The search function allows you to query the database for information. The same query structure is used in multiple locations within the Keyfactor Command Management Portal.
When you first open the page, you will see the simple search option. To execute a search, select the field and comparison operators in the dropdowns and type something on which to search in the value field (if applicable). If you select an is null or is not null comparison operator, the value field will be grayed out. Click the Search button to execute the query.
Each query consists of three parts:
 Query Field
Query Field
                                                            The available fields for querying vary depending on the area of the Management Portal in which the search is used. On this page, the queries can be done on the following built-in fields:
 AltKeySize
AltKeySize
                                                                            Complete or partial matches with the alternative certificate key size The key size or key length is the number of bits in a key used by a cryptographic algorithm..
 The key size or key length is the number of bits in a key used by a cryptographic algorithm..
 AltKeyAlgorithm
AltKeyAlgorithm
                                                                            The referenced certificate alternative key algorithm. Supported algorithms are:
- ML-DSA-44 A variant of the Digital Signature Algorithm (DSA) designed for high-performance and secure digital signatures. ML-DSA-44 is optimized for specific machine learning use cases or specialized systems. A variant of the Digital Signature Algorithm (DSA) designed for high-performance and secure digital signatures. ML-DSA-44 is optimized for specific machine learning use cases or specialized systems.
- ML-DSA-65 Similar to ML-DSA-44, this variant provides a larger key size and is suited for environments requiring more robust security. It is often used in cases where cryptographic strength needs to be balanced with performance. Similar to ML-DSA-44, this variant provides a larger key size and is suited for environments requiring more robust security. It is often used in cases where cryptographic strength needs to be balanced with performance.
- ML-DSA-87 An even stronger variant of ML-DSA, offering a larger key size and enhanced security features for demanding cryptographic operations. Like the others in the ML-DSA family, it is designed for specific use cases that require high-performance cryptography. An even stronger variant of ML-DSA, offering a larger key size and enhanced security features for demanding cryptographic operations. Like the others in the ML-DSA family, it is designed for specific use cases that require high-performance cryptography.
- SLH-DSA-SHA2-128F
- SLH-DSA-SHA2-128S
- SLH-DSA-SHA2-192F
- SLH-DSA-SHA2-192S
- SLH-DSA-SHA2-256F
- SLH-DSA-SHA2-256S
- SLH-DSA-SHAKE-128F
- SLH-DSA-SHAKE-128S
- SLH-DSA-SHAKE-192F
- SLH-DSA-SHAKE-192S
- SLH-DSA-SHAKE-256F
- SLH-DSA-SHAKE-256S
 AltPublicKey
AltPublicKey
                                                                            Exact matches with the certificate alternative public key In asymmetric cryptography, public keys are used together in a key pair with a private key. The private key is retained by the key's creator while the public key is widely distributed to any user or target needing to interact with the holder of the private key. in hexadecimal or base64 format.
 In asymmetric cryptography, public keys are used together in a key pair with a private key. The private key is retained by the key's creator while the public key is widely distributed to any user or target needing to interact with the holder of the private key. in hexadecimal or base64 format.
 AltSigningAlgorithm
AltSigningAlgorithm
                                                                            Complete or partial matches with the certificate alternative signing algorithm.
 ArchivedKey
ArchivedKey
                                                                            The certificate’s archived key has been encrypted and saved to the Keyfactor Command database (true/false).
 CA
CA
                                                                            Complete or partial matches with the certificate issuing CA A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA. logical name
 A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA. logical name The logical name of a CA is the common name given to the CA at the time it is created. For Microsoft CAs, this name can be seen at the top of the Certificate Authority MMC snap-in. It is part of the FQDN\Logical Name string that is used to refer to CAs when using command-line tools and in some Keyfactor Command configuration settings (e.g.  ca2.keyexample.com\Corp Issuing CA Two)..
 The logical name of a CA is the common name given to the CA at the time it is created. For Microsoft CAs, this name can be seen at the top of the Certificate Authority MMC snap-in. It is part of the FQDN\Logical Name string that is used to refer to CAs when using command-line tools and in some Keyfactor Command configuration settings (e.g.  ca2.keyexample.com\Corp Issuing CA Two)..
 CertificateAuthorityId
CertificateAuthorityId
                                                                            Complete or partial matches with the certificate issuing CA ID.
 CertId
CertId
                                                                            Numeric matches with the Keyfactor Command reference ID for the certificate.
 CertificateRenewed
CertificateRenewed
                                                                            Certificate has already been renewed (true) or has not yet been renewed and can potentially be renewed (false).
 CertState
CertState
                                                                            The certificate state:
- Unknown (0)—This certificate entered the system in a manner other than a CA synchronization, so no status from a CA has been reported.
- Active (1)—The normal state for certificates brought in via CA synchronization. The certificate has not been revoked.
- Revoked (2)—The certificate has been revoked either within or outside Keyfactor Command.
- Certificate Authority A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA. (6)—The certificate synchronized in from a CA synchronization that is indicated to be that CA's own certificate. This state applies to Microsoft CAs only. A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA. (6)—The certificate synchronized in from a CA synchronization that is indicated to be that CA's own certificate. This state applies to Microsoft CAs only.
- Parent Certificate Authority (7)—The certificate synchronized in from a CA synchronzation that is indicated to be the certificate of a CA further up the chain. This state applies to Microsoft CAs only.
 CertStoreContainer
CertStoreContainer
                                                                            Certificate is in a certificate store that is included in the container criteria indicated.
 CertStoreFQDN
CertStoreFQDN
                                                                            Complete or partial matches with the fully qualified domain name of the computer hosting one or more certificate stores.
This field has an alias of JavaKeystoreFQDN that may be used when querying the field from the Keyfactor API An API is a set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command..
 An API is a set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command..
 CertStorePath
CertStorePath
                                                                            Complete or partial matches on the full path to a certificate store—e.g., /opt/application/mystore.jks or c:\program files\application\mystore.jks.
This field has an alias of JavaKeystorePath that may be used when querying the field from the Keyfactor API.
 CN
CN
                                                                            Complete or partial matches with the certificate common name A common name (CN) is the component of a distinguished name (DN) that represents the primary name of the object. The value varies depending on the type of object. For a user object, this would be the user's name (e.g. CN=John Smith). For SSL certificates, the CN is typically the fully qualified domain name (FQDN) of the host where the SSL certificate will reside (e.g. servername.keyexample.com or www.keyexample.com)..
 A common name (CN) is the component of a distinguished name (DN) that represents the primary name of the object. The value varies depending on the type of object. For a user object, this would be the user's name (e.g. CN=John Smith). For SSL certificates, the CN is typically the fully qualified domain name (FQDN) of the host where the SSL certificate will reside (e.g. servername.keyexample.com or www.keyexample.com)..
This field has an alias of IssuedCN that may be used when querying the field from the Keyfactor API.
 DN
DN
                                                                            Complete or partial matches with the certificate distinguished name.
This field has an alias of IssuedDN that may be used when querying the field from the Keyfactor API.
 EKU
EKU
                                                                            Complete or partial matches with the extended key usage OID Object identifiers or OIDs are a standardized system for identifying any object, concept, or "thing" with a globally unambiguous persistent name.. For example, the EKU OID for Server Authentication is 1.3.6.1.5.5.7.3.1 and the EKU OID for Client Authentication is 1.3.6.1.5.5.7.3.2. A search for EKU -eq 1.3.6.1.5.5.7.3.1 will return both certificates that have Server Authentication as the only EKU and certificates that have Server Authentication along with one or more other EKUs.
 Object identifiers or OIDs are a standardized system for identifying any object, concept, or "thing" with a globally unambiguous persistent name.. For example, the EKU OID for Server Authentication is 1.3.6.1.5.5.7.3.1 and the EKU OID for Client Authentication is 1.3.6.1.5.5.7.3.2. A search for EKU -eq 1.3.6.1.5.5.7.3.1 will return both certificates that have Server Authentication as the only EKU and certificates that have Server Authentication along with one or more other EKUs.
 EKUName
EKUName
                                                                            Complete or partial matches with the extended key usage Name (e.g., Server Authentication).
 EnrollmentPatternID
EnrollmentPatternID
                                                                            Equal, not equal, not null or null matches with the Enrollment Certificate enrollment refers to the process by which a user requests a digital certificate. The user must submit the request to a certificate authority (CA). Pattern ID.
 Certificate enrollment refers to the process by which a user requests a digital certificate. The user must submit the request to a certificate authority (CA). Pattern ID.
 EnrollmentPatternName
EnrollmentPatternName
                                                                            Equal, not equal, not null or null matches with the Enrollment Pattern Name.
 ExpirationDate
ExpirationDate
                                                                            Certificate expiration before, after, or on a specified date. Supports the %TODAY% token (see Advanced Searches). Be sure to check the Include Expired checkbox to view expired certificates.
This field has an alias of NotAfter that may be used when querying the field from the Keyfactor API.
 HasAltPrivateKey
HasAltPrivateKey
                                                                            Certificate alternative private key Private keys are used in cryptography (symmetric and asymmetric) to encrypt or sign content. In asymmetric cryptography, they are used together in a key pair with a public key. The private or secret key is retained by the key's creator, making it highly secure. encrypted and stored in the Keyfactor Command database (true/false).
 Private keys are used in cryptography (symmetric and asymmetric) to encrypt or sign content. In asymmetric cryptography, they are used together in a key pair with a public key. The private or secret key is retained by the key's creator, making it highly secure. encrypted and stored in the Keyfactor Command database (true/false).
 HasPrivateKey
HasPrivateKey
                                                                            Certificate private key encrypted and stored in the Keyfactor Command database (true/false).
 ImportDate
ImportDate
                                                                            The certificate imported to Keyfactor Command before, after, or on a specified date.
 IsExcluded
IsExcluded
                                                                            Certificates that are found during an SSL TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are protocols for establishing authenticated and encrypted links between networked computers. scan or certificate store inventory will not be skipped, even if they are excluded from Keyfactor Command. In order that users have the ability to monitor such certificates, this query parser returns any certificate that exists both in the certificates table and in the exclusion list.
								Essentially, this performs an intersection of the certificates that are excluded and imported into Keyfactor Command.(true/false)
 TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are protocols for establishing authenticated and encrypted links between networked computers. scan or certificate store inventory will not be skipped, even if they are excluded from Keyfactor Command. In order that users have the ability to monitor such certificates, this query parser returns any certificate that exists both in the certificates table and in the exclusion list.
								Essentially, this performs an intersection of the certificates that are excluded and imported into Keyfactor Command.(true/false)
									
 IsHybridCertificate
IsHybridCertificate
                                                                            Certificate has an alternative key pair In asymmetric cryptography, public keys are used together in a key pair with a private key. The private key is retained by the key's creator while the public key is widely distributed to any user or target needing to interact with the holder of the private key. (true/false).
 In asymmetric cryptography, public keys are used together in a key pair with a private key. The private key is retained by the key's creator while the public key is widely distributed to any user or target needing to interact with the holder of the private key. (true/false).
 IssuedDate
IssuedDate
                                                                            Certificate issuance before, after, or on a specified date. Supports the %TODAY% token (see Advanced Searches).
This field has aliases of NotBefore and EffectiveDate that may be used when querying the field from the Keyfactor API.
 IssuerDN
IssuerDN
                                                                            Complete or partial matches with the certificate issuer’s distinguished name.
 KeyfactorRequestId
KeyfactorRequestId
                                                                            Numeric matches with the Keyfactor Command reference ID for the certificate request.
 KeyAlgorithm
KeyAlgorithm
                                                                            The referenced certificate key algorithm. Supported algorithms are:
- RSA A widely used public-key cryptosystem, RSA is commonly used for encryption and digital signatures. It is based on the mathematical difficulty of factoring large integers. A widely used public-key cryptosystem, RSA is commonly used for encryption and digital signatures. It is based on the mathematical difficulty of factoring large integers.
- DSA
- ECC Elliptical curve cryptography (ECC) is a public key encryption technique based on elliptic curve theory that can be used to create faster, smaller, and more efficient cryptographic keys. ECC generates keys through the properties of the elliptic curve equation instead of the traditional method of generation as the product of very large prime numbers. Elliptical curve cryptography (ECC) is a public key encryption technique based on elliptic curve theory that can be used to create faster, smaller, and more efficient cryptographic keys. ECC generates keys through the properties of the elliptic curve equation instead of the traditional method of generation as the product of very large prime numbers.
- Ed448 A high-security elliptic curve algorithm, Ed448 is used for digital signatures and is known for providing very strong security while maintaining high performance. It is part of the Edwards-curve Digital Signature Algorithm (EdDSA) family. A high-security elliptic curve algorithm, Ed448 is used for digital signatures and is known for providing very strong security while maintaining high performance. It is part of the Edwards-curve Digital Signature Algorithm (EdDSA) family.
- Ed25519 Another member of the EdDSA family, Ed25519 is designed for high security and speed. It is widely used in modern cryptography and provides robust protection with a 256-bit key size. Another member of the EdDSA family, Ed25519 is designed for high security and speed. It is widely used in modern cryptography and provides robust protection with a 256-bit key size.
- ML-DSA-44
- ML-DSA-65
- ML-DSA-87
- SLH-DSA-SHA2-128F
- SLH-DSA-SHA2-128S
- SLH-DSA-SHA2-192F
- SLH-DSA-SHA2-192S
- SLH-DSA-SHA2-256F
- SLH-DSA-SHA2-256S
- SLH-DSA-SHAKE-128F
- SLH-DSA-SHAKE-128S
- SLH-DSA-SHAKE-192F
- SLH-DSA-SHAKE-192S
- SLH-DSA-SHAKE-256F
- SLH-DSA-SHAKE-256S
 KeySize
KeySize
                                                                            Complete or partial matches with the certificate key size.
This field has an alias of KeySizeInBits that may be used when querying the field from the Keyfactor API.
 KeyUsage
KeyUsage
                                                                            Certificate includes or doesn't include (or is null or not null for) the referenced key usage. Supported key usages are:
- 
                                                                                                CRLSign 
- 
                                                                                                DataEncipherment 
- 
                                                                                                DecipherOnly 
- 
                                                                                                DigitalSignature 
- 
                                                                                                EncipherOnly 
- 
                                                                                                KeyAgreement 
- 
                                                                                                KeyCertSign 
- 
                                                                                                KeyEncipherment 
- 
                                                                                                NonRepudiation 
 NetBIOSPrincipal
NetBIOSPrincipal
                                                                            Complete or partial matches with the Active Directory principal name in the certificate in NetBIOS format (DOMAIN\username). Supports the %ME% token (see Advanced Searches).
This field has an alias of PrincipalName that may be used when querying the field from the Keyfactor API.
 NetBIOSRequester
NetBIOSRequester
                                                                            Complete or partial matches with the certificate requester’s name. For implementations authenticated using Active Directory, this will be in NetBIOS format (DOMAIN\username). For implementations authenticated using OAuth, this will be in the format defined by the Name Claim Type. Supports the %ME% token (see Advanced Searches).
This field has an alias of RequesterName that may be used when querying the field from the Keyfactor API.
 OU
OU
                                                                            Complete or partial matches with the certificate organizational unit.
 OwnerRoleName
OwnerRoleName
                                                                            Complete matches with one or more certificate owners (security roles) for the certificate(s). Multiple certificate owners should be separated by commas. Multiple values are only supported with the -in and -notin operators. For example:
Supports the %ROLES% token (see Advanced Searches).
 PublicKey
PublicKey
                                                                            Exact matches with the certificate public key in hexadecimal or base64 format.
 RevocationDate
RevocationDate
                                                                            Certificate revocation before, after, or on a specified date, or is null or not null. Be sure to check the Include Revoked checkbox to view revoked certificates. Supports the %TODAY% token (see Advanced Searches).
This field has an alias of RevocationEffDate that may be used when querying the field from the Keyfactor API.
 Revoker
Revoker
                                                                            Complete or partial matches with the name of the user who revoked the certificate. For implementations authenticated using Active Directory, this will be in NetBIOS format (DOMAIN\username). For implementations authenticated using OAuth, this will be in the format defined by the Name Claim Type. Be sure to check the Include Revoked checkbox to view revoked certificates.
 RFC2818Compliant
RFC2818Compliant
                                                                            Certificate is compliant with RFC 2818 (contains a DNS The Domain Name System is a service that translates names into IP addresses. SAN
 The Domain Name System is a service that translates names into IP addresses. SAN The subject alternative name (SAN) is an extension to the X.509 specification that allows you to specify additional values when enrolling for a digital certificate. A variety of SAN formats are supported, with DNS name being the most common.) and has an EKU of Server Authentication (true/false).
 The subject alternative name (SAN) is an extension to the X.509 specification that allows you to specify additional values when enrolling for a digital certificate. A variety of SAN formats are supported, with DNS name being the most common.) and has an EKU of Server Authentication (true/false).
 SelfSigned
SelfSigned
                                                                            Certificate is self-signed (true/false).
 SerialNumber
SerialNumber
                                                                            Complete, or starts/ends with, or null/not null matches with the certificate serial number.
 SigningAlgorithm
SigningAlgorithm
                                                                            Complete or partial matches with the certificate signing algorithm.
 SSLDNSName
SSLDNSName
                                                                            Complete or partial matches with the DNS name resolved for an SSL endpoint An endpoint is a URL that enables the API to gain access to resources on a server..
 An endpoint is a URL that enables the API to gain access to resources on a server..
 SSLIPAddress
SSLIPAddress
                                                                            Complete, or starts/ends with, or null/not null matches with the IP address defined for an SSL endpoint.
This field has an alias of SslHostName that may be used when querying the field from the Keyfactor API.
 SSLNetworkName
SSLNetworkName
                                                                            Complete, or starts/ends with, or null/not null matches with the network name under which an SSL endpoint was found.
 SSLPort
SSLPort
                                                                            Complete or partial numeric matches with the port number defined for an SSL endpoint.
 SAN
SAN
                                                                            Complete or partial matches with the certificate subject alternate name(s).
 TemplateDisplayName
TemplateDisplayName
                                                                            Complete or partial matches with the certificate template A certificate template defines the policies and rules that a CA uses when a request for a certificate is received. display name.
 A certificate template defines the policies and rules that a CA uses when a request for a certificate is received. display name.
This field has an alias of TemplateName that may be used when querying the field from the Keyfactor API.
 TemplateShortName
TemplateShortName
                                                                            Complete or partial matches with the certificate template name.
 TemplateId
TemplateId
                                                                            Complete or partial matches with the certificate template ID.
 Thumbprint
Thumbprint
                                                                            Complete or partial matches with the certificate thumbprint value.
You can also do queries based on user-defined metadata Metadata provides information about a piece of data. It is used to summarize basic information about data, which can make working with the data easier. In  Keyfactor Command, the certificate metadata feature allows you to create custom metadata fields that allow you to tag certificates with tracking information about certificates. fields (see Certificate Metadata).
 Metadata provides information about a piece of data. It is used to summarize basic information about data, which can make working with the data easier. In  Keyfactor Command, the certificate metadata feature allows you to create custom metadata fields that allow you to tag certificates with tracking information about certificates. fields (see Certificate Metadata).
 Comparison Operator
Comparison Operator
                                                            The query comparison operators vary depending on the type of field selected and the specific properties of the field. The list below shows the dropdown list comparison operators, as well as the equivalent query language syntax (in parentheses).
Most string fields (the vast majority of the built-in fields) support:
- Is equal to (-eq)
- Is not equal to (-ne)
- Contains (-contains)
- Does not contain (-notcontains)
- Starts with (-startswith)
- Ends with (-endswith)
- Is null (-eq NULL)
- Is not null (-ne NULL)
Most date and integer fields support:
- Is equal to (-eq)
- Is not equal to (-ne)
- Is less than (-lt)
- Is less than or equal to (-le)
- Is greater than (-gt)
- Is greater than or equal to (-ge)
- Is null (-eq NULL)
- Is not null (-ne NULL)
Most Boolean (true/false) fields support:
- Is equal to (-eq)
- Is not equal to (-ne)
- Is null (-eq NULL)
- Is not null (-ne NULL)
 Comparison Value
Comparison Value
                                                            The value you enter for comparison must match the field type. For example, integer fields only support numerical values. String fields support all alphanumeric characters. Boolean fields only support True or False. The value field is not case sensitive. Date fields support only properly formatted dates and will initially display as mm/dd/yyyy. You can choose to populate the date field by:
- Clicking in a date Value field to open a pop-up calendar to select a date that will populate the field.
- Clicking in a segment of the date format (i.e., mm/dd/yyyy) and entering a value. As you continue to type in any one segment, the cursor will keep moving onto the next segment.
The results that match your search criteria will be displayed in the results grid below the search selection options.
Issued DN
The distinguished name of the certificate subject.
Import Date
The date the certificate was imported to Keyfactor Command. This field will auto populate on any new imports/enrollments of certificates. On an upgrade, this field will be populated in existing certificates from the certificate operation history.
Effective Date
The date the certificate was issued or became active.
Expiration Date
The date the certificate expires.
Issued CN
The common name of the certificate subject.
Issuer DN
The distinguished name of the certificate issuer.
Certificate Template
The short name of the template used to issue the certificate.
Principal Name
The identity that the certificate represents. The principal name field is populated during certificate synchronization by the user principal name (UPN) extracted from Active Directory if there is a principal name in the certificate subject alternative name The subject alternative name (SAN) is an extension to the X.509 specification that allows you to specify additional values when enrolling for a digital certificate. A variety of SAN formats are supported, with DNS name being the most common. (SAN).
 The subject alternative name (SAN) is an extension to the X.509 specification that allows you to specify additional values when enrolling for a digital certificate. A variety of SAN formats are supported, with DNS name being the most common. (SAN).
Requester
The user or entity that requested the certificate.
Locations
The server(s), if any, that the certificate is hosted on (e.g., for SSL certificates). If the certificate is found on multiple servers, this field will show the number of servers on which it was found and the location type (e.g., 4 SSL or 6 JKS). The specific server names can be found in the certificate details.
KeyAlgorithm
The key algorithm of the certificate in the format of Friendly Name (OID).
Key Size
The key size of the certificate.
Certificate State
The certificate state options are:
- Unknown (0)
- Active (1)
- Revoked (2)
- Certificate Authority (6)
- Parent Certificate Authority (7)
The search results can be sorted by clicking on a column header in the results grid for every column (except Certificate Locations, Key Type The key type identifies the type of key to create when creating a symmetric or asymmetric key. It references the signing algorithm and often key size (e.g. AES-256, RSA-2048, Ed25519)., and Certificate State). Click the column header again to reverse the sort order. The grid columns can be arranged in any order desired by click-holding and dragging the header of the column you wish to move. The column widths may be adjusted by click-holding and dragging the line separating two column headers.
 The key type identifies the type of key to create when creating a symmetric or asymmetric key. It references the signing algorithm and often key size (e.g. AES-256, RSA-2048, Ed25519)., and Certificate State). Click the column header again to reverse the sort order. The grid columns can be arranged in any order desired by click-holding and dragging the header of the column you wish to move. The column widths may be adjusted by click-holding and dragging the line separating two column headers.
You can check the Include Revoked and/or Include Expired boxes at the top of the results grid to toggle inclusion of revoked or expired certificates in the results. By default they are excluded.
The rest of the buttons at the top of the display grid are used to interact with the certificates displayed in the results grid. Some buttons are grayed out until you click on a grid row. Other certificate functions are available on the right-click menu. To open the right-click menu, highlight a row in the results grid and right-click. You can also double-click a certificate row in the results grid to open the Certificate Details (see Certificate Details).
To select a single row in the grid, click to highlight it and then select an operation from either the top of the grid or the right-click menu. Some of the certificate operations support action on multiple certificates at once. To select multiple rows, hold down the CTRL key and click each row on which you would like to perform an operation, or tick the check box next to the row. Then select an operation from the top of the grid. The right-click menu supports limited operations on the multiple certificates.
 Advanced Searches
Advanced Searches
                                                            On any search page you can click Advanced to the right of the Search button to display the advanced search options. Click Simple to close the advanced search options again.
Multiple Criteria
Using the advanced search options, you can build a query based on multiple criteria using AND/OR logic. As with a simple search, you select a field and comparison operator in the drop-downs and then enter a comparison value, if applicable. Click Insert to add the search criteria to the query field below the selection fields. Use the selection fields to build multiple search criteria. Each time you click the insert button, an AND is added between the previous search criteria and the newly added one. You can change the AND to an OR if desired. You can use parentheses around portions of the query along with AND/OR to change the query meaning.
For example, for certificate searches:
This query will return all the certificates issued on or after January 1, 2022 with the string appsrvr in the CN A common name (CN) is the component of a distinguished name (DN) that represents the primary name of the object. The value varies depending on the type of object. For a user object, this would be the user's name (e.g. CN=John Smith). For SSL certificates, the CN is typically the fully qualified domain name (FQDN) of the host where the SSL certificate will reside (e.g. servername.keyexample.com or www.keyexample.com). and also all certificates issued at any time with the string appsrvr in the CN using a template referencing web. When you have entered all the desired search criteria, click Search to execute the query. If you wish to clear the query field and start over, click the Clear button.
 A common name (CN) is the component of a distinguished name (DN) that represents the primary name of the object. The value varies depending on the type of object. For a user object, this would be the user's name (e.g. CN=John Smith). For SSL certificates, the CN is typically the fully qualified domain name (FQDN) of the host where the SSL certificate will reside (e.g. servername.keyexample.com or www.keyexample.com). and also all certificates issued at any time with the string appsrvr in the CN using a template referencing web. When you have entered all the desired search criteria, click Search to execute the query. If you wish to clear the query field and start over, click the Clear button.
 The certificate search function allows you to query the Keyfactor Command database for certificates from any available source based on any criteria of the certificates  and save the results as a collection that will be availble in other places in the Management Portal (e.g. expiration alerts and certain reports). for the subset of certificates, using the OR statement as needed, then perform a search starting with that collection and adding any additional conditions using advanced search from the search page. See Saving Search Criteria as a Collection.
 The certificate search function allows you to query the Keyfactor Command database for certificates from any available source based on any criteria of the certificates  and save the results as a collection that will be availble in other places in the Management Portal (e.g. expiration alerts and certain reports). for the subset of certificates, using the OR statement as needed, then perform a search starting with that collection and adding any additional conditions using advanced search from the search page. See Saving Search Criteria as a Collection.In addition to the options available in the query builder, several special values can be used in selected searches by typing them in directly:
- 
                                                                            %TODAY% Use the TODAY special value in place of a specific date in date queries. This option supports math operations, so you can use TODAY-10 or TODAY+30. The built-in Certificates Expiring in 7 Days collection uses this special value (see Certificate Collection Management). Example: Create a certificate search of IssuedDate -ge "%TODAY-7%" and save it as a collection called Certificates Issued in the Last Week. Create another certificate search of ExpirationDate -lt "%TODAY+60%" and save it as a collection called Certificates Expiring in the Next 60 Days. This allows you to have saved collections containing a comparison date without having to update the date in the collection.
- 
                                                                            %ME% Use the ME special value in place of a specific domain\user name in queries that match a domain\user name. The built-in My Certificates collection uses this special value (see Certificate Collection Management). Example: Create a certificate search of NetBIOSRequester -contains "%ME%" and save it as a collection. Multiple users can now use this same collection to search for all the certificates on which they were the requester in the current domain.Note: Certificate collections saved using the %ME% value are not supported for use in reports or on the dashboard.
- 
                                                                            %ME-AN% Use the ME-AN special value in place of a specific user name excluding the domain. This is beneficial in environments with multiple domains where there is a desire to query for a user's certificates even if they were requested across multiple domains. Example: Create a certificate search of NetBIOSRequester -contains "%ME-AN%" and save it as a collection. Multiple users can now use this same collection to search for all the certificates on which they were the requester, regardless of domain.Note: Certificate collections saved using the %ME-AN% value are not supported for use in reports or on the dashboard.
- 
                                                                            %ROLES% Use the ROLES special value in place of a specific security role in Owner Role Name queries to return all the certificates that are either marked as owned by a role of which the querying user is a member or not marked as owned by a role of which the querying user is a member. This option can be used only with the -in and -notin operators. Example: Create a certificate search of OwnerRoleName -in "%ROLES%" and save it as a collection called Certificates Owned by My Roles. Multiple users can now use this same collection to view all the certificates in their owner group and take actions on them as applicable. Each user potentially sees a subset of all the certificates in the collection. Let’s say you have security roles Alpha, Beta, and Gamma and users assigned to security role Alpha should only see certificates of a certain type, users assigned to security role Beta should only see certificates of a different type, and users assigned to security role Gamma should only see certificates of a third type. You could create three different certificate collections, each containing only the certificates that the users in Alpha, Beta, and Gamma should see, respectively, and grant certificate collection permissions on these so that only the Alpha users had access to the alpha collection and so forth. But, with the %ROLES% token, you can create a single collection that contains the certificates that all three groups of users should be able to see plus the OwnerRoleName -in "%ROLES%" search string, assign certificate ownership on the certificates appropriately so that the Alpha users own the certificates they should see and so forth, and when an Alpha user opens the collection, he sees only the certificates he should see while when a Beta user opens the collection, he sees different certificates—the certificates he should see.Note: Certificate collections saved using the %ROLES% value are not supported for use in reports or on the dashboard.Note: If the user’s roles have changed, it may take a few minutes for the query to update to reflect the user’s new role membership.
To build a deep link with your search criteria, begin with the following URL (where KEYFACTOR_SERVER_FQDN is the FQDN of your Keyfactor Command administration server):
Your Management Portal may have been configured to use HTTP rather than HTTPS.
Replace YOUR_URL_ENCODED_QUERY with your search criteria as built using the advanced search. The search criteria needs to be URL encoded, so, for example, spaces need to be replaced with %20 and quotation marks with %22. However, many modern browsers will automatically do this for you. A deep link using part of the example search shown above would look something like this without URL encoding:
And with URL encoding, like this:
 ) next to the
) next to the You can also find the help icon ( ) at the top of the page next to the Log Out button. From here you can choose to open either the  Keyfactor Software & Documentation Portal at the home page or the Keyfactor API Endpoint Utility.
) at the top of the page next to the Log Out button. From here you can choose to open either the  Keyfactor Software & Documentation Portal at the home page or the Keyfactor API Endpoint Utility.
Keyfactor provides two sets of documentation: the On-Premises Documentation Suite and the Managed Services Documentation Suite. Which documentation set is accessed is determined by the Application Settings: On-Prem Documentation setting (see Application Settings: Console Tab).
Was this page helpful? Provide Feedback