Certificate Search Page

The available fields for querying vary depending on the area of the Management Portal in which the search is used. On this page, the queries can be done on the following built-in fields:

AltKeySize

Complete or partial matches with the alternative certificate key size The key size or key length is the number of bits in a key used by a cryptographic algorithm..

Close

AltKeyType

The referenced alternative certificate key type The key type identifies the type of key to create when creating a symmetric or asymmetric key. It references the signing algorithm and often key size (e.g. AES-256, RSA-2048, Ed25519).. Supported types are:

• Unknown

• ML-DSA-44

• ML-DSA-65

• ML-DSA-87

Close

AltPublicKey

Exact matches with the certificate alternative public key In asymmetric cryptography, public keys are used together in a key pair with a private key. The private key is retained by the key's creator while the public key is widely distributed to any user or target needing to interact with the holder of the private key. in hexadecimal or base64 format.

Close

AltSigningAlgorithm

Complete or partial matches with the certificate alternative signing algorithm.

Close

ArchivedKey

The certificate’s archived key has been encrypted and saved to the Keyfactor Command database (true/false).

Close

CA

Complete or partial matches with the certificate issuing CA A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA. logical name The logical name of a CA is the common name given to the CA at the time it is created. For Microsoft CAs, this name can be seen at the top of the Certificate Authority MMC snap-in. It is part of the FQDN\Logical Name string that is used to refer to CAs when using command-line tools and in some Keyfactor Command configuration settings (e.g. ca2.keyexample.com\Corp Issuing CA Two)..

Close

CertId

Numeric matches with the Keyfactor Command reference ID for the certificate.

Close

CertificateRenewed

Certificate has already been renewed (true) or has not yet been renewed and can potentially be renewed (false).

Close

CertState

The certificate state:

• Unknown (0)—This certificate entered the system in a manner other than a CA synchronization, so no status from a CA has been reported.
• Active (1)—The normal state for certificates brought in via CA synchronization. The certificate has not been revoked.
• Revoked (2)—The certificate has been revoked either within or outside Keyfactor Command.
• Failed (4)—The certificate has been denied approval at the CA level.
• Pending (5)—The certificate is awaiting approval at the CA level.
• Certificate Authority A certificate authority (CA) is an entity that issues digital certificates. Within Keyfactor Command, a CA may be a Microsoft CA or a Keyfactor gateway to a cloud-based or remote CA. (6)—The certificate synchronized in from a CA synchronization that is indicated to be that CA's own certificate. This state applies to Microsoft CAs only.
• Parent Certificate Authority (7)—The certificate synchronized in from a CA synchronzation that is indicated to be the certificate of a CA further up the chain. This state applies to Microsoft CAs only.
• Waiting for External Validation (8)—The certificate is pending, awaiting approval outside of Keyfactor Command. Generally, the certificate would have been added through one of the Keyfactor Command CA gateways using an EV certificate type.

Close

CertStoreContainer

Certificate is in a certificate store that is included in the container criteria indicated.

Close

CertStoreFQDN

Complete or partial matches with the fully qualified domain name of the computer hosting one or more certificate stores.

This field has an alias of JavaKeystoreFQDN that may be used when querying the field from the Keyfactor API An API is a set of functions to allow creation of applications. Keyfactor offers the Keyfactor API, which allows third-party software to integrate with the advanced certificate enrollment and management features of Keyfactor Command..

Close

CertStorePath

Complete or partial matches on the full path to a certificate store—e.g. /opt/application/mystore.jks or c:\program files\application\mystore.jks.

This field has an alias of JavaKeystorePath that may be used when querying the field from the Keyfactor API.

Close

CN

Complete or partial matches with the certificate common name A common name (CN) is the component of a distinguished name (DN) that represents the primary name of the object. The value varies depending on the type of object. For a user object, this would be the user's name (e.g. CN=John Smith). For SSL certificates, the CN is typically the fully qualified domain name (FQDN) of the host where the SSL certificate will reside (e.g. servername.keyexample.com or www.keyexample.com)..

This field has an alias of IssuedCN that may be used when querying the field from the Keyfactor API.

Close

DN

Complete or partial matches with the certificate distinguished name.

This field has an alias of IssuedDN that may be used when querying the field from the Keyfactor API.

Close

EKU

Complete or partial matches with the extended key usage OID Object identifiers or OIDs are a standardized system for identifying any object, concept, or "thing" with a globally unambiguous persistent name.. For example, the EKU OID for Server Authentication is 1.3.6.1.5.5.7.3.1 and the EKU OID for Client Authentication is 1.3.6.1.5.5.7.3.2. A search for EKU -eq 1.3.6.1.5.5.7.3.1 will return both certificates that have Server Authentication as the only EKU and certificates that have Server Authentication along with one or more other EKUs.

Close

EKUName

Complete or partial matches with the extended key usage Name (e.g. Server Authentication).

Close

ExpirationDate

Certificate expiration before, after, or on a specified date. Supports the %TODAY% token (see Advanced Searches). Be sure to check the Include Expired checkbox to view expired certificates.

This field has an alias of NotAfter that may be used when querying the field from the Keyfactor API.

Close

HasAltPrivateKey

Certificate alternative private key Private keys are used in cryptography (symmetric and asymmetric) to encrypt or sign content. In asymmetric cryptography, they are used together in a key pair with a public key. The private or secret key is retained by the key's creator, making it highly secure. encrypted and stored in the Keyfactor Command database (true/false).

Close

HasPrivateKey

Certificate private key encrypted and stored in the Keyfactor Command database (true/false).

Close

ImportDate

The certificate imported to Keyfactor Command before, after, or on a specified date.

Close

IsHybridCertificate

Certificate has an alternative key pair In asymmetric cryptography, public keys are used together in a key pair with a private key. The private key is retained by the key's creator while the public key is widely distributed to any user or target needing to interact with the holder of the private key. (true/false).

Close

IssuedDate

Certificate issuance before, after, or on a specified date. Supports the %TODAY% token (see Advanced Searches).

This field has aliases of NotBefore and EffectiveDate that may be used when querying the field from the Keyfactor API.

Close

IssuerDN

Complete or partial matches with the certificate issuer’s distinguished name.

Close

KeyfactorRequestId

Numeric matches with the Keyfactor Command reference ID for the certificate request.

Close

KeySize

Complete or partial matches with the certificate key size.

This field has an alias of KeySizeInBits that may be used when querying the field from the Keyfactor API.

Close

KeyType

The referenced certificate key type. Supported types are:

• Unknown

• RSA

• DSA

• ECC Elliptical curve cryptography (ECC) is a public key encryption technique based on elliptic curve theory that can be used to create faster, smaller, and more efficient cryptographic keys. ECC generates keys through the properties of the elliptic curve equation instead of the traditional method of generation as the product of very large prime numbers.

• DH

• Ed448

• Ed25519

• ML-DSA-44 (Dilithium-2)

• ML-DSA-65 (Dilithium-3)

• ML-DSA-87 (Dilithium-5)

Close

KeyUsage

Certificate includes or doesn't include (or is null or not null for) the referenced key usage. Supported key usages are:

• CRLSign

• DataEncipherment

• DecipherOnly

• DigitalSignature

• EncipherOnly

• KeyAgreement

• KeyCertSign

• KeyEncipherment

• NonRepudiation

Close

NetBIOSPrincipal

Complete or partial matches with the certificate principal name in NetBIOS format (DOMAIN\username). Supports the %ME% token (see Advanced Searches).

This field has an alias of PrincipalName that may be used when querying the field from the Keyfactor API.

Close

NetBIOSRequester

Complete or partial matches with the certificate requester’s name in NetBIOS format (DOMAIN\username). Supports the %ME% token (see Advanced Searches).

This field has an alias of RequesterName that may be used when querying the field from the Keyfactor API.

Close

OU

Complete or partial matches with the certificate organizational unit.

Close

OwnerRoleName

Complete matches with one or more certificate owners (security roles) for the certificate(s). Multiple certificate owners should be separated by commas. Multiple values are only supported with the -in and -notin operators. For example:

OwnerRoleName -in "Read Only,Power Users"

Supports the %ROLES% token (see Advanced Searches).

Close

PublicKey

Exact matches with the certificate public key in hexadecimal or base64 format.

Close

RevocationDate

Certificate revocation before, after, or on a specified date, or is null or not null. Be sure to check the Include Revoked checkbox to view revoked certificates. Supports the %TODAY% token (see Advanced Searches).

This field has an alias of RevocationEffDate that may be used when querying the field from the Keyfactor API.

Close

Revoker

Complete or partial matches with the name of the user (DOMAIN\username format) who revoked the certificate. Be sure to check the Include Revoked checkbox to view revoked certificates.

Close

RFC2818Compliant

Certificate is compliant with RFC 2818 (contains a DNS The Domain Name System is a service that translates names into IP addresses. SAN The subject alternative name (SAN) is an extension to the X.509 specification that allows you to specify additional values when enrolling for a digital certificate. A variety of SAN formats are supported, with DNS name being the most common.) and has an EKU of Server Authentication (true/false).

Close

SelfSigned

Certificate is self-signed (true/false).

Close

SerialNumber

Complete, or starts/ends with, or null/not null matches with the certificate serial number.

Close

SigningAlgorithm

Complete or partial matches with the certificate signing algorithm.

Close

SSLDNSName

Complete or partial matches with the DNS name resolved for an SSL TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are protocols for establishing authenticated and encrypted links between networked computers. endpoint An endpoint is a URL that enables the API to gain access to resources on a server..

Close

SSLIPAddress

Complete, or starts/ends with, or null/not null matches with the IP address defined for an SSL endpoint.

This field has an alias of SslHostName that may be used when querying the field from the Keyfactor API.

Close

SSLNetworkName

Complete, or starts/ends with, or null/not null matches with the network name under which an SSL endpoint was found.

Close

SSLPort

Complete or partial numeric matches with the port number defined for an SSL endpoint.

Close

SAN

Complete or partial matches with the certificate subject alternate name(s).

Close

TemplateDisplayName

Complete or partial matches with the certificate template A certificate template defines the policies and rules that a CA uses when a request for a certificate is received. display name.

This field has an alias of TemplateName that may be used when querying the field from the Keyfactor API.

Close

TemplateShortName

Complete or partial matches with the certificate template name.

Close

Thumbprint

Complete or partial matches with the certificate thumbprint value.

Close

You can also do queries based on user-defined metadata Metadata provides information about a piece of data. It is used to summarize basic information about data, which can make working with the data easier. In Keyfactor Command, the certificate metadata feature allows you to create custom metadata fields that allow you to tag certificates with tracking information about certificates. fields (see Certificate Metadata).

The query comparison operators vary depending on the type of field selected and the specific properties of the field. The list below shows the dropdown list comparison operators, as well as the equivalent query language syntax (in parentheses).

Most string fields (the vast majority of the built-in fields) support:

Most date and integer fields support:

Most Boolean (true/false) fields support:

The value you enter for comparison must match the field type. For example, integer fields only support numerical values. String fields support all alphanumeric characters. Boolean fields only support True or False. The value field is not case sensitive. Date fields support only properly formatted dates and will initially display as mm/dd/yyyy. You can choose to populate the date field by:

• Clicking in a date Value field to open a pop-up calendar to select a date that will populate the field.
• Clicking in a segment of the date format (i.e., mm/dd/yyyy) and entering a value. As you continue to type in any one segment, the cursor will keep moving onto the next segment.

On any search page you can click Advanced to the right of the Search button to display the advanced search options. Click Simple to close the advanced search options again.

Multiple Criteria

Using the advanced search options, you can build a query based on multiple criteria using AND/OR logic. As with a simple search, you select a field and comparison operator in the drop-downs and then enter a comparison value, if applicable. Click Insert to add the search criteria to the query field below the selection fields. Use the selection fields to build multiple search criteria. Each time you click the insert button, an AND is added between the previous search criteria and the newly added one. You can change the AND to an OR if desired. You can use parentheses around portions of the query along with AND/OR to change the query meaning.

For example, for certificate searches:

This query will return all the certificates issued on or after January 1, 2022 with the string appsrvr in the CN A common name (CN) is the component of a distinguished name (DN) that represents the primary name of the object. The value varies depending on the type of object. For a user object, this would be the user's name (e.g. CN=John Smith). For SSL certificates, the CN is typically the fully qualified domain name (FQDN) of the host where the SSL certificate will reside (e.g. servername.keyexample.com or www.keyexample.com). and also all certificates issued at any time with the string appsrvr in the CN using a template referencing web. When you have entered all the desired search criteria, click Search to execute the query. If you wish to clear the query field and start over, click the Clear button.

Note:  Multiple OR queries can be slow due to the nature of the query not being indexed and potentially requiring multiple queries of the database. To mitigate this, Keyfactor suggests you create a collection The certificate search function allows you to query the Keyfactor Command database for certificates from any available source based on any criteria of the certificates and save the results as a collection that will be availble in other places in the Management Portal (e.g. expiration alerts and certain reports). for the subset of certificates, using the OR statement as needed, then perform a search starting with that collection and adding any additional conditions using advanced search from the search page. See Saving Search Criteria as a Collection.

In addition to the options available in the query builder, several special values can be used in selected searches by typing them in directly:

%TODAY%

Use the TODAY special value in place of a specific date in date queries. This option supports math operations, so you can use TODAY-10 or TODAY+30. The built-in Certificates Expiring in 7 Days collection uses this special value (see Certificate Collection Management).

Example:  Create a certificate search of IssuedDate -ge "%TODAY-7%" and save it as a collection called Certificates Issued in the Last Week. Create another certificate search of ExpirationDate -lt "%TODAY+60%" and save it as a collection called Certificates Expiring in the Next 60 Days. This allows you to have saved collections containing a comparison date without having to update the date in the collection.

%ME%

Use the ME special value in place of a specific domain\user name in queries that match a domain\user name. The built-in My Certificates collection uses this special value (see Certificate Collection Management).

Example:  Create a certificate search of NetBIOSRequester -contains "%ME%" and save it as a collection. Multiple users can now use this same collection to search for all the certificates on which they were the requester in the current domain.

Note:  Certificate collections saved using the %ME% value are not supported for use in reports or on the dashboard.

%ME-AN%

Use the ME-AN special value in place of a specific user name excluding the domain. This is beneficial in environments with multiple domains where there is a desire to query for a user's certificates even if they were requested across multiple domains.

Example:  Create a certificate search of NetBIOSRequester -contains "%ME-AN%" and save it as a collection. Multiple users can now use this same collection to search for all the certificates on which they were the requester, regardless of domain.

Note:  Certificate collections saved using the %ME-AN% value are not supported for use in reports or on the dashboard.

%ROLES%

Use the ROLES special value in place of a specific security role in Owner Role Name queries to return all the certificates that are either marked as owned by a role of which the querying user is a member or not marked as owned by a role of which the querying user is a member. This option can be used only with the -in and -notin operators.

Example:  Create a certificate search of OwnerRoleName -in "%ROLES%" and save it as a collection called Certificates Owned by My Roles. Multiple users can now use this same collection to view all the certificates in their owner group and take actions on them as applicable. Each user potentially sees a subset of all the certificates in the collection. Let’s say you have security roles Alpha, Beta, and Gamma and users assigned to security role Alpha should only see certificates of a certain type, users assigned to security role Beta should only see certificates of a different type, and users assigned to security role Gamma should only see certificates of a third type. You could create three different certificate collections, each containing only the certificates that the users in Alpha, Beta, and Gamma should see, respectively, and grant certificate collection permissions on these so that only the Alpha users had access to the alpha collection and so forth. But, with the %ROLES% token, you can create a single collection that contains the certificates that all three groups of users should be able to see plus the OwnerRoleName -in "%ROLES%" search string, assign certificate ownership on the certificates appropriately so that the Alpha users own the certificates they should see and so forth, and when an Alpha user opens the collection, he sees only the certificates he should see while when a Beta user opens the collection, he sees different certificates—the certificates he should see.

Note:  Certificate collections saved using the %ROLES% value are not supported for use in reports or on the dashboard.

Note:  If the user’s roles have changed, it may take a few minutes for the query to update to reflect the user’s new role membership.

To build a deep link with your search criteria, begin with the following URL (where KEYFACTOR_SERVER_FQDN is the FQDN of your Keyfactor Command administration server):

Your Management Portal may have been configured to use HTTP rather than HTTPS.

Replace YOUR_URL_ENCODED_QUERY with your search criteria as built using the advanced search. The search criteria needs to be URL encoded, so, for example, spaces need to be replaced with %20 and quotation marks with %22. However, many modern browsers will automatically do this for you. A deep link using part of the example search shown above would look something like this without URL encoding:

And with URL encoding, like this: