Expiration Report by Days

The Expiration Report by Days shows details, including renewal information, for certificates expiring after a given evaluation date within a time span chosen in days. It can be used, for example, to show you all the certificates in a certificate collection expiring within the next few days. (Certificate collection: the certificate search function allows you to query the Keyfactor Command database for certificates from any available source based on any criteria of the certificates and save the results as a collection that will be available in other places in the Management Portal, e.g. expiration alerts and certain reports.)

The Expiration Report includes a table showing detailed information for certificates expiring in the time frames identified by the parameters evaluation date and number of days. The number of days parameter value must be between 0 and 100. (A parameter or argument is a value that is passed into a function in an application.)

The export options for the Expiration Report by Days are CSV and Excel.

The report tables include these fields:

Column handling on this report grid has the following features:

  • To change the width of a column of the report, hover over the triangle of dots on the right side of the selected column header. Click, hold, and drag the triangle to change the width of the column.
  • To rearrange columns on the report display, hover over the rectangle of dots on the left side of the selected column header. Click, hold, and drag the rectangle to move the column to your selected location.
  • Most columns can be sorted in ascending order by clicking on the header of the column. Click the column header again to reverse the sort order.

The input parameters for this report are:

  • Certificate Collection: Select the certificate collection using the search select list, which includes the built-in option, All Certificates collection. To narrow the list of results in the search select field, begin typing a search string in the search field.

  • The evaluation date for the reporting period. This indicates the starting date for the evaluation period. The default is the current date.
  • The number of days in the reporting period (must be between 0 and 100). The default is 6.
  • A checkbox to include or exclude revoked certificates in report output.
  • A checkbox to include or exclude expired certificates in report output.
  • The metadata field(s) to include, if desired.
Tip:  If you Save a new certificate collection, or Save a change to an existing certificate collection, that change will be immediately reflected in the collection data used to display certificate collections on dashboards and reports. The data used by the dashboards and reports is stored in an intermediate table that is updated immediately. It will also continue to be updated periodically (approximately every 20 minutes by default as configured by the Dashboard Collection Caching Interval application setting) by the Keyfactor Command Service (see Application Settings: Console Tab).
Tip:   This report makes use of the optional certificate de-duplication logic by default. When de-duplication is enabled for a report, the report results will include only the most recently issued certificate if there is more than one certificate that matches the de-duplication criteria. De-duplication is enabled for a report by checking the Ignore Renewed Certificates box on the Details tab of the report configuration (see Report Manager Operations). De-duplication can only be enabled for reports that use certificate collections—the Uses Collection box on the Details tab. The Uses Collection setting is not user-configurable.

De-duping is configured on a certificate collection by setting the Ignore renewed certificate results by option when saving a certificate collection (see Saving Search Criteria as a Collection). Certificate collections may be configured to be de-duplicated based on the certificate common name, distinguished name, or principal name (or not at all). Only certificates that share all the EKUs (e.g. Client Authentication and Server Authentication) as well as the same CN, DN or UPN will be eliminated as duplicates. If a certificate has more than one EKU and at least one EKU does not match an otherwise similar certificate with matching CN, DN or UPN, it will not be eliminated. (A distinguished name (DN) is the name that uniquely identifies an object in a directory. In the context of Keyfactor Command, this directory is generally Active Directory. A DN is made up of attribute=value pairs, separated by commas. Any of the attributes defined in the directory schema can be used to make up a DN.)

For example, suppose the de-duplication logic is set to DN and the report would include these two certificates:

Certificate one:

  • DN: CN=appsrvr14.keyexample.com,OU=IT,O=Key Example, Inc.,L=Chicago,ST=IL,C=US
  • EKUs: Server Authentication

  • Issued Date: December 1, 2022

  • Expiration Date: January 1, 2024

Certificate two:

  • DN: CN=appsrvr14.keyexample.com,OU=IT,O=Key Example, Inc.,L=Chicago,ST=IL,C=US

  • EKUs: Server Authentication

  • Issued Date: December 15, 2022

  • Expiration Date: December 14, 2023

The de-duplication logic would be triggered because the DNs and EKUs match. The report would include certificate two and leave out certificate one. Notice that certificate two is retained even though certificate one expires after certificate two. This is because certificate two was issued after certificate one.

Now imagine that the de-duplication logic is set to CN and the report would include these two certificates:

Certificate one:

  • DN: CN=appsrvr14.keyexample.com,OU=IT,O=Key Example, Inc.,L=Chicago,ST=IL,C=US

  • EKUs: Server Authentication

  • Issued Date: December 1, 2022

  • Expiration Date: January 1, 2024

Certificate two:

  • DN: CN=appsrvr14.keyexample.com,OU=HR,O=Key Example, Inc.,L=Chicago,ST=IL,C=US

  • EKUs: Server Authentication, Client Authentication

  • Issued Date: December 15, 2022

  • Expiration Date: December 14, 2023

Although the DNs for these certificates do not match, the CNs still do, so this matches the de-duplication logic of CN. However, the EKUs for these two certificates do not match, since only one of them includes Client Authentication. In this case, both certificates would appear on the report.
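
The two de-duplication examples above, written out as a Python sketch added here for illustration; it is not Keyfactor Command code. The Cert class, the function names, the simplified DN parsing, the inclusive reporting window and the treatment of certificates with no value for the chosen field are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Cert:
    dn: str
    ekus: frozenset
    issued: date
    expires: date
    upn: str = ""

def common_name(dn):
    # Simplified DN parsing: assumes no escaped commas inside the CN value.
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key.upper() == "CN":
            return value
    return ""

def dedupe(certs, mode):
    """mode is "CN", "DN", "UPN" or None (no de-duplication)."""
    if mode is None:
        return list(certs)
    identity = {"CN": lambda c: common_name(c.dn),
                "DN": lambda c: c.dn,
                "UPN": lambda c: c.upn}[mode]
    newest = {}
    for c in certs:
        key = (identity(c), c.ekus)  # identity AND the full EKU set must match
        if key[0] and (key not in newest or c.issued > newest[key].issued):
            newest[key] = c
    # Assumption: a certificate with no value for the chosen field is never a duplicate.
    return [c for c in certs if not identity(c) or newest[(identity(c), c.ekus)] is c]

def expiring(certs, evaluation_date, days=6):
    # Assumption: both ends of the reporting window are inclusive.
    if not 0 <= days <= 100:
        raise ValueError("number of days must be between 0 and 100")
    end = evaluation_date + timedelta(days=days)
    return [c for c in certs if evaluation_date <= c.expires <= end]

# The certificates from the two examples above.
DN_IT = "CN=appsrvr14.keyexample.com,OU=IT,O=Key Example, Inc.,L=Chicago,ST=IL,C=US"
DN_HR = DN_IT.replace("OU=IT", "OU=HR")
SERVER = frozenset({"Server Authentication"})
BOTH = SERVER | {"Client Authentication"}
ONE = Cert(DN_IT, SERVER, date(2022, 12, 1), date(2024, 1, 1))
TWO = Cert(DN_IT, SERVER, date(2022, 12, 15), date(2023, 12, 14))
TWO_HR = Cert(DN_HR, BOTH, date(2022, 12, 15), date(2023, 12, 14))
```

With DN de-duplication, `dedupe([ONE, TWO], "DN")` keeps only `TWO`, so the later-expiring `ONE` no longer appears on the report; with CN de-duplication, `dedupe([ONE, TWO_HR], "CN")` keeps both because the EKU sets differ.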

Note:  This report is limited to a maximum of 10,000 expiring certificates on which to report. Selecting a certificate collection containing more expiring certificates than this, within the selected reporting period, will result in an error. Selecting a certificate collection containing a large number of certificates to report on can cause the report to take a long time to generate.