Viewing an Existing Certificate Collection

To view an existing certificate collection, either browse to the Certificates dropdown on the Management Portal menu and select the desired collection from the dropdown (if the collection has Show in Navigator set as Yes), or browse to Certificates > Collection Manager from the Management Portal and then select View, or double-click the row, from the Certificate Collection Management grid. (The certificate search function allows you to query the Keyfactor Command database for certificates from any available source based on any criteria of the certificates and save the results as a collection that will be available in other places in the Management Portal, e.g. expiration alerts and certain reports.) When you select the collection for viewing, the search will begin immediately and the certificate search grid will open with the results from the collection. For information on using the certificate search grid, see Certificate Search Page.

Figure 63: View Collection

When viewing an existing collection, you can further refine the collection query by including additional selection criteria in the query field, but these are used in addition to the base query. You are not allowed to clear the base query for the collection, which is displayed above the advanced query field. For example, for the collection shown in Figure 64: Collection with Query Modification, if the user added this in the query field:

CN -notcontains "keyother"

The query would return all the certificates issued in the last 30 days with the string appsrvr in the CN using a template referencing web but without the string keyother in the CN; in other words, the web server certificates for application servers issued in the last 30 days for the keyexample.com domain but not the web server certificates for application servers issued in the last 30 days for the keyother.com domain. A common name (CN) is the component of a distinguished name (DN) that represents the primary name of the object. The value varies depending on the type of object. For a user object, this would be the user's name (e.g. CN=John Smith). For SSL certificates, the CN is typically the fully qualified domain name (FQDN) of the host where the SSL certificate will reside (e.g. servername.keyexample.com or www.keyexample.com). A certificate template defines the policies and rules that a CA uses when a request for a certificate is received.

Figure 64: Collection with Query Modification

Available operations on a certificate collection include Save, Save As, Delete Collection, and viewing Permissions on the certificate collection.

Click Save to edit an existing collection. Click Save As to create a new collection based on the existing collection. You can then edit the search criteria for the new collection without affecting the existing collection. You may change the following about the collection from these options:

  • The collection Name.
  • The collection Description.
  • The collection query Content.

    Users with global read permissions for collections will see the existing collection query in the Content field of the Save Collection dialog with either the Save or Save As option and may edit the existing collection query. Users with collection-level read permissions only (not global read) will not see the existing collection query in the Content field. These users will only be able to append to the existing collection query. Any query added to the Content field will be added with an AND clause together with the existing query. This is done to prevent users with collection-level read permissions from potentially widening the scope of the query and seeing certificates they aren’t supposed to see.

    Figure 65: Save a Collection as a Limited Permissions User

    If you select the Include Revoked or Include Expired check box before clicking Save or Save As, the Content field of the Save Collection dialog will be populated with the existing query in an OR statement along with a query statement appropriate to the include revoked or include expired selection. Users with global read permissions for collections will see both the existing collection query in the Content field and the OR statement. Users with collection-level only permissions will see just the OR statement. For example, if a limited user with collection-level only permissions was working with the collection shown in Figure 65: Save a Collection as a Limited Permissions User, the original query would be:

    CN -startswith "appsrvr" AND CN -contains "keyexample.com" AND IssuerDN -contains "CorpIssuingCA"

    If the user checked the Include Expired box and then clicked Save or Save As, the Content field in the Save Collection dialog would read:

    OR ( (CN -startswith "appsrvr" AND CN -contains "keyexample.com" AND IssuerDN -contains "CorpIssuingCA") AND ExpirationDate -le "%TODAY%" )

    The user could append any query changes to the beginning of the line or the end of the line or leave it as is. The resulting query without modifications would be:

    CN -startswith "appsrvr" AND CN -contains "keyexample.com" AND IssuerDN -contains "CorpIssuingCA" OR ( (CN -startswith "appsrvr" AND CN -contains "keyexample.com" AND IssuerDN -contains "CorpIssuingCA") AND ExpirationDate -le "%TODAY%" )

    The OR statement with both the original query and the original query in an AND statement with ExpirationDate -le %TODAY% is required to include both certificates expiring in the future (the first part of the statement) and certificates expiring today or in the past (the second part of the statement).

  • The Ignore Renewed Cert Results by setting.
  • The Show on Dashboard setting.
  • The Show on Navigator setting.
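The append-only rule for collection-level users described under the query Content item can be modeled as follows. This is an added example, not Keyfactor Command code: the evaluator, the `(base) AND (extra)` grouping, the AND-over-OR precedence, and the certificate inventory are assumptions constructed to show that appended text can only narrow the base result set.

```python
import re

TOKEN = re.compile(r'\(|\)|"[^"]*"|-\w+|\w+')
OPS = {"-contains": lambda s, v: v in s,
       "-notcontains": lambda s, v: v not in s,
       "-startswith": lambda s, v: s.startswith(v)}

def matches(query, cert):
    # Recursive-descent evaluator; AND binds tighter than OR (assumption).
    tokens, pos = TOKEN.findall(query), 0
    def peek():
        return tokens[pos] if pos < len(tokens) else None
    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]
    def factor():
        if peek() == "(":
            take()
            result = expr()
            take()  # consume ")"
            return result
        field, op, value = take(), take(), take().strip('"')
        return OPS[op](cert[field], value)
    def term():
        result = factor()
        while peek() == "AND":
            take()
            result = factor() and result  # always parse the right-hand side
        return result
    def expr():
        result = term()
        while peek() == "OR":
            take()
            result = term() or result
        return result
    return expr()

def search(base, extra, certs):
    # Collection-level users: their text is ANDed onto the fixed base query.
    scoped = f"({base}) AND ({extra})" if extra else base
    return [c["CN"] for c in certs if matches(scoped, c)]

BASE = ('CN -startswith "appsrvr" AND CN -contains "keyexample.com" '
        'AND IssuerDN -contains "CorpIssuingCA"')
CERTS = [  # constructed sample inventory
    {"CN": "appsrvr12.keyexample.com", "IssuerDN": "CN=CorpIssuingCA"},
    {"CN": "appsrvr14.keyother.keyexample.com", "IssuerDN": "CN=CorpIssuingCA"},
    {"CN": "appsrvr80.keyother.com", "IssuerDN": "CN=CorpIssuingCA"},
    {"CN": "websrvr01.keyexample.com", "IssuerDN": "CN=CorpIssuingCA"},
]
```

Whatever is passed as `extra`, including an OR clause naming certificates outside the collection, the names returned are always a subset of `search(BASE, "", CERTS)`.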

The Save and Save As functions are very similar. The Save As function requires that you give the collection a new name to differentiate it from the original collection. Using the Save option, you can also give the collection a different name, which will then save the new collection under this new name and differentiate it from the original collection.

For more information on the Save and Save As options, see Saving Search Criteria as a Collection.

Click Delete Collection to delete the certificate collection. Click Permissions to view collection-level permissions for the collection (see Certificate Collection Permissions).

Note:  Certificate collections that are configured for Certificate Entered Collection or Certificate Left Collection workflows (see Workflow Definition Operations) cannot be edited. This is done to prevent triggering a large number of entered/left workflows.

Tip:  If you Save a new certificate collection, or Save a change to an existing certificate collection, that change will be immediately reflected in the collection data used to display certificate collections on dashboards and reports. The data used by the dashboards and reports is stored in an intermediate table that is updated immediately. It will also continue to be updated periodically (approximately every 20 minutes by default as configured by the Dashboard Collection Caching Interval application setting) by the Keyfactor Command Service (see Application Settings: Console Tab).