The Expiration Report includes table(s) showing detailed information for certificates expiring and expired within the next 12 weeks and CA
A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA. certificates expiring and expired within the next 2 1/2 years. Expired certificates are only included if they have expired within the last 4 weeks.
Figure 75: Certificate Expiration Report: Certificates Expiring within One Week
The export options for the Expiration report are Excel and PDF. The PDF exports in landscape format to accommodate the wide width of the report.
The report includes the following tables:
- Expired Certificates (within the last 4 weeks)
- Certificates less than 1 week from expiration
- Certificates less than 2 weeks from expiration
- Certificates less than 4 weeks from expiration
- Certificates less than 6 weeks from expiration
- Certificates less than 8 weeks from expiration
- Certificates less than 12 weeks from expiration
In addition, tables are shown for CA certificates expiring in the following timeframes relative to the selected report date:
-
CA certificates less than 6 months from expiration
-
CA certificates less than 12 months from expiration
-
CA certificates less than 18 months from expiration
-
CA certificates less than 24 months from expiration
-
CA certificates less than 30 months from expiration
A table is only shown if a certificate or CA in the collection The certificate search function allows you to query the Keyfactor Command database for certificates from any available source based on any criteria of the certificates and save the results as a collection that will be availble in other places in the Management Portal (e.g. expiration alerts and certain reports). matches the expiration time window. A certificate or CA appears in only one table, so, for example, a certificate expiring within 4 weeks does not also appear as expiring within 6 weeks.
The report tables include these fields:
- CN A common name (CN) is the component of a distinguished name (DN) that represents the primary name of the object. The value varies depending on the type of object. For a user object, this would be the user's name (e.g. CN=John Smith). For SSL certificates, the CN is typically the fully qualified domain name (FQDN) of the host where the SSL certificate will reside (e.g. servername.keyexample.com or www.keyexample.com). (Common Name A common name (CN) is the component of a distinguished name (DN) that represents the primary name of the object. The value varies depending on the type of object. For a user object, this would be the user's name (e.g. CN=John Smith). For SSL certificates, the CN is typically the fully qualified domain name (FQDN) of the host where the SSL certificate will reside (e.g. servername.keyexample.com or www.keyexample.com).)
- Template A certificate template defines the policies and rules that a CA uses when a request for a certificate is received.
- Issued On
- Expires On (this is the default sort order)
- Requested By
- Thumbprint
- Serial (Number)
- Issuer (Distinguished Name)
- Metadata Metadata provides information about a piece of data. It is used to summarize basic information about data, which can make working with the data easier. In the context of Keyfactor Command, the certificate metadata feature allows you to create custom metadata fields that allow you to tag certificates with tracking information about certificates. (optional)
Column handling on this report grid has the following features:
- To change the width of a column of the report, hover over the triangle of dots on the right side of the selected column header (
). Click, hold and drag the triangle to change the width of the column. - To rearrange columns on the report display, hover over the rectangle of dots on the left side of the selected column header (
). Click, hold, and drag the rectangle to move the column to your selected location. - Most columns can be sorted in ascending order by clicking on the header of the column. Click the column header again to reverse the sort order.
The input parameters for this report are:
- The certificate collection to report on, including the built-in All Certificates collection. The default is All Certificates.
- The evaluation date to report on. The default is the current date.
- The metadata field(s) to include, if desired.
De-duping is configured on a certificate collection by setting the Ignore renewed certificate results by option when saving a certificate collection (see Saving Search Criteria as a Collection). Certificate collections may be configured to be de-duplicated based on the certificate common name, distinguished name, or principal name (or not at all). Only certificates that share all the EKUs (e.g. Client Authentication and Server Authentication) as well as the same CN, DN A distinguished name (DN) is the name that uniquely identifies an object in a directory. In the context of Keyfactor Command, this directory is generally Active Directory. A DN is made up of attribute=value pairs, separated by commas. Any of the attributes defined in the directory schema can be used to make up a DN. or UPN will be eliminated as duplicates. If a certificate has more than one EKU and at least one EKU does not match an otherwise similar certificate with matching CN, DN or UPN, it will not be eliminated.
For example, if the de-duplication logic was set to DN and the report would include these two certificates:
Certificate one:
- DN: CN=appsrvr14.keyexample.com,OU=IT,O=Key Example, Inc.,L=Chicago,ST=IL,C=US
EKUs: Server Authentication
Issued Date: December 1, 2022
Expiration Date: January 1, 2024
Certificate two:
DN: CN=appsrvr14.keyexample.com,OU=IT,O=Key Example, Inc.,L=Chicago,ST=IL,C=US
EKUs: Server Authentication
Issued Date: December 15, 2022
Expiration Date: December 14, 2023
The de-duplication logic would be triggered because the DNs and EKUs match. The report would include certificate two and leave out certificate one. Notice that certificate two is retained even through certificate one expires after certificate two. This is because certificate two was issued after certificate one.
Now imagine that the de-duplication logic is set to CN and the report would include these two certificates:
Certificate one:
DN: CN=appsrvr14.keyexample.com,OU=IT,O=Key Example, Inc.,L=Chicago,ST=IL,C=US
EKUs: Server Authentication
Issued Date: December 1, 2022
Expiration Date: January 1, 2024
Certificate two:
DN: CN=appsrvr14.keyexample.com,OU=HR,O=Key Example, Inc.,L=Chicago,ST=IL,C=US
EKUs: Server Authentication, Client Authentication
Issued Date: December 15, 2022
Expiration Date: December 14, 2023
Although the DNs for these certificates do not match, the CNs still do, so this matches the de-duplication logic of CN. However, the EKUs for these two certificates do not match, since only one of them includes Client Authentication. In this case, both certificates would appear on the report.