Certificate Manager overview

With Tanium Certificate Manager, you can gain complete visibility into the digital certificates across your Windows, macOS, and Linux endpoints.

With weak encryption and expired certificates, endpoint communications are at risk of interception and critical business services are at risk of outages. You can use Certificate Manager to find and alert on expired or expiring certificates and to gain visibility into certificate encryption strength.

Certificate Manager provides dashboards, reports, sensors, and packages that you can use to:

  • Find expired or expiring certificates
  • Identify weak cryptographic algorithms and key lengths
  • View self-signed and unauthorized CA certificates
  • Inventory TLS ciphers for listening services
  • Send reports with certificate details using Tanium™ Connect

Certificate Manager dashboard

The Certificate Manager dashboard in Tanium™ Reporting and the Certificate Manager Overview page include the Overview, Listening SSL/TLS Services Certificate and Cipher Inventory, and All Certificates sections, with the following chart panels:

  • Overview
    • Total Certificates Inventoried
    • Total Endpoints Inventoried
    • Total Listening Service Certificates Inventoried
    • Total Root Certificates Inventoried
    • Certificate Manager Endpoint Coverage
  • Listening SSL/TLS Services Certificate and Cipher Inventory
    • Listening Service Certificates Expiring in 30 Days
    • Listening Service Short Keys
    • Listening Service Weak Signature Hash Algorithms
    • Listening Services with Wildcard Certificates
    • Listening Service Certificate Authorized CA Status
    • Certificate Expiration on Listening Services
    • Listening Services Accepting Unapproved Ciphers
    • Listening Services Accepting Unapproved Ciphers Over Time
    • Listening Service Cipher Inventory
  • All Certificates
    • Expired Certificates
    • Wildcard Certificates
    • Weak Signature Hash Algorithms
    • Total Short Keys
    • Expiring within 30 Days
    • Certificate Expiration
    • Certificate Sources
    • Certificate Issuers

For more information, see View the Certificate Manager dashboard in Tanium Reporting.

Certificate Manager reports

The following Certificate Manager reports are available in Tanium Reporting and the Certificate Manager Overview page:

  • Certificate Manager - Cipher Inventory
  • Certificate Manager - Current Coverage Status Details
  • Certificate Manager - Expired Certificates
  • Certificate Manager - Inventoried Certificates
  • Certificate Manager - Listening Service Certificate Details
  • Certificate Manager - Listening Service Certificates Expiring within 30 Days
  • Certificate Manager - Listening Service Cipher Suite Details
  • Certificate Manager - Listening Services Accepting Unapproved Ciphers
  • Certificate Manager - Listening Service Short Keys
  • Certificate Manager - Listening Service SSL Certificate Details
  • Certificate Manager - Listening Service Weak Signatures
  • Certificate Manager - Listening Service Wildcard Certificates
  • Certificate Manager - Root Certificate Details

For more information, see Managing certificates.

Certificate Manager packages

Certificate Manager provides the following packages that you can deploy to gather certificate data from your endpoints:

  • Certificate Audit [Non-Windows]
  • Certificate Audit [Windows]
  • Certificate Audit Add Port Exclusions [Non-Windows]
  • Certificate Audit Add Port Exclusions [Windows]
  • Certificate Audit Delete Port Exclusions [Non-Windows]
  • Certificate Audit Delete Port Exclusions [Windows]

For more information, see Deploying certificate audits.

Certificate sources

A certificate source is where Certificate Manager finds the certificates on the endpoint. The Certificate Sources chart panel in the Certificate Manager dashboard shows the top 10 certificate locations.

The following table describes where and how Certificate Manager finds certificates on each of the supported OS platforms.

Certificate discovery method: Listen ports*
  Platforms: Windows, Linux, macOS
  Locations: All ports except for the Tanium Client and Tanium Client API ports
  Unique capabilities:
    • Quantum Computer Vulnerable Ciphers
    • Authorized Certificate Authority (CA)
    • Cipher Strength
    • Owning Process
  Customization:
    • Certificate Audit Add Port Exclusions
    • Certificate Audit Delete Port Exclusions

Certificate discovery method: File
  Platforms: Linux
  Locations:
    • /etc/pki/*
    • /etc/ssl/*
  Unique capabilities: None
  Customization: Exclusion List in Certificate Manager Settings

Certificate discovery method: Windows Certificate Store
  Platforms: Windows
  Locations: User Store for signed-in users
  Unique capabilities: None
  Customization: Exclusion List in Certificate Manager Settings

* Only one certificate is audited for each port.

Certificate Details sensor

The Certificate Details sensor includes the following columns:

Column name               Description
Source                    Certificate source from which the Certificate Audit action captured the certificate
Location                  Specific location of the certificate within the certificate source
Subject                   Full subject of the captured certificate
Issuer                    Certificate issuing authority
Not Before                Start date of the certificate validity
Not After                 Expiration date of the certificate
Expiration Status         Length of time until the certificate expires
Public Key Algorithm      Type of public key algorithm that the certificate uses
Public Key Bit Size       Public key length of the certificate
Signature Algorithm       Type of signature algorithm that the certificate uses
Signature Hash Algorithm  Signature hashing algorithm strength of the certificate
Subject Alternative Name  Additional host names for the certificate
Common Name               Common name of the certificate
Is Wildcard               Boolean value that indicates whether the certificate common name includes a wildcard character (*)
SHA256 Thumbprint         String of 64 hexadecimal digits that identifies the specific certificate in a certificate store
SHA1 Thumbprint           String of 40 hexadecimal digits that identifies the specific certificate in a certificate store
MD5 Thumbprint            String of 32 hexadecimal digits that identifies the specific certificate in a certificate store
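As an added example that is not part of the Tanium documentation, the following Python script triages rows shaped like Certificate Details sensor output (for instance, a CSV export sent through Tanium Connect) into the conditions the dashboard panels surface: expired, expiring within 30 days, short keys, weak signature hashes, wildcard, and self-signed. The sample rows, the key-length and hash thresholds, the fixed reference time, and the subject-equals-issuer self-signed heuristic are assumptions for illustration, not values taken from the page.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like Certificate Details sensor output (a subset of
# the columns; every value is made up for illustration).
SAMPLE_ROWS = """\
Source,Location,Subject,Issuer,Not Before,Not After,Public Key Algorithm,Public Key Bit Size,Signature Hash Algorithm,Common Name
Listen ports,0.0.0.0:443,CN=*.example.test,CN=Example CA,2024-01-01,2026-01-01,RSA,2048,SHA256,*.example.test
File,/etc/ssl/certs/legacy.pem,CN=legacy.example.test,CN=Old CA,2015-01-01,2025-03-01,RSA,1024,SHA1,legacy.example.test
Windows Certificate Store,User Store,CN=svc.example.test,CN=svc.example.test,2025-05-01,2025-06-15,RSA,4096,SHA256,svc.example.test
"""

# Assumed policy thresholds (the page does not state them): keys below these
# sizes count as short, MD5/SHA1 signature hashes count as weak, and the
# expiry window matches the dashboard's 30-day panels.
MIN_KEY_BITS = {"RSA": 2048, "DSA": 2048, "EC": 256, "ECDSA": 256}
WEAK_HASHES = {"MD5", "SHA1"}
EXPIRY_WINDOW = timedelta(days=30)
# Fixed reference time so the sample is reproducible; use datetime.now(timezone.utc) in practice.
REFERENCE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)

def classify(row, now):
    """Return the list of findings for one sensor row (dict of column name -> value)."""
    not_after = datetime.strptime(row["Not After"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
    bits = int(row["Public Key Bit Size"])
    min_bits = MIN_KEY_BITS.get(row["Public Key Algorithm"].upper(), 0)
    findings = []
    if not_after < now:
        findings.append("expired")
    elif not_after - now <= EXPIRY_WINDOW:
        findings.append("expiring_30d")
    if bits < min_bits:
        findings.append("short_key")
    if row["Signature Hash Algorithm"].upper().replace("-", "") in WEAK_HASHES:
        findings.append("weak_signature_hash")
    if "*" in row["Common Name"]:          # same rule as the Is Wildcard column
        findings.append("wildcard")
    if row["Subject"] == row["Issuer"]:    # assumed self-signed heuristic
        findings.append("self_signed")
    return findings

def triage(csv_text, now):
    """Map each certificate Location to its list of findings."""
    return {row["Location"]: classify(row, now) for row in csv.DictReader(io.StringIO(csv_text))}

def triage_sample():
    return triage(SAMPLE_ROWS, REFERENCE_NOW)
```

Calling triage_sample() flags the listening-service certificate as wildcard, the /etc/ssl file certificate as expired with a short key and a weak hash, and the user-store certificate as expiring within 30 days and self-signed.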

Interoperability with other Tanium products

Certificate Manager works with Tanium Endpoint Configuration and Tanium Reporting to provide reporting of related data.

Endpoint Configuration

Enable approvals for endpoint configuration changes. For more information, see Tanium Endpoint Configuration User Guide.

Reporting

View the Certificate Manager dashboard and reports in Tanium Reporting. For more information, see Tanium Reporting User Guide: Reporting Overview.

You can also use the Tanium Reporting (Source Data) source in Tanium Connect to send Certificate Manager data to multiple destinations. For more information, see Email a report of expiring certificates with Tanium Connect.