About local certificate settings

A local certificate is a certificate that a network scan utility retrieved from a computer's local file system. A corresponding certificate object appears in the Policy tree.

A certificate object is a container that holds the information Trust Protection Platform needs to monitor, enroll, or provision certificates. You can configure a certificate object's settings in a policy, or you can configure them directly on a certificate object itself. Some settings, such as domain whitelisting settings, can only be set on a policy.

BEST PRACTICE: You should consider managing certificate object settings using a policy. For more information, see Managing Local Certificates Via Policy.

The following table lists only the settings that are relevant to local certificate objects. The second column indicates whether the setting can also be managed using Policy. For details about other settings, see About certificate object settings.

Certificate object settings

Field

Policy

Description

Refresh

n/a

Refreshes the contents of the current page.

Print

n/a

Prints the contents of the current Detail View.

Certificate Tab

Summary Subtab

Provides an overview of the current certificate. For more information, see About a certificate's summary (Policy Tree).

Certificate Status

Status

n/a

Current status of the Certificate object. The status indicator shows one of three states:

There is no processing and the certificate is working.

The certificate is being processed. The status field provides a description of what is happening.

There is a problem and the certificate is not functioning. The status field provides a description of the problem.

Expiration Date

n/a

The date the certificate expires.

Settings Tab

Download

n/a

This option is available only in Policy Tree.

Downloads the certificate and, optionally, the private key and root chain from the Trust Protection Platform database and allows you to save it to a Base64, DER, PKCS#7, or PKCS#12 formatted file. If you select PKCS#12 format, you can define a password that will be required to access the downloaded certificate and private key.

For more information, see Downloading certificates, private keys, and root chains.

Import

n/a

This option is available only in Policy Tree.

Allows you to copy and paste a Base64-encoded certificate file (and, optionally, the private key) into Policy Tree. Trust Protection Platform automatically populates the Certificate object with the certificate data and, when you save the Certificate object, it archives the certificate file in the Trust Protection Platform database.

If the uploaded certificate includes the Private key, you must specify the password required to access the private key.

You must have the View and Write permissions to the Certificate object to import a certificate. If the certificate is in a format that includes the private key, you must also have the Private Key Write permission to the Certificate object.

For more information, see Importing an existing certificate.

General Information

Certificate Name

No

Unique name for the Certificate object.

This is a mandatory field.

Description

No

Description for the Certificate object.

Contact

User or group Identities assigned to this object. Default system notifications are sent to the contact identities.

Default contact = master administrator

To select the object contacts

Click the Browse button.

The Identity Selector dialog opens.

If the Identity Selector dialog is not populated, enter a search query to retrieve the Identity list. The administration console does not automatically display external users and groups. You must first enter a search string so Trust Protection Platform can query the external Identity store and return the list of requested users or groups. If you want to display all user or group entries, enter the wildcard character (*).

Select a User or Group Identity, and then click Select.

Press Shift+click to select multiple, contiguous users and groups.

Press Ctrl+click to select multiple, discontiguous users and groups.

You can manage this setting at the policy level. To configure the setting via Policy, go to the Settings > Certificate tab in the Policy object configuration. The setting defined in the Policy object may be inherited by all subordinate Certificate objects. For more information, see Policy object certificate settings.

Management Type

Currently, Trust Protection Platform only manages local certificates at the Monitoring level.

Under Monitoring, Trust Protection Platform monitors existing certificates and provides current information on the certificate status and lifecycle. When the certificate nears the end of its lifecycle, Trust Protection Platform notifies the administrator. It does not, however, renew the certificate. The administrator must manually create the CSR, send it to the certificate authority (CA), then retrieve and install the renewed certificate.

You can manage this setting at the policy level. To configure the setting via Policy, go to the Settings > Certificate tab in the Policy object configuration. The setting defined in the Policy object may be inherited by all subordinate Certificate objects. For more information, see Policy object certificate settings.

Subject DN

Common Name

No

Typically, the fully qualified domain name.

Subject Alt Name

No

The DNS-based Subject Alt Name(s) (SANs) associated with the current certificate.

Organization

Name that uniquely identifies the organization in the certificate.

You can manage this setting at the policy level. To configure the setting via Policy, go to the Settings > Certificate tab in the Policy object configuration. The setting defined in the Policy object may be inherited by all subordinate Certificate objects. For more information, see Policy object certificate settings.

Organization Unit

Department or division within the organization that is responsible for maintaining the certificate.

You can manage this setting at the policy level. To configure the setting via Policy, go to the Settings > Certificate tab in the Policy object configuration. The setting defined in the Policy object may be inherited by all subordinate Certificate objects. For more information, see Policy object certificate settings.

City, State/Province, Country

Location (city, state/province, and country) of your Organization or Organizational Unit.

You can manage this setting at the policy level. To configure the setting via Policy, go to the Settings > Certificate tab in the Policy object configuration. The setting defined in the Policy object may be inherited by all subordinate Certificate objects. For more information, see Policy object certificate settings.

Private Key

Private Key Stored

No

Indicates whether Trust Protection Platform currently has a copy of the certificate’s private key—Yes or No.

Key Strength (bits)

Certificate’s key strength.

You can manage this setting at the policy level. To configure the setting via Policy, go to the Settings > Certificate tab in the Policy object configuration. The setting defined in the Policy object may be inherited by all subordinate Certificate objects. For more information, see Policy object certificate settings.

Upload Private Key

No

Allows the administrator to paste the private key data or upload a private key file to the Trust Protection Platform database.

The private key must be Base64-encoded, and you must specify the password required to access the private key. You must have the Private Key Write, View, and Write permissions to the Certificate object to upload a private key.

For more information, see Manually Uploading the Private Key.

Other Information

CA Template

The CA that issued the certificate.

Trust Protection Platform does not currently enroll or provision local certificates, so this field is not required. However, you can use this field to monitor compliance with local certificate folders.

To select the CA Template object

Click the Browse button.

The Configuration Object Selector dialog opens.

Select a CA Template object, and then click Select.

For more information on CA Template objects, see CA integration setup.

You can manage the following settings at the policy level. To configure these settings via Policy, go to the Settings > Certificate tab in the Policy object configuration. The settings defined in the Policy object may be inherited by all subordinate Certificate objects. For more information, see Policy object certificate settings.

Key Generation

n/a

This option is not relevant to local certificates.

Renewal Window

n/a

This option is not relevant to local certificates.

Associations Tab

No

Lists the applications associated with the current certificate.

Trust Protection Platform does not currently enroll or provision local certificates, so this field is not required. However, you can use this field to identify the platform or keystore where the local certificate is located.

For more information and details about the options available in the Associations tab, see Associating certificates with applications.

Compliance Tab

n/a

The Compliance tab provides an assessment of the certificate’s compliance with its parent folder.

For more information, see Managing Local Certificates Via Policy.

Certificate Value

n/a

The Certificate Value column lists the certificate values as they are currently defined in the certificate. Certificate Values are listed as being in or out of policy.

Renewal Value

n/a

The Renewal Value column lists the certificate values currently defined in the Certificate object. Renewal values also reflect policy status.

History Tab

n/a

The Certificate History tab lists the common name, serial number, issuer, and valid dates for each edition of the certificate associated with the current Certificate object. Each time a new certificate is issued or an existing certificate is renewed, Trust Protection Platform adds another entry to the Certificate object’s History tab.

For more information, see About Viewing Certificate History.

Monitoring Tab

The Monitoring tab defines the parameters for certificate expiration events.

The recipients and delivery method (email, SNMP trap, etc.) for expiration notifications are defined in Notification and Channel objects. You must configure the Channel and Notification objects to send notifications for expiration events. For more information, see Managing certificate notifications.

You can define Monitoring settings at the policy level. To configure the Certificate object’s monitoring settings, go to the Settings > Monitoring tab in the Policy object configuration. The Certificate object monitoring settings defined in the Policy object can be inherited by all subordinate Certificate objects. For more information, see Policy object monitoring settings.

Settings

Disabled

Disables monitoring for the current Certificate object.

Expiration Events

Start generating events

Number of days before a certificate expires that you want to start generating expiration events.

Send event every

Frequency (in days) at which you want Trust Protection Platform to generate expiration events.

Escalation Expiration Events

Start escalating events

Number of days before a certificate expires that you want to start generating escalated expiration events.

Send event every

Frequency (in days) at which you want Trust Protection Platform to generate escalated expiration events.

General Tab

Log Tab

n/a

Provides a view of all events triggered for the current object.

An administrator must have a minimum of the Read permission to view this tab.

For more information on the Log tab options, see Viewing log events.

Permissions Tab

n/a

On the Permissions tab, you select the users or groups to whom you want to grant permissions to the current object. Then, you select which permissions you want the users or groups to have. You can also manage object permissions via parent objects, including the root Platform object or the Trust Protection Platform server object (found in the Platforms tree).

If you configure Permissions in a parent object, those permissions are inherited by all subordinate objects.