Configuring value thresholds using Account Preferences

Throughout Venafi Platform, the system shows you information based on thresholds that you create to ensure you are protecting your key and certificate data in accordance with your organization's policies and objectives. Venafi Platform is designed to give you flexibility in providing warnings based on thresholds you define. These thresholds affect not only the data you see across the dashboards, but also apply to the way keys and certificates are reported to you throughout Venafi Platform.

Users can access the Account Preferences screen to configure these thresholds for themselves. Additionally, system administrators can set and lock values, so all users in the organization must use the same settings.

Setting threshold values for an individual

1. On the menu, click the user icon, then click Preferences.
2. From the left, select a product (TLS Protect & Client Protect; SSH Protect; or CodeSign Protect) depending on which settings you with to modify.
3. Modify the threshold values as needed.
4. Click Save.

Setting threshold values across the organization

1. Log in as the master admin.
2. On the menu, click on the user icon, then click Preferences.
3. From the left, select a product (TLS Protect & Client Protect; SSH Protect; or CodeSign Protect) depending on which settings you with to modify.
4. Modify the threshold values as needed.

5. Click the lock icon to prevent others in your organization from setting a different personal value. If the value is locked, and you want users to be able to configure this value for themselves, click the unlock icon .

   NOTE  Modifying these values without locking them will only modify them for your account, not for other users in your organization.

6. Click Save.

TLS Protect and Client Protect settings

Account Preferences settings for TLS Protect and Endpoint Protect

Name	Default	Description
Flag certificates with a key smaller than	2048 (Bits)	For some key types, smaller key lengths can be less secure, and you may want to ensure small keys are flagged by the system. This value is stored in bits.
Flag certificates with a validity period greater than	397 (Days)	Certificates with long validity periods may be more susceptible to being compromised. Set this value in days. (The default is 397 days.)1  In version 20.3 and older, the default value was 820 days, however the major browser vendors no longer accept public certificates with a validity period longer than 397 days. If you had a version of Venafi Platform earlier than 20.4 and you left this value at the default, upon upgrade to 20.4 (or later) the new default of 397 days will apply. However, if you had customized this value, upon upgrade to 20.4 (or later) your previous custom value will be used.
Approved Signing Algorithm	SHA256, SHA384, SHA512	Select from the list of signing algorithms the ones you want to trust as 'approved.' Certificates with signing algorithms not in this list will be marked as a security risk. To see a full list of algorithms, click inside the box.
Flag certificates as Expired - Long Term if expired for longer than	30 (Days)	Expired certificates are grouped into two categories: (1) Expired - short term; and (2) Expired - long term. This helps you with analysis and reporting to recognize items that have recently expired so you can take action on them, if necessary. Set this value in days.
Flag certificates as Expiring Soon if expiring in less than	30 (Days)	To give you enough time to take action on a soon-to-expire certificate, the system begins warning you before a certificate will expire. This value controls how early you want to be alerted to expiring certificates. Set this value in days.
Flag certificates that are	Within the second half of their renewal period	Helps you identify certificates that need renewal only after they have reached a point in their life cycle (half way, for example). This is more flexible than a number of days, as it takes into account the overall validity period.

SSH Protect settings

Account Preferences settings for TLS Protect and Endpoint Protect

Name	Default	Description
Flag keys with a key smaller than	1024 (Bits)	Smaller keys are typically less secure keys, and you may want to ensure small keys are flagged by the system. This value is stored in bits.
Flag keys as Unused Authorized Keys if not used for	365 (Days)	SSH Protect tracks authorized key usage. If an authorized key has not been used for a long period of time it may be time to remove the key so it no longer has any access to your systems. This helps protect your system so old keys can't be used to access the system by somebody who is no longer authorized to have access. Set this value in days.

CodeSign Protect settings

On the CodeSign Protect User Preferences, you can re-enable the First Project dialog, as if you are logging into the product for the first time. Click Clear Setting to see this dialog again.