Viewing an Existing Certificate Collection

To view an existing certificate collectionClosed The certificate search function allows you to query the Keyfactor Command database for certificates from any available source based on any criteria of the certificates and save the results as a collection that will be availble in other places in the Management Portal (e.g. expiration alerts and certain reports)., either browse to the Certificates dropdown on the Management Portal menu and select the desired collection from the dropdown (if the collection has Show in Navigator set as Yes), or browse to Certificates > Collection Management from the Management Portal and then select View, or double-click the row, from the Certificate Collection Management grid. When you select the collection for viewing, the search will begin immediately and the certificate search grid will open with the results from the collection. For information on using the certificate search grid, see Certificate Search Page.

Tip:  Most Certificate Operations are available from the right click menu for certificates in the collection view.

Figure 66: View Collection

View Certificate Collections Operations

Available operations when viewing a certificate collection include:

  • Save -Click Save to save an existing collection with a new name. You cannot overwrite an existing collection. You will receive an error if you enter a duplicate name.

    Figure 67: Save Duplicate Collection Error

  • Save As - Click Save As to create a new collection based on the existing collection (see Refining a Collection View). You can then edit the search criteria for the new collection without affecting the existing collection. You may change any of the collection settings.

    Tip:  The Save and Save As functions are very similar. The Save As function requires that you give the collection a new name to differentiate it from the original collection. Using the Save option, you can also give the collection a different name, which will then save the new collection under this new name and differentiate it from the original collection. See Saving Search Criteria as a Collection for more information on creating collections.

    Figure 68: Save Collection Dialog

  • Delete Collection - Select a row and click Delete to delete the certificate collection.

    Figure 69: Delete Collection Confirmation

  • Permissions - Select a row and click Permissions from the action menu to view collection level permission for the collection (see Certificate Collection Permissions for how to change collection permissions).

    Figure 70: Collection Permissions

Refining a Collection View
Note:  Certificate collections that are configured for Certificate Entered Collection or Certificate Left Collection workflows (see Workflow Definition Operations) cannot be edited. This is done to prevent triggering a large number of entered/left workflows.

When viewing an existing collection, you can further refine the collection query by including additional selection criteria in the query field, but these are used in addition to the base query.

You are not allowed to clear the base query for the collection, which is displayed above the advanced query field. For example, for the collection shown in Figure 71: Collection with Query Modification, if the user added this in the query field:

CN -notcontains "keyother"

The query would return all the certificates issued in the last 30 days with the string appsrvr in the CNClosed A common name (CN) is the component of a distinguished name (DN) that represents the primary name of the object. The value varies depending on the type of object. For a user object, this would be the user's name (e.g. CN=John Smith). For SSL certificates, the CN is typically the fully qualified domain name (FQDN) of the host where the SSL certificate will reside (e.g. servername.keyexample.com or www.keyexample.com). using a templateClosed A certificate template defines the policies and rules that a CA uses when a request for a certificate is received. referencing web but without the string keyother in the CN—in other words, the web server certificates for application servers issued in the last 30 days for the keyexample.com domain but not the web server certificates for application servers issued in the last 30 days for the keyother.com domain.

Note:  Users with global read permissions for collections will see the existing collection query in the Content field of the Save Collection dialog with either the Save or Save As option and may edit the existing collection query. Users with collection-level read permissions only (not global read) will not see the existing collection query in the Content field. These users will only be able to append to the existing collection query. Any query added to the Content field will be added with an AND clause together with the existing query. This is done to prevent users with collection-level read permissions from potentially widening the scope of the query and seeing certificates they aren’t supposed to see.

Figure 71: Collection with Query Modification

Figure 72: Save a Collection as a Limited Permissions User

If you select the Include Revoked or Include Expired check box before clicking Save or Save As, the Content field of the Save Collection dialog will be populated with the existing query in an OR statement along with a query statement appropriate to the include revoked or include expired selection. Users with global read permissions for collections will see both the existing collection query in the Content field and the OR statement. Users with collection-level only permissions will see just the OR statement. For example, if a limited user with collection-level only permissions was working with the collection shown in Figure 72: Save a Collection as a Limited Permissions User, the original query would be:

CN -startswith "appsrvr" AND CN -contains "keyexample.com" AND IssuerDN -contains "CorpIssuingCA"

If the user checked the Include Expired box and then clicked Save or Save As, the Content field in the Save Collection dialog would read:

OR ( (CN -startswith "appsrvr" AND CN -contains "keyexample.com" AND IssuerDN -contains "CorpIssuingCA") AND ExpirationDate -le "%TODAY%" )

The user could append any query changes to the beginning of the line or the end of the line or leave it as is. The resulting query without modifications would be:

CN -startswith "appsrvr" AND CN -contains "keyexample.com" AND IssuerDN -contains "CorpIssuingCA" OR ( (CN -startswith "appsrvr" AND CN -contains "keyexample.com" AND IssuerDN -contains "CorpIssuingCA") AND ExpirationDate -le "%TODAY%" )

The OR statement with both the original query and the original query in an AND statement with ExpirationDate -le %TODAY% is required to include both certificates expiring in the future (the first part of the statement) and certificates expiring today or in the past (the second part of the statement).

Tip:  If you Save a new certificate collection, or Save a change to an existing certificate collection, that change will be immediately reflected in the collection data used to display certificate collections on dashboards and reports. The data used by the dashboards and reports is stored in an intermediate table that is updated immediately. It will also continue to be updated periodically (approximately every 20 minutes by default as configured by the Dashboard Collection Caching Interval application setting) by the Keyfactor Command Service (see Application Settings: Console Tab).