Certificate Manager overview
With Tanium Certificate Manager, you can gain complete visibility into the digital certificates across your Windows, macOS, and Linux endpoints.
With weak encryption and expired certificates, endpoint communications are at risk of interception and critical business services are at risk of outages. You can use Certificate Manager to find and alert on expired or expiring certificates and to gain visibility into certificate encryption strength.
Certificate Manager provides dashboards, reports, sensors, and packages that you can use to:
- Find expired or expiring certificates
- Identify weak cryptographic algorithms and key lengths
- View self-signed and unauthorized CA certificates
- Inventory TLS ciphers for listening services
- Send reports with certificate details using Tanium™ Connect
Certificate Manager dashboard
The Certificate Manager dashboard in Tanium™ Reporting and the Certificate Manager Overview page include the Overview, Listening SSL/TLS Services Certificate and Cipher Inventory, and All Certificates sections, with the following chart panels:
- Overview
  - Total Certificates Inventoried
  - Total Endpoints Inventoried
  - Total Listening Service Certificates Inventoried
  - Total Root Certificates Inventoried
  - Certificate Manager Endpoint Coverage
- Listening SSL/TLS Services Certificate and Cipher Inventory
  - Listening Service Certificates Expiring in 30 Days
  - Listening Service Short Keys
  - Listening Service Weak Signature Hash Algorithms
  - Listening Services with Wildcard Certificates
  - Listening Service Certificate Authorized CA Status
  - Certificate Expiration on Listening Services
  - Listening Services Accepting Unapproved Ciphers
  - Listening Services Accepting Unapproved Ciphers Over Time
  - Listening Service Cipher Inventory
- All Certificates
  - Expired Certificates
  - Wildcard Certificates
  - Weak Signature Hash Algorithms
  - Total Short Keys
  - Expiring within 30 Days
  - Certificate Expiration
  - Certificate Sources
  - Certificate Issuers
For more information, see View the Certificate Manager dashboard in Tanium Reporting.
Certificate Manager reports
The following Certificate Manager reports are available in Tanium Reporting and the Certificate Manager Overview page:
- Certificate Manager - Cipher Inventory
- Certificate Manager - Current Coverage Status Details
- Certificate Manager - Expired Certificates
- Certificate Manager - Inventoried Certificates
- Certificate Manager - Listening Service Certificate Details
- Certificate Manager - Listening Service Certificates Expiring within 30 Days
- Certificate Manager - Listening Service Cipher Suite Details
- Certificate Manager - Listening Services Accepting Unapproved Ciphers
- Certificate Manager - Listening Service Short Keys
- Certificate Manager - Listening Service SSL Certificate Details
- Certificate Manager - Listening Service Weak Signatures
- Certificate Manager - Listening Service Wildcard Certificates
- Certificate Manager - Root Certificate Details
For more information, see Managing certificates.
Certificate Manager packages
Certificate Manager provides the following packages that you can deploy to gather certificate data from your endpoints:
- Certificate Audit [Non-Windows]
- Certificate Audit [Windows]
- Certificate Audit Add Port Exclusions [Non-Windows]
- Certificate Audit Add Port Exclusions [Windows]
- Certificate Audit Delete Port Exclusions [Non-Windows]
- Certificate Audit Delete Port Exclusions [Windows]
For more information, see Deploying certificate audits.
Certificate sources
A certificate source is where Certificate Manager finds the certificates on the endpoint. The Certificate Sources chart panel in the Certificate Manager dashboard shows the top 10 certificate locations.
The following table describes where and how Certificate Manager finds certificates on each of the supported OS platforms.
Certificate discovery method | Platforms | Locations | Unique capabilities | Customization |
---|---|---|---|---|
Listen ports* | | All ports except for the Tanium Client and Tanium Client API ports | | |
File | Linux | | None | Exclusion List in Certificate Manager Settings |
Windows Certificate Store | Windows | User Store for signed-in users | None | Exclusion List in Certificate Manager Settings |

* Only one certificate is audited for each port.
Certificate Details sensor
The Certificate Details sensor includes the following columns:
Column name | Description |
---|---|
Source | Certificate source of the certificate that is captured by the Certificate Audit action |
Location | Specific location of the certificate within the certificate source |
Subject | Full subject of the captured certificate |
Issuer | Certificate issuing authority |
Not Before | Start date of the certificate validity |
Not After | Expiration date of the certificate |
Expiration Status | Length of time until the certificate expires |
Public Key Algorithm | Type of public key algorithm that the certificate uses |
Public Key Bit Size | Public key length of the certificate |
Signature Algorithm | Type of signature algorithm that the certificate uses |
Signature Hash Algorithm | Signature hashing algorithm strength of the certificate |
Subject Alternative Name | Additional host names for the certificate |
Common Name | Common name of the certificate |
Is Wildcard | Boolean value that indicates whether the certificate common name includes a wildcard character (*) |
SHA256 Thumbprint | String of 64 hexadecimal digits that identifies the specific certificate in a certificate store |
SHA1 Thumbprint | String of 40 hexadecimal digits that identifies the specific certificate in a certificate store |
MD5 Thumbprint | String of 32 hexadecimal digits that identifies the specific certificate in a certificate store |
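
The sensor columns above carry everything needed to reproduce the dashboard's risk panels (expired, expiring within 30 days, short keys, weak signature hashes, wildcards, self-signed). The following Python triage is an added example, not Tanium code: it runs over a constructed CSV export of those columns, and the CSV layout, the ISO 8601 date format, and the key-size and hash thresholds are assumptions rather than values from the product.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample rows. Column names follow the Certificate Details sensor;
# the CSV layout and the date format are assumptions.
SAMPLE_CSV = """Location,Subject,Issuer,Not After,Public Key Algorithm,Public Key Bit Size,Signature Hash Algorithm,Is Wildcard
443,CN=app.example.test,CN=Example Issuing CA,2030-01-01T00:00:00Z,RSA,2048,SHA256,False
8443,CN=*.example.test,CN=Example Issuing CA,2024-01-20T00:00:00Z,RSA,2048,SHA256,True
/etc/ssl/old.pem,CN=legacy.example.test,CN=legacy.example.test,2023-06-01T00:00:00Z,RSA,1024,SHA1,False
"""

# Assumed policy thresholds (not taken from the product documentation).
MIN_KEY_BITS = {"RSA": 2048, "DSA": 2048, "ECDSA": 256}
WEAK_HASHES = {"MD5", "SHA1"}


def triage(csv_text, now, window_days=30):
    """Return {Location: [flags]} for every certificate row with a finding."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        flags = []
        not_after = datetime.fromisoformat(row["Not After"].replace("Z", "+00:00"))
        if not_after <= now:
            flags.append("expired")
        elif not_after - now <= timedelta(days=window_days):
            flags.append("expiring")
        alg = row["Public Key Algorithm"].upper()
        # Unknown algorithms get a floor of 0 and are never flagged here.
        if int(row["Public Key Bit Size"]) < MIN_KEY_BITS.get(alg, 0):
            flags.append("short-key")
        if row["Signature Hash Algorithm"].upper().replace("-", "") in WEAK_HASHES:
            flags.append("weak-hash")
        if row["Is Wildcard"].strip().lower() == "true":
            flags.append("wildcard")
        # Heuristic: Subject equal to Issuer means self-issued; proving a
        # certificate is self-signed requires verifying its signature.
        if row["Subject"] == row["Issuer"]:
            flags.append("self-signed")
        if flags:
            findings[row["Location"]] = flags
    return findings


if __name__ == "__main__":
    as_of = datetime(2024, 1, 1, tzinfo=timezone.utc)
    for location, flags in triage(SAMPLE_CSV, as_of).items():
        print(f"{location}: {', '.join(flags)}")
```
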
Interoperability with other Tanium products
Certificate Manager works with Tanium Endpoint Configuration and Tanium Reporting to provide reporting of related data.
Endpoint Configuration
Enable approvals for endpoint configuration changes. For more information, see Tanium Endpoint Configuration User Guide.
Reporting
View the Certificate Manager dashboard and reports in Tanium Reporting. For more information, see Tanium Reporting User Guide: Reporting Overview.
You can also use the Tanium Reporting (Source Data) source in Tanium Connect to send Certificate Manager data to multiple destinations. For more information, see Email a report of expiring certificates with Tanium Connect.
Last updated: 9/26/2023 9:41 AM