Configuring value thresholds using Account Preferences

Throughout Venafi Platform, the system shows you information based on thresholds that you create to ensure you are protecting your key and certificate data in accordance with your organization's policies and objectives. Venafi Platform is designed to give you flexibility in providing warnings based on thresholds you define. These thresholds affect not only the data you see across the dashboards, but also apply to the way keys and certificates are reported to you throughout Venafi Platform.

Users can access the Account Preferences screen to configure these thresholds for themselves. Additionally, system administrators can set and lock values, so all users in the organization must use the same settings.

Setting threshold values for an individual

1. On the menu, click the user icon, then click Preferences.
2. From the left, select a product (TLS Protect & Client Protect; SSH Protect; or CodeSign Protect) depending on which settings you with to modify.
3. Modify the threshold values as needed.
4. Click Save.

Setting threshold values across the organization

1. Log in as the master admin.
2. On the menu, click on the user icon, then click Preferences.
3. From the left, select a product (TLS Protect & Client Protect; SSH Protect; or CodeSign Protect) depending on which settings you with to modify.
4. Modify the threshold values as needed.

5. Click the lock icon to prevent others in your organization from setting a different personal value. If the value is locked, and you want users to be able to configure this value for themselves, click the unlock icon .

   NOTE  Modifying these values without locking them will only modify them for your account, not for other users in your organization. Locking these values locks the value for all users.

6. Click Save.

TLS Protect and Client Protect settings

Account Preferences settings for TLS Protect and Endpoint Protect

Name	Default	Description
Flag certificates which use a key algorithm with a strength of	80 (bits)	For some key types, smaller key lengths are less secure, You can choose to flag and report certificates that use shorter key length algorithms. This value is stored in bits.
Flag certificates with a validity period greater than	397 (Days)	Certificates with long validity periods may be more susceptible to being compromised. Set this value in days. (The default is 397 days.)1  In version 20.3 and older, the default value was 820 days, however the major browser vendors no longer accept public certificates with a validity period longer than 397 days. If you had a version of Venafi Platform earlier than 20.4 and you left this value at the default, upon upgrade to 20.4 (or later) the new default of 397 days will apply. However, if you had customized this value, upon upgrade to 20.4 (or later) your previous custom value will be used.
Weak Signing Algorithm	None	Allows and reports algorithms considered to be less secure or outdated for signing operations.
Flag certificates as Expired - Long Term if expired for longer than	30 (Days)	Expired certificates are grouped into two categories: (1) Expired - short term; and (2) Expired - long term. This helps you with analysis and reporting to recognize items that have recently expired so you can take action on them, if necessary. Set this value in days.
Flag certificates as Expiring Soon if expiring in less than	30 (Days)	To give you enough time to take action on a soon-to-expire certificate, the system begins warning you before a certificate will expire. This value controls how early you want to be alerted to expiring certificates. Set this value in days.
Support Large Object Trees	No	Setting to "Yes" will force all users' administration consoles to launch in query mode. See Start the console in Query mode

SSH Protect settings

Account Preferences settings for TLS Protect and Endpoint Protect

Name	Default	Description
Flag certificates which use a key algorithm with a strength of	80 (bits)	For some key types, smaller key lengths are less secure, You can choose to flag and report certificates that use shorter key length algorithms. This value is stored in bits.
Flag keys as Unused Authorized Keys if not used for	365 (Days)	SSH Protect tracks authorized key usage. If an authorized key has not been used for a long period of time it may be time to remove the key so it no longer has any access to your systems. This helps protect your system so old keys can't be used to access the system by somebody who is no longer authorized to have access. Set this value in days.

CodeSign Protect settings

On the CodeSign Protect User Preferences, you can re-enable the First Project dialog, as if you are logging into the product for the first time. Click Clear Setting to see this dialog again.