About certificate object settings

The certificate object provides the information Trust Protection Platform needs to monitor, enroll, and provision network certificates.

Additionally, consider managing certificate object settings via policy. For more information, see Using policies to manage encryption assets.

The following table describes the configuration settings for a network certificate object. The second column indicates if the setting may also be managed via Policy.

Field

Policy

Description

Refresh

n/a

Refreshes the contents of the current page.

Print

n/a

Prints the contents of the current Detail View.

Certificate Tab

Summary Tab

Provides a snapshot of the current certificate. It lists the certificate status, all associated applications, the certificate signature chain, and the certificate details.

Any user with the write permission to the certificate can access all of the options in the Certificate Summary tab and view all summary data, including information about the certificate’s associated applications regardless of whether the user has permissions to the associated applications themselves.

For more information, see About a certificate's summary (Policy Tree).

Restart

n/a

Clears all errors and stages on the certificate and its associated application(s), then restarts processing from the beginning.

In Policy Tree, this option is available under Fix > Restart Processing from the Beginning.

This option is provided for circumstances in which the certificate or application was misconfigured. This option allows you to restart the certificate processing so the correct information can be used. For example, if you misspelled the certificate’s common name, you could correct the spelling error, then restart the renewal process so the change is reflected in the new certificate. You can use the Restart option at any point during the renewal process.

This option is relevant only to certificates managed under Enrollment or Provisioning.

For more information, see About clearing certificate workflow errors.

Retry

n/a

Clears the certificate error, then retries the last processing stage.

In Policy Tree, this option is available under Fix > Retry Last Failed Operation.

If the certificate is currently in an error state, this option clears the error, then queues the certificate to retry the current stage. For example, if a certificate was configured with an invalid CA template, you could reconfigure the CA template, and then click Retry to resume the renewal process.

If there is an error on the certificate’s associated application(s), then Trust Protection Platform reattempts to install the certificate on the associated application(s). Disabled applications are skipped.

This option is available only for certificates managed under Enrollment or Provisioning.

For more information, see About clearing certificate workflow errors.

Reset

n/a

Clears errors and stages on the certificate and its associated applications, then stops processing.

In Policy Tree, this option is available under Fix > Reset Errors and Stop Operation.

This option is provided for circumstances in which there is an error at some stage of the certificate lifecycle and you decide to abort the current renewal process. For example, if a certificate completed the enrollment process, but failed when installing on one of the associated applications, you could manually install the certificate on the application, and then click Reset to clear the error. In this instance, no further processing would be necessary.

This option is relevant only to certificates managed under Enrollment or Provisioning.

For more information, see About clearing certificate workflow errors.

Validate Now

n/a

Instantly runs a validation check on the current certificate according to the settings configured in the object’s Validation tab.

For more information on Certificate object validation, see About certificate and application validation.

Revoke/Revoke and Disable

n/a

The Revoke option submits a revocation request to the certificate CA.

The Revoke and Disable option sends a revocation request to the certificate CA and disables the current Certificate object. If you disable the Certificate object, Trust Protection Platform stops all certificate processing—that is, it will not monitor, enroll, or provision the certificate.

For more information, see About revoking certificates manually.

Change Certificate Type

n/a

Allows you to change the certificate type of a certificate in case it is misclassified.

To see a list of certificate types, see Overview of certificate types.

Certificate Status

Status

n/a

Just below the Certificate Status title bar, Trust Protection Platform displays the current status of the certificate object, including the following common messages:

There is no processing and the certificate is working.

The certificate is being processed. The status field provides a description of what is happening.

There is a problem and the certificate is not functioning. The status field provides a description of the problem.

Workflow request has been rejected.

Processing Stage

n/a

If the certificate is currently under processing, Trust Protection Platform indicates the current stage of the certificate lifecycle. For example, if Trust Protection Platform is currently waiting to retrieve the certificate from the CA, it displays the following:

700 (Retrieving certificate from CA)

If the certificate is not currently under processing, the processing stage is “None.” If processing is disabled on the application, the processing stage is “n/a” (not applicable).

The processing stages listed are specific to each device. For more information, see About certificate lifecycle management.

Certificate Processing

n/a

Indicates if the certificate processing is enabled or disabled.

If the Certificate object is disabled, Trust Protection Platform does not monitor, validate, enroll, or provision the certificate.

Certificate Processing is enabled or disabled on the Settings tab.

Expiration Date

n/a

The date the certificate expires.

Last Validation

n/a

Time and date of the last validation.

Network Result

n/a

Result of the most recent Network Validation.

Associated Applications

n/a

All applications where the current certificate is installed.

Settings Tab

Renew Now

n/a

Queues the certificate for renewal. Error and status attributes are cleared on the certificate and its associated application(s).

NOTE  This option is available only for certificates managed under Enrollment or Provisioning.

In order for Trust Protection Platform to automatically renew a certificate, the Processing Disabled option must not be selected.

In Policy Tree, the Renew Now option is available on both the Certificate Summary page and the Certificate Settings page.

Trust Protection Platform only attempts the renewal; it does not revoke the existing certificate. For information on revoking a certificate, see About revoking certificates manually.

A user must have write permissions to manually restart a certificate renewal.

For more information, see Renewing a certificate manually.

Download

n/a

This option is available only in Policy Tree.

Downloads the certificate and, optionally, the private key and root chain from the Trust Protection Platform database and allows you to save it to a Base64, DER, PKCS#7, or PKCS#12 formatted file. If you select PKCS#12 format, you can define a password that will be required to access the downloaded certificate and private key.

For more information, see Downloading certificates, private keys, and root chains.

Import

n/a

This option is available only in Policy Tree.

Allows you to copy and paste a Base64-encoded certificate file (and, optionally, the private key) into Policy Tree. Trust Protection Platform automatically populates the certificate object with the certificate data and, when you save the certificate object, it archives the certificate file in the Trust Protection Platform database.

If the uploaded certificate includes the private key, you must specify the password required to access the private key.

You must have the view and write permissions to the certificate object to import a certificate. If the certificate is in a format that includes the private key, you must also have the Private Key Write permission to the certificate object.

For more information, see Importing an existing certificate.

Retrieve Certificate

n/a

This option is available only in Policy Tree.

Retrieves the certificate from a designated host or IP address and port.

Trust Protection Platform supports both IPv4 and IPv6 connections.

If the current certificate is managed at the Monitoring level, you can use this option to update the certificate in the Trust Protection Platform database after you have manually renewed the certificate on the target device.

You can set up a Notification to alert you when the certificate has been updated on the target application. For more information on this configuration, see Review validation results.

If the current certificate is managed at the Enrollment or Provisioning levels, you can use this option to retrieve the certificate from the CA.

You must have the view and write permissions to the certificate object to retrieve a certificate.

For more information, see Retrieving certificates.

General Information

Certificate Name

No

Unique name for the certificate object.

This is a mandatory field.

Description

No

Use to describe what the certificate is used for.

Contact

User or group Identities assigned to this object. Default system notifications are sent to the contact identities.

Default contact = master administrator

To select the object contacts

  1. Click the Browse button.

    The Identity Selector dialog opens.

  2. If the Identity Selector dialog is not populated, enter a search query to retrieve the Identity list. The administration console does not automatically display external users and groups. You must first enter a search string so Trust Protection Platform can query the external Identity store and return the list of requested users or groups. If you want to display all user or group entries, enter the wildcard character (*).
  3. Select a User or Group Identity, and then click Select.

    Press Shift+click to select multiple, contiguous users and groups. Press Ctrl+click to select multiple, discontiguous users and groups.

You can manage this setting at the policy level. To configure the setting via Policy, go to the Settings > Certificate tab in the Policy object configuration. The setting defined in the Policy object may be inherited by all subordinate Certificate objects. For more information, see Policy object certificate settings.

Approver

User or group Identities assigned to approve workflows (certificate approval or injection command) for the current certificate object. For more information on defining workflow objects, see Workflow management.

Default approver = master administrator

To select the Certificate object approvers

  1. Click the Browse button.

    The Identity Selector dialog opens.

  2. If the Identity Selector dialog is not populated, enter a search query to retrieve the Identity list. The administration console does not automatically display external users and groups. You must first enter a search string so Trust Protection Platform can query the external Identity store and return the list of requested users or groups. If you want to display all user or group entries, enter the wildcard character (*).
  3. Select a User or Group Identity, and then click Select.

    Press Shift+click to select multiple, contiguous users and groups. Press Ctrl+click to select multiple, discontiguous users and groups.

You can manage this setting at the policy level. To configure the setting via Policy, go to the Settings > Certificate tab in the Policy object configuration. The setting defined in the Policy object may be inherited by all subordinate Certificate objects. For more information, see Policy object certificate settings.

Processing Disabled

No

Disables monitoring, enrollment, and provisioning of the current certificate. This means that Trust Protection Platform does not generate notifications, validate, or attempt renewal for the current Certificate object.

This option is useful when you are building the certificate configuration but it is not yet complete. Select Processing Disabled to disable the object until you’re ready for it to be active. In this way, you can avoid system processing errors due to an incomplete configuration.

Management Type

Level where subordinate certificates are to be managed.

Change a certificate's management type.

Trust Protection Platform provides the following levels of certificate management for Kubernetes Policy, Cluster, and Namespace objects:

  • Monitoring: Trust Protection Platform monitors existing certificates and provides current information on the certificate status and lifecycle. When the certificate nears the end of its lifecycle, Trust Protection Platform notifies the administrator. It does not, however, renew the certificate. The administrator must manually create the CSR, send it to the certificate authority (CA), then retrieve and install the renewed certificate.
  • Enrollment: Trust Protection Platform can automatically generate and submit CSRs to Certificate Authorities using the parameters defined in designated CA Template objects. If preferred, the administrator can manually generate the CSR, then upload it to Trust Protection Platform to complete the enrollment process with the appropriate CA. After the CA signs the certificate, Trust Protection Platform retrieves the certificate and securely stores it in the central database. The administrator must then download the certificate from Trust Protection Platform and install it on the target systems.
  • Provisioning: Trust Protection Platform manages the entire certificate lifecycle—it automatically requests, installs, and monitors your system certificates.
  • Unassigned: Unlicensed Trust Protection Platform certificates and keys that do not allow network validation, expiration monitoring, enrollment, provisioning, or onboard validation. However, they are included in selected reports and on the dashboard.

You can manage this setting at the policy level. To configure the setting via Policy, go to the Settings > Certificate tab in the Policy object configuration. The setting defined in the Policy object may be inherited by all subordinate Certificate objects. For more information, see Policy object certificate settings.

CSR Generation

Determines how CSRs are generated.

  • Service Generated CSR: Trust Protection Platform automatically generates the CSR. If a certificate is associated with multiple applications, the CSR will be centrally generated so Trust Protection Platform can push the private key to both applications. Remote CSR generation does not allow private key sharing across multiple applications. Only a 1-1 relationship is supported.
  • User Provided CSR: CSR is manually generated by the administrator, then uploaded to Trust Protection Platform.

    DID YOU KNOW?  Today, you can specify SANs on your CSR, but only if the CSR has no embedded SANs. Not all CAs support adding additional SANs (additive SANs); so to allow maximum compatibility across many CAs, Trust Protection Platform prevents the use of additive SANs.

Trust Protection Platform always generates CSRs in compliance with the certificate object’s current parent policy. If the CSR is user-submitted, Trust Protection Platform does not accept the CSR unless it is “in policy.”

You can manage this setting at the policy level. To configure the setting via policy, go to the Settings > Certificate tab in the Policy object configuration. The setting defined in the Policy object may be inherited by all subordinate Certificate objects. For more information, see Policy object certificate settings.

Generate Key/CSR on Application

Determines where the CSR and the private key are generated.

If you do not select this option, the CSR and the private key are centrally generated on the Trust Protection Platform server, then securely copied to the application.

If you do select this option, the CSR and the private key are locally generated on the application’s server.

In the case of central generation, the certificate and private key are archived in the Trust Protection Platform database. However, for remote generation, only the certificate is stored in the database.

You can manage this setting at the policy level. To configure the setting via Policy, go to the Settings > Certificate tab in the Policy object configuration. The setting defined in the Policy object may be inherited by all subordinate Certificate objects. For more information, see Policy object certificate settings.

IMPORTANT  When one or more of the following items are true, Remote Generation is not supported and, therefore, the Generate Key/CSR on Application setting is ignored.

  • You're using a driver that does not support remote generation.

    To learn which drivers support remote generation, see Supported integrations: devices, applications, services and features supported by Venafi.

  • You're using a self-signed CA template to enroll a certificate; self-signed CA templates do not work with remote generation.

    This is because Trust Protection Platform requires that the private key be stored centrally so that it can be used to sign the self-signed certificate.

  • Your certificate is associated with more than one application; to work correctly, the certificate must be associated with one application.
  • You have not set the certificate's management type setting to Provisioning.
  • You're doing one-to-many provisioning.

Hash Algorithm

For the certificate signing request, choose either SHA-256, SHA-384, or SHA-512. The default is SHA-256.

See About signing algorithms.

Upload CSR

No

Allows the administrator to paste the CSR data or upload a CSR file to the Trust Protection Platform database. The CSR file must be Base64 encoded.

If Service Generated CSR is selected, then the uploaded CSR values are added only to the unlocked SubjectDN fields that are editable. No check is made to ensure that the values adhere to the policy.

If User Provided CSR is selected, then the uploaded CSR values must adhere to the policy before they are applied to the Certificate object. If they do adhere to the policy, they are added to the certificate and stored in the Trust Protection Platform database when the Certificate object is saved.

For more information, see Manually uploading the CSR.

If the CSR is user provided, you may also want to upload the private key so it is archived in the Trust Protection Platform database. Trust Protection Platform must have a copy of the certificate’s private key to provision certificates and key pairs. For more information, see Manually Uploading the Private Key.

Subject DN

Common Name

No

Typically, the fully qualified domain name.

Subject Alt Name

No

The DNS-based Subject Alt Name(s) (SANs) associated with the current certificate.

NOTE  Symantec has a limit of 20 SAN entries. If you enter more than 20 SANs, the Symantec CA returns the following error: “The specified Certificate Authority has a limit of 20 SubjectAltNames.”

Trust Protection Platform includes the SANs in the certificate CSR. If the CA does not accept SAN entries in the CSR (RedHat is the only currently supported CA that does not accept SAN entries in the CSR), then Trust Protection Platform provides the SAN values to the CA out-of-band during the certificate approval process.

If the certificate requires manual approval, Venafi TLS Protect does not include the SAN values in the CSR. Instead, it notifies the approver to provide the DNS SAN values when approving the certificate.

To enable Venafi TLS Protect to provision SAN certificates, your configuration must meet the following criteria:

Verify that your CA supports DNS-based SAN values.

NOTE   DNS SANs are included in the Unified Communications Certificates that are used with Microsoft Exchange 2007 and Microsoft Office Communications Server.

At present, the Entrust Security Manager CA does not support DNS-based SANs.

If you use Microsoft, RedHat, or Symantec CAs, you must verify the SAN feature is enabled on your CA engine. If you enter a SAN value but the SAN feature is not enabled on your CA, the CA returns the following error when Venafi TLS Protect attempts to submit the CSR:

Stage 400 (Creating CSR) SubjectAltName not supported by Application and CA.

The Subject Alt Name Enabled option must be enabled on the certificate’s associated CA template object; otherwise, the CA template object will not accept CSRs with SAN values.

For more information, see your associated CA template object configuration in CA integration setup.

If you do not enable the Subject Alt Name Enabled option on the certificate’s associated CA template object, Trust Protection Platform returns the following error when it attempts to submit the CSR:

Stage 400 (Creating CSR) SubjectAltName not supported by Application and CA.

If you enable the Generate Key/CSR on Application option in the current Certificate object, you must verify that the Application driver for the certificate’s consumer applications can generate a CSR with SAN values.

IMPORTANT  At present, only the GSK application can generate a CSR with SAN values.

To enable the GSKit 7.x driver to generate a CSR with SAN values, you must set the SAN support value to true in the ikminit.properties file as follows:

DEFAULT_SUBJECT_ALTERNATIVE_NAME_SUPPORT=true

The ikminit.properties file may be written to several locations. Search for and change all instances of the file in the file system. The default locations are %GSK_HOME%\classes and *c:*.

If you enable the Generate Key/CSR on Application option in the certificate object and the certificate’s consumer application is an Apache web server or other application that consumes a PEM file in a non-Windows environment, NetScaler device, or an F5 network appliance, then Venafi TLS Protect must provide the SAN values to the CA out-of-band. This is not a problem for Microsoft or RedHat, or Thawte, or Symantec certificates. However, the RSA Keon CA does not accept out-of-band values.

If you enable the Generate Key/CSR on Application option in the certificate object and the certificate’s consumer application is a GSK keystore, but the SAN feature is not enabled on your CA, then the CA returns the following error:

Create CSR failed with error: {0}, Subject Alternative Name support not enabled.

The error message also provides information about what file needs to be modified to support SAN.

Organization

Name that uniquely identifies the organization in the certificate.

You can manage this setting at the policy level. To configure the setting via Policy, go to the Settings > Certificate tab in the Policy object configuration. The setting defined in the Policy object may be inherited by all subordinate Certificate objects. For more information, see Policy object certificate settings.

Organization Unit

Department or division within the organization that is responsible for maintaining the certificate.

You can manage this setting at the policy level. To configure the setting via Policy, go to the Settings > Certificate tab in the Policy object configuration. The setting defined in the Policy object may be inherited by all subordinate Certificate objects. For more information, see Policy object certificate settings.

City, State/Province, Country

Location (city, state/province, and country) of your Organization or Organizational Unit.

You can manage this setting at the policy level. To configure the setting via Policy, go to the Settings > Certificate tab in the Policy object configuration. The setting defined in the Policy object may be inherited by all subordinate Certificate objects. For more information, see Policy object certificate settings.

Domain Whitelist

Allowed Domains

Enter the suffix of allowed domains.

Examples:

  • .com
  • acme.com
  • sales.acme.com

If you leave this field blank, ALL domains will be allowed.

Allow Wildcards

The default is Yes. Select No to prohibit wildcards.

Allow Duplicate Common and Subject Alternate Names

The default is Yes. Select No to require unique names.

Private Key

Private Key Stored

No

Indicates whether Trust Protection Platform currently has a copy of the certificate’s private key—Yes or No.

Trust Protection Platform must have a copy of the private key to provision certificates and key pairs.

If Trust Protection Platform does not have a copy of the certificate’s private key, then you can do one of the following:

Manually import the certificate and private key. For more information, see Manually Uploading the Private Key.

If Automate Renewal is selected, you can wait until Trust Protection Platform renews the certificate or click Renew Now to generate a new key pair.

Key Algorithm

Choose either RSA or ECC (Elliptic Curve Cryptography).

Depending on which one you choose, make a key strength or elliptic curve selection from the corresponding controls.

To learn more about these cryptographies and see a comparison chart, see About RSA and elliptic curve cryptography (ECC) key algorithms.

NOTE  The most broadly supported elliptic curve is P256. The other curves, P384 and P521, may be rejected by some CAs that support ECC. Venafi does not support SECP256. Venafi Platform only supports NIST EC curves.

Certificate authorities that support ECC algorithms

Certificate Authority

Notes

Adaptable CA

Supported

Sectigo Certificate Manager (SCM)

May require the addition of special account features. Contact the CA for help.

DigiCert CertCentral

Supported

Entrust Certificate Services

Requires a certificate product that supports ECC such as Advantage.

GlobalSign

Supported

HID PKIaaS

May require the addition of special account features. Contact the CA for help.

Microsoft Active Directory Certificate Services (ADCS) - Enterprise and Standalone

Requires a template that uses an EC algorithm name (Cryptography tab).

Open SSL

Supported

QuoVadis

May require the addition of special account features. Contact the CA for help.

RedHat Certificate System

May require special features that are not installed or licensed by default. Contact the CA for help.

RSA Certificate Manager

May require special features that are not installed or licensed by default. Contact the CA for help.

Self-signed

Supported

Symantec MPKI

Requires a certificate product that supports ECC such as Premium and an ECDSA signature algorithm specified on the CA template.

Verizon UniCERT

May require special features that are not installed or licensed by default. Contact the CA for help.

Certificate authorities that do not support ECC algorithms

Amazon Certificate Manager

GeoTrust Reseller

VikingCloud

Reuse Private Key

Reuses the original private key when renewing the certificate.

You can manage this setting at the policy level. To configure the setting via Policy, go to the Settings > Certificate tab in the Policy object configuration. The setting defined in the Policy object may be inherited by all subordinate Certificate objects. For more information, see Policy object certificate settings.

Key Strength (bits)

Certificate’s key strength.

If the key strength value conflicts with what the application can handle/requires, the application ignores the policy and sets the value accordingly. For example, if you set this value to 2048-bit encryption, but the target application cannot handle 2048-bit certificates, Trust Protection Platform generates the certificate CSR using 1024-bit encryption.

You can manage this setting at the policy level. To configure the setting via Policy, go to the Settings > Certificate tab in the Policy object configuration. The setting defined in the Policy object may be inherited by all subordinate Certificate objects. For more information, see Policy object certificate settings.

Upload Private Key

No

Allows the administrator to paste the private key data or upload a private key file to the Trust Protection Platform database.

The private key must be Base64 encoded and you must specify the password required to access the private key. You must have the Private Key Write, View, and Write permissions to the Certificate object to upload a private key.

If the CSR is user provided, you may also want to upload the private key so it is archived in the Trust Protection Platform database. Trust Protection Platform must have a copy of the certificate’s private key to provision certificates and key pairs.

For more information, see Manually Uploading the Private Key.

Other Information

You can manage the following settings at the policy level. To configure these settings via Policy, go to the Settings > Certificate tab in the Policy object configuration. The settings defined in the Policy object may be inherited by all subordinate Certificate objects. For more information, see Policy object certificate settings.

CA template

CA template object that Venafi TLS Protect references to generate the CSR and submit it to the CA.

To select the CA template object

  1. Click the Browse button.

    The Configuration Object Selector dialog opens.

  2. Select a CA template object, and then click Select.

Key Generation

Encryption key used to generate the certificate’s private key.

Trust Protection Platform uses either an AES-256 software encryption key or hardware keys stored on supported HSM devices to generate certificate private keys. For information on using your own encryption keys, see Working with system credentials.

Disable Automatic Renewal

Disables automatic enrollment and provisioning for the current certificate. This means that Venafi TLS Protect will not attempt to renew or install the current certificate on its own. However, Venafi TLS Protect still provides monitoring, validation, and notification for the certificate object.

Trust Protection Platform automatically selects this option when it renews a certificate in response to a SCEP request. For more information, see Certificate enrollment via SCEP protocol.

Renewal Window

Number of days prior to expiration that Venafi TLS Protect begins the renewal operation.

Recommended value = 30

DID YOU KNOW?  The default renewal window is 32 days for all newly created DigiCert and Entrust templates.
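The interaction between Processing Disabled, Management Type, Disable Automatic Renewal and Renewal Window decides what the platform does with a certificate object as it approaches expiration. The following is an added example written for this page, not the product's own scheduler: it models those settings as described above (Processing Disabled suppresses monitoring, validation, notification and renewal; Unassigned objects only appear in reports; Monitoring notifies but never renews; Disable Automatic Renewal keeps monitoring and notification but stops renewal; Enrollment requests the certificate for the administrator to install; Provisioning renews and installs). The `CertObject` fields, the `next_action` and `plan` functions, the action strings and the sample fleet are this example's own assumptions.

```python
"""Added example: derive the next lifecycle action for certificate objects
from the settings described on this page. Illustrative code with
constructed sample objects; not Trust Protection Platform's own logic."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List


@dataclass
class CertObject:
    name: str
    management_type: str            # "Monitoring", "Enrollment", "Provisioning" or "Unassigned"
    expiration: date
    renewal_window_days: int = 30   # the page's recommended value
    processing_disabled: bool = False
    disable_automatic_renewal: bool = False


def next_action(cert: CertObject, today: date) -> str:
    """Return one of: skip, report-only, monitor, notify, enroll, renew-and-install."""
    if cert.processing_disabled:
        # Object disabled: no monitoring, validation, notification or renewal.
        return "skip"
    if cert.management_type == "Unassigned":
        # Unlicensed: shown in reports and the dashboard only.
        return "report-only"
    days_left = (cert.expiration - today).days
    if days_left > cert.renewal_window_days:
        return "monitor"            # not yet inside the Renewal Window
    if cert.management_type == "Monitoring" or cert.disable_automatic_renewal:
        # Nearing expiry, but renewal is left to the administrator.
        return "notify"
    if cert.management_type == "Enrollment":
        return "enroll"             # CSR to the CA; administrator installs the result
    if cert.management_type == "Provisioning":
        return "renew-and-install"  # full lifecycle handled by the platform
    raise ValueError(f"unknown management type {cert.management_type!r}")


def plan(certs: List[CertObject], today: date) -> Dict[str, str]:
    """Map each certificate object name to its next action for the given day."""
    return {c.name: next_action(c, today) for c in certs}


# Constructed sample fleet evaluated on a fixed day (not real certificates).
TODAY = date(2024, 6, 1)
FLEET = [
    CertObject("web-prod", "Provisioning", date(2024, 6, 20)),                  # 19 days left
    CertObject("api-gw", "Enrollment", date(2024, 6, 25)),                      # 24 days left
    CertObject("legacy-lb", "Monitoring", date(2024, 6, 10)),                   # 9 days left
    CertObject("scep-device", "Provisioning", date(2024, 6, 15),
               disable_automatic_renewal=True),                                 # renewal disabled
    CertObject("staging", "Provisioning", date(2024, 6, 5),
               processing_disabled=True),                                       # object disabled
    CertObject("intranet", "Provisioning", date(2024, 12, 1)),                  # 183 days left
    CertObject("digicert-site", "Provisioning", date(2024, 7, 2),
               renewal_window_days=32),                                         # 31 days left, 32-day window
    CertObject("unlicensed-key", "Unassigned", date(2024, 6, 3)),
]

if __name__ == "__main__":
    for name, action in plan(FLEET, TODAY).items():
        print(f"{name:15} {action}")
```

Note the "digicert-site" entry: with the page's recommended 30-day window it would still be in "monitor", but with the 32-day default mentioned for newly created DigiCert and Entrust templates it is already inside the Renewal Window.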

Validity Period

No

Period of time (in months) that the certificate is valid.

The options available in this menu are determined by the Available Validity Periods configured on the CA template object.

Server Type

No

Application where the certificate is installed.

Entrust Certificate Services Settings

When you associate the Entrust Certificate Services template object configuration with the certificate object, you can define additional settings that are specific to the certificate. These settings are passed to the Entrust Certificate Services when Trust Protection Platform renews the certificate.

In Policy Tree, you must click the Entrust Certificate Services tab to access the Entrust Certificate Services settings.

For more information, see Entrust Certificate Services—certificate settings.

Settings

Validity Period

No

Period of time (in months) that the certificate is valid.

The options available in this menu are determined by the Available Validity Periods configured in the Entrust Certificate Services template object configuration.

Number of Servers

No

Number of servers the current certificate may be installed on.

Certificate Owner

Person the Entrust Certificate Services identifies as the certificate owner.

First Name

No

Certificate owner’s first name.

Last Name

No

Certificate owner’s last name.

Email

No

Certificate owner’s email address.

Telephone

No

Certificate owner’s telephone number.

RSA Keon Settings

When you associate the RSA CA template object configuration with the Certificate object, you can define additional settings that are specific to the certificate. These settings are passed to the RSA Keon CA when Trust Protection Platform renews the certificate.

In Policy Tree, you must go to the RSA tab to access the RSA Keon settings.

For more information, see RSA Certificate Manager—certificate settings.

Validity Period

No

Period of time (in months) that the certificate is valid.

The options available in this menu are determined by the Available Validity Periods configured in the RSA CA template object configuration.

This option is available only if you select Override Default Key Update Policy.

Thawte Settings

When you associate the Thawte CA template object configuration with the Certificate object, you can define additional settings that are specific to the certificate. These settings are passed to the Thawte CA when Trust Protection Platform renews the certificate.

In Policy Tree, you must go to the Thawte tab to access the Thawte settings.

For more information, see .

Validity Period

No

Period of time (in months) that the certificate is valid.

The options available in this menu are determined by the Available Validity Periods configured in the Thawte CA template object configuration.

This option is available only if you select Override Default Key Update Policy.

Number of Servers

No

Number of servers where the current certificate may be installed.

Server Type

No

Application where the certificate is installed.

Issuance Settings


These settings define the certificate renewal parameters.

Challenge Credential

Password Credential required to retrieve or revoke a Symantec certificate. The Challenge Credential is given to Symantec when the certificate’s CSR is submitted for enrollment. Symantec subsequently requires the Challenge Credential to retrieve or revoke the certificate.

To select the Challenge Credential

  1. Click the Browse button.

    The Credential Selector dialog appears.

  2. Select the Certificate Credential you created with the Symantec Administrator Certificate, and then click Select.

For more information, see Working with system credentials.

You can manage this setting at the policy level. To configure the setting via Policy, go to the Settings > Certificate Authorities tab in the Policy object configuration. The setting defined in the Policy object may be inherited by all subordinate Certificate objects. For more information, see Policy object certificate settings.

Validity Period (Months)

No

Period of time (in months) that the certificate is valid.

The options available in this menu are determined by the Available Validity Periods configured in the Symantec CA template object configuration.

License Count

No

Number of licenses (i.e., concurrent installations) to be issued with the certificate.

Server Type

No

Type of server that the certificate is installed on.

Comment

No

Any information you want to store with the certificate.

Symantec Owner

Defines the information for the Symantec Certificate Owner.

First Name

No

Symantec Certificate Owner’s first name.

Last Name

No

Symantec Certificate Owner’s last name.

Email

No

Symantec Certificate Owner’s email address.

Use Certificate Owner

No

Retrieves the Certificate object’s Contact Identity information.

This option is available only in Policy Tree.

If you want to be able to retrieve AD user information for the Symantec Owner settings, you must define the mapping rules for AD User and Group attributes. For more information, see Viewing Active Directory configuration settings and mapping rules.

Additional Certificate Fields

No

Your certificate may include additional certificate fields. These are custom fields defined by your organization in the Symantec MPKI Control Center. Venafi TLS Protect includes these values in the certificate signing request it submits to the Symantec CA.

If the custom fields are required, you must define them in the Certificate object; if you do not complete required custom fields, the Symantec CA will not accept the CSR. If the fields are optional, you may define them in the Certificate object as needed.

Associations Tab


No

Lists the applications associated with the current certificate.

When you associate an Application object with a certificate and enable processing, Venafi TLS Protect provisions the certificate and private key on the server where the application resides.

For more information and details about the options available in the Associations tab, see Associating certificates with applications.

Compliance Tab


The Compliance tab provides an assessment of the certificate’s compliance with its parent folder.

For more information, see Determining certificate compliance.

Certificate Value

n/a

The Certificate Value column lists the certificate values as they are currently defined in the certificate. Certificate Values are listed as being in or out of policy.

Renewal Value

n/a

The Renewal Value column lists the certificate values currently defined in the Certificate object. Renewal values also reflect policy status.

History Tab


n/a

The Certificate History tab lists the common name, serial number, issuer, and valid dates for each edition of the certificate associated with the current Certificate object. Each time a new certificate is issued or an existing certificate is renewed, Venafi TLS Protect adds another entry to the Certificate object’s History tab.

The Certificate History tab indicates the certificate(s) for which Trust Protection Platform has submitted a revocation request.

For more information, see About Viewing Certificate History.

Revoke

n/a

Submits a revocation request to the certificate CA for previous versions of the certificate that have not yet expired. For example, if you renew a certificate several months before it expires, you could provision the certificate on all of its associated servers. Then, after ensuring everything is functioning properly, you could revoke all previous, valid versions of the certificate from the Certificate > History tab.

For more information, see About revoking certificates manually.

Monitoring Tab

The Monitoring tab defines the parameters for certificate expiration events.

The recipients and delivery method (email, SNMP trap, etc.) for expiration notifications are defined in Notification and Channel objects. You must configure the channel and notification objects to send notifications for expiration events. For more information, see Managing certificate notifications.

You can define monitoring settings at the policy level. To configure the certificate object’s monitoring settings, go to the Settings > Monitoring tab in the Policy object configuration. The certificate object monitoring settings defined in the Policy object may be inherited by all subordinate Certificate objects. For more information, see Policy object monitoring settings.

Settings

Disabled

Disables monitoring for the current Certificate object.

Expiration Events

Start generating events

Number of days before a certificate expires that you want to start generating expiration events.

Send event every

Frequency (in days) at which you want Trust Protection Platform to generate expiration events.

Escalation Expiration Events

Start escalating events

Number of days before a certificate expires that you want to start generating escalated expiration events.

Send event every

Frequency (in days) at which you want Trust Protection Platform to generate escalated expiration events.
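The four Expiration Events and Escalation Expiration Events settings above decide how many notifications a certificate generates before it expires. The following Python is an added example, not Venafi code, that turns those settings into a calendar so you can see the two event streams overlap; it assumes (as a model, not documented behaviour) that an event is generated on the day its window opens and then every N days, counted toward the expiration date.

```python
from datetime import date, timedelta
from typing import Dict, List

# Constructed model of the Monitoring tab settings; not Venafi code. Assumption: an event is
# generated on the day its window opens (start days before expiry) and every `every` days after.

def event_due(days_to_expiry: int, start: int, every: int) -> bool:
    """True when an event is due at this many days before expiry for a window opening `start` days out."""
    if start < 0 or every < 1:
        raise ValueError("start must be >= 0 and every >= 1")
    return 0 <= days_to_expiry <= start and (start - days_to_expiry) % every == 0

def expiration_schedule(expires: date, start: int, every: int,
                        escalate_start: int, escalate_every: int) -> Dict[date, List[str]]:
    """Calendar date -> kinds of event ('expiration', 'escalation') generated that day, up to expiry."""
    streams = (("expiration", start, every), ("escalation", escalate_start, escalate_every))
    schedule: Dict[date, List[str]] = {}
    for d in range(max(start, escalate_start), -1, -1):      # walk from the earliest window to expiry day
        kinds = [name for name, s, e in streams if event_due(d, s, e)]
        if kinds:
            schedule[expires - timedelta(days=d)] = kinds
    return schedule

if __name__ == "__main__":
    # Constructed settings: events from 30 days out every 10 days, escalation daily in the last week
    for day, kinds in expiration_schedule(date(2025, 6, 30), 30, 10, 7, 1).items():
        print(day, ", ".join(kinds))
```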

Validation Tab

Trust Protection Platform provides Network Validation for Certificate objects. During the Network Validation process, Trust Protection Platform sends an SSL request to the certificate’s server. If the server responds to the SSL request, Trust Protection Platform retrieves the certificate’s serial number and compares it to the certificate that Trust Protection Platform has archived for the corresponding Certificate object.

The purpose of Network Validation is to confirm that the certificate is functional and to verify that the correct certificate is being used. If the server responds to the SSL request, Trust Protection Platform knows the certificate is functional. When it retrieves the certificate serial number, Trust Protection Platform can determine if the correct certificate is being used.

When you enable Network Validation on the Certificate object, the Validation Manager module runs daily validation checks and reports the results on the object Summary and Validation tab.

For more information, see About certificate and application validation.

Options

Disable

No

Disables all validation for the current Certificate object, including all validation-based notifications.

Network Settings

The purpose of Network Validation is to confirm that the certificate is functional and to verify that the correct certificate is being used. Network Validation requires network access to the server where the application is installed.

Validation Disabled

Disables Network Validation for the current Application object, including all related notifications.

You can also disable Network Validation at the policy level. To disable Network Validation via Policy, go to the Settings > Certificate tab in the Policy object configuration. Disabling Network Validation in the Policy object disables Network Validation for all subordinate Network Certificate objects. For more information, see Policy object certificate settings.

Validation Host

No

Determines how Trust Protection Platform identifies the host server where the certificate is installed.

Use Certificate Common Name: (Default) Uses a DNS lookup to resolve the certificate’s Common Name. It then validates the certificate at every IP address returned from the DNS lookup.

Venafi TLS Protect can validate using both IPv4 and IPv6 connections.

Specify Address: Allows you to specify a single IP address.

Hostname

No

IP address or hostname you want to validate.

Venafi TLS Protect supports both IPv4 and IPv6 connections.

This option is read only if you select Specify Address.

Port

Port that the Validation Manager uses to connect to the server where the application is installed.

The Validation Manager uses an SSL connection to validate the application’s associated certificate. The default port is 443.

You can also set the validation port at the policy level. To set the validation port via Policy, go to the Settings > Certificate tab in the Policy object configuration. The validation port defined in the Policy object may be inherited by all subordinate Network Certificate objects. For more information, see Policy object certificate settings.
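The Validation tab description above and the Validation Host, Hostname and Port settings together describe one check: resolve the Common Name to every IPv4 and IPv6 address (or take a single specified address), open a TLS connection on the validation port, and compare the presented certificate's serial number with the one archived for the Certificate object. The following Python is an added example that models that flow; it is not Venafi's code, and the `resolver`/`fetch` hooks, the minimal DER serial parser and the result strings are assumptions made for illustration.

```python
import socket
import ssl
from typing import Callable, Dict, Optional, Tuple
# Constructed model of the documented Network Validation check; not Venafi's own code.

def normalize_serial(serial: str) -> str:
    # Upper-case hex without colons, 0x prefix or leading zeros, so differing formats compare equal
    s = serial.replace(":", "").replace(" ", "").upper().removeprefix("0X")
    return s.lstrip("0") or "0"

def _der_tlv(buf: bytes, pos: int) -> Tuple[int, int, int]:
    # Read one DER tag and length at pos; return (tag, content_start, content_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: low 7 bits = byte count of the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def serial_from_der(der: bytes) -> str:
    """serialNumber of a DER X.509 certificate: Certificate > tbsCertificate > [version] > INTEGER."""
    _, pos, _ = _der_tlv(der, 0)                        # Certificate SEQUENCE
    _, pos, _ = _der_tlv(der, pos)                      # tbsCertificate SEQUENCE
    tag, start, end = _der_tlv(der, pos)                # [0] EXPLICIT version, if present
    if tag == 0xA0:
        tag, start, end = _der_tlv(der, end)            # then the serialNumber INTEGER
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return der[start:end].hex().upper()

def fetch_peer_der(address: str, port: int, server_name: str, timeout: float = 10.0) -> bytes:
    """TLS handshake with SNI set to the Common Name; returns the presented certificate as DER."""
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE   # identity is judged by serial, below
    with socket.create_connection((address, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            return tls.getpeercert(binary_form=True)

def validate_certificate(expected_serial: str, common_name: str, port: int = 443, specified_address: Optional[str] = None,
                         resolver: Callable = socket.getaddrinfo, fetch: Callable = fetch_peer_der) -> Dict[str, str]:
    """Per-address result: 'OK', 'SERIAL MISMATCH (<serial seen>)' or 'NO RESPONSE (<error type>)'."""
    addresses = [specified_address] if specified_address else sorted(      # Specify Address, or
        {i[4][0] for i in resolver(common_name, None, proto=socket.IPPROTO_TCP)})  # every IPv4/IPv6 address of the CN
    want, results = normalize_serial(expected_serial), {}
    for addr in addresses:
        try:
            got = normalize_serial(serial_from_der(fetch(addr, port, common_name)))
            results[addr] = "OK" if got == want else f"SERIAL MISMATCH ({got})"
        except (OSError, ValueError) as exc:            # ssl.SSLError is an OSError subclass
            results[addr] = f"NO RESPONSE ({type(exc).__name__})"
    return results
```

A "NO RESPONSE" entry covers both a closed port and a failed TLS handshake, which matches the documented "server responds to the SSL request" test; a mismatch shows the serial actually presented so it can be traced in the History tab.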

Status

The following fields display the results of the last validation. These fields are informational only and cannot be edited. For more information on validation status messages, see Review validation results.

Last Validation

n/a

Time and date of the last validation.

Network Result

n/a

Result of the most recent Network Validation.

General Tab

Log Tab

n/a

Provides a view of all events triggered for the current object.

An administrator must have a minimum of the Read permission to view this tab.

For more information on the Log tab options, see Viewing log events.

Permissions Tab

n/a

On the Permissions tab, you select the users or groups to whom you want to grant permissions to the current object. Then, you select which permissions you want the users or groups to have. You can also manage object permissions via parent objects, including the root Platform object or the Trust Protection Platform server object (found in the Platforms tree).

If you configure Permissions in a parent object, those permissions are inherited by all subordinate objects.