be displayed in the Risks column, due to the display priority of the risk condition. |
Yes / AND |
Select from list |
|
Certificate Name |
Searches the object name, the common name of the current certificate, and the common name renewal value. |
No |
Partial match search (starts with) |
|
Certificate Authority Template |
Filters the certificate list based on the most recent CA template used on the certificate. This will show all certificates currently linked to that CA template. This filter is based on renewal settings for certificates that have been renewed. |
Yes / OR |
Select from list |
|
Serial Number |
Filters based on the certificate's serial number. |
Yes / OR |
Partial match search (contains) |
|
Contacts |
Filters based on the certificate’s contact name or group. You can select multiple contacts, if needed. |
Yes / OR |
Search from list |
|
Approvers |
Filters based on the approver name or group. |
Yes / OR |
Search from list |
|
Installation Type |
Filters based on the installation type assigned to a certificate. In addition, you can also filter on certificates that have at least one installation of any type by selecting the "Any" option from the list. You can also filter on certificates with zero installations by selecting "None" from the list. |
Yes / OR |
Select from list |
|
Folder |
Filters based on the certificate's parent folder. When you select at least one folder, a checkbox appears allowing you to search through all sub-folders as well. |
Yes / OR |
Search from list |
|
Last Renewed By |
Filters based on the user who was the last one to renew the certificate. |
Yes / OR |
Search from list |
List of Certificate Properties
The following are a list of certificate properties filters available in the Certificate Inventory.
| Certificate Property | Description |
Multi-value Support |
Type |
|---|---|---|---|
|
Key Size |
The size of the key represents the relative strength of the key, with larger numbers representing more secure keys. |
Yes / OR |
Select from list |
|
Signature Algorithm |
The key algorithm associated with the certificate |
Yes / OR |
Select from list |
|
Validity Period |
Duration of validity for the certificate, allowing you to, for example, quickly see certificates with long validity periods, which represent higher risk than certificates with a shorter validity period. |
Yes / OR |
Select from list |
|
Organization |
Name of the organization listed on the certificate. |
Yes / OR |
Select from list |
|
Organizational Unit |
Name of the organizational unit listed on the certificate. |
Yes / OR |
Select from list |
|
City/Locality |
City listed on the certificate. |
Yes / OR |
Select from list |
|
State/Province |
State listed on the certificate. |
Yes / OR |
Select from list |
|
Country |
Country listed on the certificate. |
Yes / OR |
Select from list |
|
Domain Component |
If enabled by policy, and if used by the certificate, the domain components allowed by the certificate. |
Yes / OR |
Select from list |
|
Issuer |
Name of CA, organization, or device that issued the certificate. Allows "Self-signed" to show all self-signed certificates |
Yes / OR |
Select from list |
|
SANs - DNS |
The fully qualified domain name or common name associated with the certificate. Filter results will be displayed for search term found anywhere in the name (i.e. starts with, ends with, or contains). |
Yes / OR |
Search from list |
|
Validation Result |
Status of the most recent validation attempt for the certificate installation. |
Yes / OR |
Select from list |
|
Management Type |
The level of certificate management in Trust Protection Platform: unassigned, monitoring, enrollment, or provisioning. |
Yes / OR |
Select from list |
|
Certificate Type |
The type of certificate; for example, server certificate, user certificate, or client device certificate. |
Yes / OR |
Select from list |
|
Key Algorithm |
RSA Algorithm used by the key tied to the certificate. |
Yes / OR |
Select from list |
|
Elliptic Curve |
Which ecliptic curve is used for the certificate. |
Yes / OR |
Select from list |
|
Valid From |
First date that the certificate was valid. Can specify a specific date range, or a dynamic date range (next 60 days) |
Date Range |
Explicit or dynamic range |
|
Valid To |
Last date that the certificate is valid. Can specify a specific date range, or a dynamic date range (next 60 days) |
Date Range |
Explicit or dynamic range |
List of Validation Filters
The following are a list of Validation filters available on the Certificate Inventory
| Validation Filter | Description |
Multi-value support |
Type |
|---|---|---|---|
| Overall Result | Filter certificates based on whether validation for the certificate's endpoints either succeeded or failed. |
Yes / OR |
Select from list |
| Enabled Protocols | Filter certificates based on the protocols enabled for a certificate's endpoints. (For example, TLS 1.2 or TLS 1.3) |
Yes / OR |
Select from list |
| SSL/TLS Chain Result | Filter certificates based on the chain validation result for a certificate's endpoints. Possible chain results include: CA certificate omitted, chain not valid, expiring CA in chain, etc. |
Yes / OR |
Search from list |
| SSL/TLS End Entity Result | Filter certificates based on the End Entity validation result. Possible end entity results include: Connection failure, Hostname not resolvable, network validation not supported, no certificate match, no local certificate, etc. |
Yes / OR |
Select from list |
List of Discovery Filters
The following are a list of Discovery filters available on the Certificate Inventory. Use the Discovery filters to locate objects added by a network discovery job specified in the filter.
You need Read/View permission to select objects in the filter. You must set these permissions on\\VED\Discovery or on the job object.
| Discovery Filter | Description |
Multi-value support |
Type |
|---|---|---|---|
|
CA Trust Monitor |
Whether the CA trusts or distrusts the certificate. |
Yes / OR |
Select from list |
|
ACME Public Key Fingerprint |
The public key fingerprint (for ACME certificates). |
Yes / OR |
Select from list |
|
Added to Inventory by |
The method that was used to add the certificate to the inventory. (E.g. Agent Discovery, Aperture, Network Discovery, WebSDK). |
Yes / OR |
Select from list |
|
Certificate Origin |
The originator of the certificate. This filter is available only if Client Protect has been licensed. |
Yes / OR |
Select from list |
|
Network Discovery Job |
The network discovery job Note: When you select Last Scan Certificates Only, the filter will display only those objects that were modified by the last discover scan. |
Yes / OR |
Select from list |
|
Created On |
Date the certificate was created. Can specify a specific date range, or a dynamic date range (next 60 days) |
Date Range |
Explicit or dynamic range |