Certificate Manager overview

With Tanium Certificate Manager, you can gain complete visibility into the digital certificates across your Windows, macOS, and Linux endpoints.

With weak encryption and expired certificates, endpoint communications are at risk of interception, and critical business services are at risk of outages. You can use Certificate Manager to find and alert on expired or expiring certificates and to gain visibility into certificate encryption strength.

Certificate Manager provides dashboards, reports, sensors, and packages that you can use to:

  • Find expired or expiring certificates
  • Identify weak cryptographic algorithms and key lengths
  • View self-signed and unauthorized CA certificates
  • Inventory TLS ciphers for listening services
  • Send reports with certificate details using Tanium™ Connect

Certificate Manager dashboard

The Certificate Manager dashboard in Tanium™ Reporting includes the Overview, Listening SSL/TLS Services Certificate and Cipher Inventory, and All Certificates sections, with the following chart panels:

  • Overview
    • Total Certificates Inventoried
    • Total Endpoints Inventoried
    • Total Service Certificates Inventoried
    • Total Root Certificates Inventoried
    • Certificate Manager Coverage
  • Listening SSL/TLS Services Certificate and Cipher Inventory
    • Listening Service Certificates Expiring in 30 Days
    • Listening Service Short Keys
    • Listening Service Signature Hash Algorithms
    • Listening Services with Wildcard Certificates
    • Listening Service Certificate Authorized CA Status
    • Certificate Expiration on Listening Services
    • Lowest Cipher Strength by Listening Service Port
    • Number of Ciphers by Listening Service Port
    • Cipher Inventory by Cipher Suite Strength
  • All Certificates
    • Expired Certificates
    • Wildcard Certificates
    • Weak Signature Hash Algorithms
    • Total Short Keys
    • Expiring within 30 Days
    • Certificate Expiration
    • Certificate Sources
    • Certificate Issuers

For more information, see View the Certificate Manager dashboard in Tanium Reporting.

Certificate Manager reports

The following Certificate Manager reports are available in Tanium Reporting:

  • Certificate Manager - Certificate Details
  • Certificate Manager - Certificates Expiring within 30 Days
  • Certificate Manager - Cipher Inventory
  • Certificate Manager - Cipher Suite Strength
  • Certificate Manager - Coverage Status Details
  • Certificate Manager - Expired Certificates
  • Certificate Manager - Listening Service Certificate Details
  • Certificate Manager - Listening Service Certificates Expiring within 30 Days
  • Certificate Manager - Listening Service Cipher Suite Strength
  • Certificate Manager - Listening Service Short Keys
  • Certificate Manager - Listening Service SSL Certificate Details
  • Certificate Manager - Listening Service Weak Signatures
  • Certificate Manager - Listening Service Wildcard Certificates
  • Certificate Manager - Minimum Cipher Suite Strength by Port
  • Certificate Manager - Root Certificate Details
  • Certificate Manager - Short Keys
  • Certificate Manager - SSL Certificate Details
  • Certificate Manager - Weak Signatures
  • Certificate Manager - Wildcard Certificates

For more information, see Managing certificates.

Certificate Manager packages

Certificate Manager provides the following packages that you can deploy to gather certificate data from your endpoints:

  • Certificate Audit [Non-Windows]
  • Certificate Audit [Windows]
  • Certificate Audit Add Port Exclusions [Non-Windows]
  • Certificate Audit Add Port Exclusions [Windows]
  • Certificate Audit Delete Port Exclusions [Non-Windows]
  • Certificate Audit Delete Port Exclusions [Windows]

For more information, see Deploying certificate audits.

Certificate sources

A certificate source is where Certificate Manager finds the certificates on the endpoint. The Certificate Sources chart panel in the Certificate Manager dashboard in Tanium Reporting shows the top 10 certificate locations.

The following table describes where and how Certificate Manager finds certificates on each of the supported OS platforms.

| Certificate discovery method | Platforms | Locations | Unique capabilities | Customization |
|---|---|---|---|---|
| Listen ports* | Windows, Linux, macOS | All ports except for 17472 | Quantum Computer Vulnerable Ciphers; Authorized Certificate Authority (CA); Cipher Strength; Owning Process | Certificate Audit Add Port Exclusions; Certificate Audit Delete Port Exclusions |
| File | Linux | /etc/pki/*, /etc/ssl/* | None | exceptions.csv in Certificate Audit packages |
| Windows Certificate Store | Windows | User Store for signed-in users | None | exceptions.csv in Certificate Audit packages |

* Only one certificate is audited for each port.

Certificate Details sensor

The Certificate Details sensor includes the following columns:

| Column name | Description |
|---|---|
| Source | Certificate sources of the certificate that is captured by the Certificate Audit action |
| Location | Specific location of the certificate within the certificate source |
| Subject | Full subject of the captured certificate |
| Issuer | Certificate issuing authority |
| Not Before | Start date of the certificate validity |
| Not After | Expiration date of the certificate |
| Expiration Status | Length of time until the certificate expires |
| Public Key Algorithm | Type of public key algorithm that the certificate uses |
| Public Key Bit Size | Public key length of the certificate |
| Signature Algorithm | Type of signature algorithm that the certificate uses |
| Signature Hash Algorithm | Signature hashing algorithm strength of the certificate |
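
The following Python example is added here for illustration and is not Tanium code or a documented export format. It shows how rows carrying the Certificate Details columns could be triaged into the categories the dashboard reports (expired, expiring within 30 days, short keys, weak signature hashes, self-signed, wildcard). The CSV layout, the ISO 8601 timestamps, the sample rows, and the key-length and hash thresholds are all assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Assumed policy thresholds (not taken from Tanium documentation).
MIN_KEY_BITS = {"RSA": 2048, "DSA": 2048, "EC": 224}
WEAK_HASHES = {"MD2", "MD5", "SHA1"}

# Constructed sample rows; headers reuse the sensor's column names, but the
# CSV layout and ISO 8601 timestamps are assumptions about an export.
SAMPLE = r"""Source,Location,Subject,Issuer,Not After,Public Key Algorithm,Public Key Bit Size,Signature Hash Algorithm
File,/etc/ssl/certs/web.pem,CN=web.example.test,CN=Example Test CA,2025-01-20T00:00:00Z,RSA,2048,SHA256
File,/etc/pki/tls/certs/legacy.pem,CN=legacy.example.test,CN=legacy.example.test,2024-06-01T00:00:00Z,RSA,1024,SHA1
Windows Certificate Store,CurrentUser\My,CN=*.example.test,CN=Example Test CA,2026-06-01T00:00:00Z,EC,256,SHA384
File,/etc/ssl/certs/ok.pem,CN=ok.example.test,CN=Example Test CA,2027-01-01T00:00:00Z,RSA,4096,SHA256
"""


def findings(row, now, window_days=30):
    """Return the list of issues for one certificate row."""
    issues = []
    not_after = datetime.fromisoformat(row["Not After"].replace("Z", "+00:00"))
    if not_after <= now:
        issues.append("expired")
    elif not_after - now <= timedelta(days=window_days):
        issues.append("expiring")
    # Unknown key algorithms have no minimum here and are never flagged as short.
    minimum = MIN_KEY_BITS.get(row["Public Key Algorithm"].upper(), 0)
    if int(row["Public Key Bit Size"]) < minimum:
        issues.append("short-key")
    if row["Signature Hash Algorithm"].upper().replace("-", "") in WEAK_HASHES:
        issues.append("weak-hash")
    if row["Subject"] == row["Issuer"]:
        issues.append("self-signed")
    if "CN=*." in row["Subject"]:
        issues.append("wildcard")
    return issues


def triage(csv_text, now):
    """Map each certificate Location to its findings."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["Location"]: findings(row, now) for row in reader}


if __name__ == "__main__":
    fixed_now = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed for repeatable output
    for location, issues in triage(SAMPLE, fixed_now).items():
        print(location, issues or ["ok"])
```
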

Integration with other Tanium products

Certificate Manager integrates with Tanium Reporting to provide reporting of related data.

Reporting

View Certificate Manager reports and dashboards in Tanium Reporting. For more information, see Tanium Reporting User Guide: Reporting Overview.

You can also use the Tanium Reporting (Source Data) source in Tanium Connect to send Certificate Manager data to multiple destinations. For more information, see Email a report of expiring certificates with Tanium Connect.