Certificate status and risks explained
When reviewing the certificate inventory, the inventory list contains several columns including Status and Risks. The Status column shows the most important status of the certificate in the certificate lifecycle. The Risks column shows relevant security risks that apply to the certificate.
The two-column format highlights the most important information, the status of the certificate, while still showing the security risks for a given certificate. Both the Status and Risks columns are visible columns by default.
When the certificate renewal process is stalled for some reason, click the information icon to see specific information about the status, providing you with additional context on what actions need to be taken to resolve the issue. Additional status information is available on the certificate overview page.
The following table lists the status identified for certificates, along with a brief definition of what the status means.
Because the Status column displays only one status at a time, and a certificate can be in more than one of the states listed, the table includes a Display Priority column that determines which status appears in the Status column. If more than one status applies, the status with the lowest display priority number is shown.
| Status | Display Priority | What It Means | Notes |
|---|---|---|---|
| Retired | 1 | Certificates that are retired. They are not included in the dashboard statistics, in-product reports, or licensing of the product. These certificates are displayed on custom reports. | |
| Unassigned | 2 | A management type that can be given to certificates so that they are reported on the dashboard but are unlicensed. Typically used during network certificate discovery when placement rules could not place certificates. Unassigned can be used temporarily until certificates can be properly classified. | |
| | 3 | Certificate revocation for the current certificate was attempted but failed and produced an error. Revocations are performed for security reasons, so it is important to know when the process fails. | The application will not try again without user intervention. The user must click Retry. |
| | 4 | The certificate encountered an error during initial enrollment or renewal, or some of its applications are in error. | This state contains an information icon providing additional information about the error. |
| | 5 | Any certificates that require the approval of the user who is currently logged in. Includes certificates that are currently being renewed, provisioned, or revoked. Historical certificates being revoked will not show up. These requests and approvals can currently only be done in Policy Tree. For more information on revoking historical certificates, see About revoking certificates manually. | This state contains an information icon with additional information. |
| | 6 | A workflow associated with the certificate (or application) was approved and scheduled. | |
| | 7 | Processing of the certificate cannot proceed until another Trust Protection Platform user approves the required action. | This state contains an information icon with additional information. |
| | 8 | The renewal of the certificate cannot proceed until a User Provided CSR is uploaded to the certificate. | |
| | 9 | The revocation of the certificate is either queued or in process. | |
| | 10 | The certificate is currently being installed. | |
| | 11 | The certificate is either being enrolled with a Certificate Authority for the first time or is being renewed. | |
| | 12 | The certificate has been revoked through the Certificate Authority. | |
| Expired - Long Term | 13 | The certificate has been expired for an extended period of time. Expired - Long Term certificates are those that there are no plans to renew; they will be retired instead. | The value for Expired - Long Term is configurable per user. Each user can set his or her own value. |
| Expired - Short Term | 14 | The certificate has recently expired. Short term is important because it may contain certificates that have expired but with the intent to renew them. | The value for Expired - Short Term is configurable per user. Each user can set his or her own value. The calculation is the difference between the expiration date and the Expired - Long Term value. |
| Expiring Soon | 15 | Certificates that are going to expire soon. Allows the renewal process and necessary workflow approvals to take place before the certificate expires. | The value for Expiring Soon is configurable per user. Each user can set his or her own value. |
| | 16 | View all certificates (even Lost certificates) but filter out any certificate that is considered Disabled/Retired. | NOTE These status items are not displayed in the Status column; however, they are visible if you filter on these values for Status. |
| | 17 | Certificates that are Not Lost and Not Disabled. This is the default filter applied on the Certificate Inventory page. | |
| | 18 | Certificates that have completed enrollment and have an issued certificate associated. | This status is only visible when the specific filter is selected. |
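As an added example (not code from Trust Protection Platform), the following Python models the display-priority rule and the per-user expiry windows described in the table. Only the statuses the table itself names are modelled; the `expiring_soon_days` and `expired_long_term_days` parameters and their defaults are assumptions standing in for the per-user preferences.

```python
from datetime import datetime, timedelta

# Display priorities copied from the status table above. Only the statuses the
# page names are modelled here; when several apply, the lowest number wins.
PRIORITY = {
    "Retired": 1,
    "Unassigned": 2,
    "Expired - Long Term": 13,
    "Expired - Short Term": 14,
    "Expiring Soon": 15,
}

def applicable_statuses(expires, now, retired=False, unassigned=False,
                        expiring_soon_days=30, expired_long_term_days=90):
    """Return every status that applies to one inventory row.

    expires and now are ISO-8601 dates. The two day counts stand in for the
    per-user Expiring Soon and Expired - Long Term preferences (names and
    defaults assumed); Expired - Short Term is the window between the
    expiration date and the long-term cutoff, as the table describes.
    """
    exp = datetime.fromisoformat(expires)
    t = datetime.fromisoformat(now)
    found = []
    if retired:
        found.append("Retired")
    if unassigned:
        found.append("Unassigned")
    if t >= exp + timedelta(days=expired_long_term_days):
        found.append("Expired - Long Term")
    elif t >= exp:
        found.append("Expired - Short Term")
    elif t >= exp - timedelta(days=expiring_soon_days):
        found.append("Expiring Soon")
    return found

def displayed_status(expires, now, **flags):
    """The single value the Status column shows: the lowest display priority."""
    found = applicable_statuses(expires, now, **flags)
    return min(found, key=PRIORITY.__getitem__) if found else None
```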
The following table lists the security risks identified for certificates, along with a brief definition of what the risk means.
| Risk | What It Means | Notes |
|---|---|---|
| | The certificate was issued by one of the following CAs: These certificates are flagged in some web browsers as being a potential security risk. | When users of these browsers visit a site with one of these certificates, a security warning is displayed in the browser window. If a web site is protected by a certificate from one of these Certificate Authorities (CAs), you may want to have a new certificate issued from a different CA so that people using the affected web browsers will not see the certificate warning when they visit your site. |
| | Network Validation was attempted but failed. Applies only to certificates, not devices or applications. | Network Validation can be turned on or off. If it is on, the system will try to validate the certificate once a day, whether the previous validation succeeded or failed. |
| | The domain name does not match any of the Allowed Domains as defined in the Domain Whitelist. See the certificate's settings. | |
| | In order to meet some audit requirements, more than one person must oversee the processing of certificates. This means that there should be at least one Approval Workflow assigned to the certificate. This field allows Venafi Administrators to find certificates that have this security/audit risk so that dual control can be applied. | This status was added to give customers visibility into SANS CSC 17-14 and PCI-DSS. For information on SANS CSC 17-14, see https://www.sans.org/critical-security-controls/control/17. In Trust Protection Platform, every certificate renewal should have an approver. Certificates that do not have an approver assigned are given this status. |
| | Certificates that have been discovered through various means but are not claimed. Responsibility for the certificate(s) has not been assigned to anyone. | Lost and Found (or Lost) certificates are certificates located in a directory that has been designated as a lost and found directory. |
| | The certificate uses the default owner because the Contact or Approver is empty, or it is assigned to a local admin account. | Having a correct owner assigned to a certificate is important for several reasons, including notifications for expiration or for problems that occur during certificate renewal. Tracking who is responsible for a certificate ensures compliance with the following standards: |
| No Provisioning Targets | The certificate is configured for provisioning, but no installations have been configured. As a result, the certificate cannot be provisioned (installed on a device). If this risk is not mitigated, it could result in an outage, since TLS Protect cannot automatically provision a new certificate before the old one expires. NOTE In Aperture, this risk is shown if there are no installations of any type. In Policy Tree, a similar risk appears if there are no provisioning applications. For example, if you only have a basic installation for a certificate, Aperture will not show a risk, but Policy Tree will, since a basic application cannot be used for provisioning. | To resolve, do one of the following: |
| | The certificate issuer is not marked as approved for issuance. | You can either reissue the certificate with a CA that is approved for issuance, or add the issuer of the certificate in question to the list of CAs that are approved for issuance. |
| | The certificate's policy does not allow duplicate Common Names or Subject Alternative Names (SANs). | |
| | The certificate's validity period is longer than what is considered safe by PKI cryptographic standards. | This is configurable via the Certificate Account Preferences. |
| | Certificate validation is disabled. | |
| | The certificate key length is considered weak by PKI cryptographic standards. | This is configurable via the Certificate Account Preferences. |
| | The certificate signing algorithm is considered weak by PKI cryptographic standards. | This is configurable via the Certificate Account Preferences. |
| | The certificate's policy prevents the use of wildcard characters in the certificate's Common Name. | If a certificate request contains a wildcard but the policy does not allow wildcards, you will see this risk when you try to renew the certificate. To mitigate, modify the certificate request to not include a wildcard, or modify the policy to allow wildcards. |
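An added example, not code from Trust Protection Platform, that evaluates one certificate record against the risk conditions in the table (weak key length, weak signing algorithm, validity period too long, domain not in the allowed domains, wildcard and duplicate-name policy, no approval workflow, validation disabled, issuer not approved). The dict keys, the thresholds standing in for the Certificate Account Preferences, and the risk labels are all assumptions made for this example.

```python
from datetime import datetime

# Thresholds stand in for the Certificate Account Preferences the table refers
# to; these values are assumptions for the example, not platform defaults.
PREFS = {"min_key_bits": 2048, "weak_sig_algs": ("md5", "sha1"),
         "max_validity_days": 398}

def domain_allowed(name, allowed_domains):
    # Strip a leading wildcard, then accept the domain itself or a subdomain.
    host = name.lower().lstrip("*.")
    return any(host == d or host.endswith("." + d) for d in allowed_domains)

def risks_for(cert, policy, prefs=PREFS):
    """Risks for one row; labels paraphrase the table above.

    cert and policy are dicts with assumed key names, not platform fields."""
    risks = []
    if cert["key_bits"] < prefs["min_key_bits"]:
        risks.append("weak key length")
    if any(w in cert["sig_alg"].lower() for w in prefs["weak_sig_algs"]):
        risks.append("weak signing algorithm")
    days = (datetime.fromisoformat(cert["not_after"])
            - datetime.fromisoformat(cert["not_before"])).days
    if days > prefs["max_validity_days"]:
        risks.append("validity period too long")
    names = [cert["common_name"], *cert.get("sans", [])]
    if not all(domain_allowed(n, policy["allowed_domains"]) for n in names):
        risks.append("domain not in allowed domains")
    if not policy["allow_wildcards"] and cert["common_name"].startswith("*."):
        risks.append("wildcard not allowed by policy")
    if not policy["allow_duplicate_names"] and len(set(names)) != len(names):
        risks.append("duplicate common name or SAN")
    if not cert.get("approvers"):
        risks.append("no approval workflow (dual control)")
    if not cert.get("validation_enabled", True):
        risks.append("validation disabled")
    if cert["issuer"] not in policy["approved_issuers"]:
        risks.append("issuer not approved for issuance")
    return risks

# Constructed inventory row and policy that trip most of the checks.
SAMPLE_CERT = {"common_name": "*.shop.example.com",
               "sans": ["shop.example.com", "shop.example.com"],
               "key_bits": 1024, "sig_alg": "sha1WithRSAEncryption",
               "not_before": "2023-01-01", "not_after": "2025-01-01",
               "issuer": "Legacy Internal CA", "approvers": [],
               "validation_enabled": False}
SAMPLE_POLICY = {"allowed_domains": ["example.com"], "allow_wildcards": False,
                 "allow_duplicate_names": False, "approved_issuers": ["Corp Issuing CA 1"]}
```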