Certificate Search Page

The search function allows you to query the database for information. The same query structure is used in multiple locations within the Keyfactor Command Management Portal.

When you first open the page, you will see the simple search option. To execute a search, select the field and comparison operators in the dropdowns and type something on which to search in the value field (if applicable). If you select an "is null" or "is not null" comparison operator, the value field will be grayed out. Click the Search button to execute the query.

Each query consists of three parts:

The available fields for querying vary depending on the area of the Management Portal in which the search is used. On this page, the queries can be done on the following built-in fields:

The certificate’s archived key has been encrypted and saved to the Keyfactor Command database (true/false).

Numeric matches with the Keyfactor Command reference ID for the certificate.

Complete or partial matches with the certificate issuing CAClosed A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA. logical nameClosed The logical name of a CA is the common name given to the CA at the time it is created. For Microsoft CAs, this name can be seen at the top of the Certificate Authority MMC snap-in. It is part of the FQDN\Logical Name string that is used to refer to CAs when using command-line tools and in some Keyfactor Command configuration settings (e.g. ca2.keyexample.com\Corp Issuing CA Two)..

The certificate state; Unknown, Active, Revoked, CertificateAuthority, ParentCertificateAuthority.

Complete or partial matches with the fully qualified domain name of the computer hosting one or more certificate stores.

This field has an alias of JavaKeystoreFQDN that may be used when querying the field from the Keyfactor APIClosed A set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command..

Complete or partial matches on the full path to a certificate store—e.g. /opt/application/mystore.jks or c:\program files\application\mystore.jks.

This field has an alias of JavaKeystorePath that may be used when querying the field from the Keyfactor API.

Certificate is in a certificate store that is included in the container criteria indicated.

Complete or partial matches with the certificate common nameClosed A common name (CN) is the component of a distinguished name (DN) that represents the primary name of the object. The value varies depending on the type of object. For a user object, this would be the user's name (e.g. CN=John Smith). For SSL certificates, the CN is typically the fully qualified domain name (FQDN) of the host where the SSL certificate will reside (e.g. servername.keyexample.com or www.keyexample.com)..

This field has an alias of IssuedCN that may be used when querying the field from the Keyfactor API.

Complete or partial matches with the certificate distinguished name.

This field has an alias of IssuedDN that may be used when querying the field from the Keyfactor API.

Certificate expiration before, after, or on a specified date. Supports the %TODAY% token (see Advanced Searches). Be sure to check the Include Expired checkbox to view expired certificates.

This field has an alias of NotAfter that may be used when querying the field from the Keyfactor API.

Complete or partial matches with the certificate templateClosed A certificate template defines the policies and rules that a CA uses when a request for a certificate is received. OIDClosed Object identifiers or OIDs are a standardized system for identifying any object, concept, or "thing" with a globally unambiguous persistent name..

Complete or partial matches with the certificate template Name.

Certificate private keyClosed Private keys are used in cryptography (symmetric and asymmetric) to encrypt or sign content. In asymmetric cryptography, they are used together in a key pair with a public key. The private or secret key is retained by the key's creator, making it highly secure. encrypted and stored in the Keyfactor Command database (true/false).

The certificate imported to Keyfactor Command before, after, or on a specified date.

Certificate issuance before, after, or on a specified date. Supports the %TODAY% token (see Advanced Searches).

This field has aliases of NotBefore and EffectiveDate that may be used when querying the field from the Keyfactor API.

Complete or partial matches with the certificate issuer’s distinguished name.

Complete or partial matches with the certificate key sizeClosed The key size or key length is the number of bits in a key used by a cryptographic algorithm..

This field has an alias of KeySizeInBits that may be used when querying the field from the Keyfactor API.

The selected certificate key typeClosed The key type identifies the type of key to create when creating a symmetric or asymmetric key. It references the signing algorithm and often key size (e.g. AES-256, RSA-2048, Ed25519).; Unknown, RSA, DSA, ECCClosed Elliptical curve cryptography (ECC) is a public key encryption technique based on elliptic curve theory that can be used to create faster, smaller, and more efficient cryptographic keys. ECC generates keys through the properties of the elliptic curve equation instead of the traditional method of generation as the product of very large prime numbers., DH.

Certificate includes or doesn't include (or is null or not null for) the selected key usage; CRLSign, DataEncipherment, DecipherOnly, DigitalSignature, EncipherOnly, KeyAgreement, KeyCertSign, KeyEncipherment, NonRepudiation.

Complete or partial matches with the certificate principal name in NetBIOS format (DOMAIN\username). Supports the %ME% token (see Advanced Searches).

This field has an alias of PrincipalName that may be used when querying the field from the Keyfactor API.

Complete or partial matches with the certificate requester’s name in NetBIOS format (DOMAIN\username). Supports the %ME% token (see Advanced Searches).

This field has an alias of RequesterName that may be used when querying the field from the Keyfactor API.

Complete or partial matches with the certificate organizational unit.

Exact matches with the certificate public keyClosed In asymmetric cryptography, public keys are used together in a key pair with a private key. The private key is retained by the key's creator while the public key is widely distributed to any user or target needing to interact with the holder of the private key. in hexadecimal or base64 format.

Certificate revocation before, after, or on a specified date, or is null or not null. Be sure to check the Include Revoked checkbox to view revoked certificates. Supports the %TODAY% token (see Advanced Searches).

This field has an alias of RevocationEffDate that may be used when querying the field from the Keyfactor API.

Complete or partial matches with the name of the user (DOMAIN\username format) who revoked the certificate. Be sure to check the Include Revoked checkbox to view revoked certificates.

Certificate is compliant with RFC 2818 (contains a DNSClosed The Domain Name System is a service that translates names into IP addresses. SANClosed The subject alternative name (SAN) is an extension to the X.509 specification that allows you to specify additional values when enrolling for a digital certificate. A variety of SAN formats are supported, with DNS name being the most common.) (true/false).

Certificate is self-signed (true/false).

Complete, or starts/ends with, or null/not null matches with the certificate serial number.

Complete or partial matches with the certificate signing algorithm.

Complete or partial matches with the DNS name resolved for an SSLClosed TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are protocols for establishing authenticated and encrypted links between networked computers. endpointClosed An endpoint is a URL that enables the API to gain access to resources on a server..

Complete, or starts/ends with, or null/not null matches with the IP address defined for an SSL endpoint.

This field has an alias of SslHostName that may be used when querying the field from the Keyfactor API.

Complete, or starts/ends with, or null/not null matches with the network name under which an SSL endpoint was found.

Complete or partial numeric matches with the port number defined for an SSL endpoint.

Complete or partial matches with the certificate subject alternate name(s).

Complete or partial matches with the certificate template display name.

This field has an alias of TemplateName that may be used when querying the field from the Keyfactor API.

Complete or partial matches with the certificate template name.

Complete or partial matches with the certificate thumbprint value.

You can also do queries based on user-defined metadataClosed Metadata provides information about a piece of data. It is used to summarize basic information about data, which can make working with the data easier. In the context of Keyfactor Command, the certificate metadata feature allows you to create custom metadata fields that allow you to tag certificates with tracking information about certificates. fields (see Certificate Metadata).

The query comparison operators vary depending on the type of field selected and the specific properties of the field. The list below shows the dropdown list comparison operators, as well as the equivalent query language syntax (in parentheses).

Most string fields (the vast majority of the built-in fields) support:

  • Is equal to (-eq)
  • Is not equal to (-ne)
  • Contains (-contains)
  • Does not contain (-notcontains)
  • Starts with (-startswith)
  • Ends with (-endswith)
  • Is null (-eq NULL)
  • Is not null (-ne NULL)

Most date and integer fields support:

  • Is equal to (-eq)
  • Is not equal to (-ne)
  • Is less than (-lt)
  • Is less than or equal to (-le)
  • Is greater than (-gt)
  • Is greater than or equal to (-ge)
  • Is null (-eq NULL)
  • Is not null (-ne NULL)

Most Boolean (true/false) fields support:

  • Is equal to (-eq)
  • Is not equal to (-ne)
  • Is null (-eq NULL)
  • Is not null (-ne NULL)

The value you enter for comparison must match the field type. For example, integer fields only support numerical values. String fields support all alphanumeric characters. Boolean fields only support True or False. The value field is not case sensitive. Date fields support only properly formatted dates and will initially display as mm/dd/yyyy. You can choose to populate the date field by:

  • Clicking in a date Value field to open a pop-up calendar to select a date that will populate the field.
  • Clicking in a segment of the date format (i.e., mm/dd/yyyy) and entering a value. As you continue to type in any one segment, the cursor will keep moving onto the next segment.

The results that match your search criteria will be displayed in the results grid below the search selection options. The results grid includes these fields:

The distinguished name of the certificate subject.

The date the certificate was imported to Keyfactor Command. This field will auto populate on any new imports/enrollments of certificates. On an upgrade, this field will be populated in existing certificates from the certificate operation history.

The date the certificate was issued or became active.

The date the certificate expires.

The common name of the certificate subject.

The distinguished name of the certificate issuer.

The short name of the template used to issue the certificate.

The identity that the certificate represents. The principal name field is populated during certificate synchronization by the user principal name (UPN) extracted from Active Directory if there is a principal name in the certificate subject alternative nameClosed The subject alternative name (SAN) is an extension to the X.509 specification that allows you to specify additional values when enrolling for a digital certificate. A variety of SAN formats are supported, with DNS name being the most common. (SAN).

The user or entity that requested the certificate.

The server(s), if any, that the certificate is hosted on (e.g. for SSL certificates). If the certificate is found on multiple servers, this field will show the number of servers on which it was found and the location type (e.g. "4 SSL" or "6 JKSClosed A Java KeyStore (JKS) is a file containing security certificates with matching private keys. They are often used by Java-based applications for authentication and encryption."). The specific server names can be found in the certificate details.

The key type of the certificate.

The key size of the certificate.

The certificate state options are:

Figure 28: Certificate Search

The search results can be sorted by clicking on a column header in the results grid for every column (except Certificate Locations, Key Type, and Certificate State). Click the column header again to reverse the sort order. The grid columns can be arranged in any order desired by click-holding and dragging the header of the column you wish to move. The column widths may be adjusted by click-holding and dragging the line separating two column headers.

You can click the Include Revoked and/or Include Expired buttons at the top of the results grid to toggle inclusion of revoked or expired certificates in the results. By default they are excluded.

The rest of the buttons at the top of the display grid are used to interact with the certificates displayed in the results grid. Some buttons are grayed out until you click on a grid row. Other certificate functions are available on the right-click menu. To open the right-click menu, highlight a row in the results grid and right-click. You can also double-click a certificate row in the results grid to open the Certificate Details (see Certificate Details).

To select a single row in the grid, click to highlight it and then select an operation from either the top of the grid or the right-click menu. Some of the certificate operations support action on multiple certificates at once. To select multiple rows, hold down the CTRL key and click each row on which you would like to perform an operation, or tick the check box next to the row. Then select an operation from the top of the grid. The right-click menu supports limited operations on the multiple certificates.

On any search page you can click Advanced to the right of the Search button to display the advanced search options. Click Simple to close the advanced search options again.

Multiple Criteria

Using the advanced search options, you can build a query based on multiple criteria using AND/OR logic. As with a simple search, you select a field and comparison operator in the drop-downs and then enter a comparison value, if applicable. Click Insert to add the search criteria to the query field below the selection fields. Use the selection fields to build multiple search criteria. Each time you click the insert button, an AND is added between the previous search criteria and the newly added one. You can change the AND to an OR if desired. You can use parentheses around portions of the query along with AND/OR to change the query meaning.

For example, for certificate searches:

(CN -contains "appsrvr" AND IssuedDate -ge "01/01/2022") OR (CN -contains "appsrvr" AND TemplateShortName -contains "web")

This query will return all the certificates issued on or after January 1, 2022 with the string "appsrvr" in the CNClosed A common name (CN) is the component of a distinguished name (DN) that represents the primary name of the object. The value varies depending on the type of object. For a user object, this would be the user's name (e.g. CN=John Smith). For SSL certificates, the CN is typically the fully qualified domain name (FQDN) of the host where the SSL certificate will reside (e.g. servername.keyexample.com or www.keyexample.com). and also all certificates issued at any time with the string "appsrvr" in the CN using a template referencing Web. When you have entered all the desired search criteria, click Search to execute the query. If you wish to clear the query field and start over, click the Clear button.

Note:  Multiple "OR" queries can be slow due to the nature of the query not being indexed and potentially requiring multiple queries of the database. To mitigate this, we suggest you create a collectionClosed The certificate search function allows you to query the Keyfactor Command database for certificates from any available source based on any criteria of the certificates and save the results as a collection that will be availble in other places in the Management Portal (e.g. expiration alerts and certain reports). for the subset of certificates, using the "OR" statement as needed, then perform a search starting with that collection and adding any additional conditions using advanced search from the search page. See Saving Search Criteria as a Collection.

In addition to the options available in the query builder, three special values can be used in selected searches by typing them in directly:

  • %TODAY%
    Use the TODAY special value in place of a specific date in date queries. This option supports math operations, so you can use TODAY-10 or TODAY+30. The built-in Certificates Expiring in 7 Days collection uses this special value (see Certificate Collection Manager).
    Example:  Create a certificate search of IssuedDate -ge "%TODAY-7%" and save it as a collection called Certificates Issued in the Last Week. Create another certificate search of ExpirationDate -lt "%TODAY+60%" and save it as a collection called Certificates Expiring in the Next 60 Days. This allows you to have saved collections containing a comparison date without having to update the date in the collection.
  • %ME%
    Use the ME special value in place of a specific domain\user name in queries that match a domain\user name. The built-in My Certificates collection uses this special value (see Certificate Collection Manager).
    Example:  Create a certificate search of NetBIOSRequester -contains "%ME%" and save it as a collection. Multiple users can now use this same collection to search for all the certificates on which they were the requester in the current domain.
    Note:  Certificate collections saved using the %ME% value are not supported for use in reports or on the dashboard.
  • %ME-AN%
    Use the ME-AN special value in place of a specific user name excluding the domain. This is beneficial in environments with multiple domains where there is a desire to query for a user's certificates even if they were requested across multiple domains.
    Example:  Create a certificate search of NetBIOSRequester -contains "%ME-AN%" and save it as a collection. Multiple users can now use this same collection to search for all the certificates on which they were the requester, regardless of domain.
    Note:  Certificate collections saved using the %ME-AN% value are not supported for use in reports or on the dashboard.
Important:  The special query options of %TODAY%, %ME%, and %ME-AN% are only supported in uppercase. Lowercase equivalents (e.g. %me%) cannot be substituted.

To build a deep link with your search criteria, begin with the following URL (where KEYFACTOR_SERVER_FQDN is the FQDN of your Keyfactor Command administration server):

https://KEYFACTOR_SERVER_FQDN/keyfactorportal/CertificateCollection/Query?query=YOUR_URL_ENCODED_QUERY

Your Management Portal may have been configured to use HTTP rather than HTTPS.

Replace YOUR_URL_ENCODED_QUERY with your search criteria as built using the advanced search. The search criteria needs to be URL encoded, so, for example, spaces need to be replaced with %20 and quotation marks with %22. However, many modern browsers will automatically do this for you. A deep link using part of the example search shown above would look something like this without URL encoding:

https://keyfactor.keyexample.com/keyfactorportal/CertificateCollection/Query?query=CN -contains "appsrvr"

And with URL encoding, like this:

https://keyfactor.keyexample.com/keyfactorportal/CertificateCollection/Query?query=CN%20-contains%20%22appsrvr%22
Tip:  Click the help icon () next to the Certificate Search Page page title to open the embedded web copy of the Keyfactor Command Reference Guide to this section.

You can also find the help icon at the top of the page next to the Log Out button. From here you can choose to open either the Keyfactor Command Documentation Suite at the home page or the Keyfactor API Endpoint Utility.