Certificate Manager overview
With Tanium Certificate Manager, you can gain complete visibility into the digital certificates across your Windows, macOS, and Linux endpoints.
With weak encryption and expired certificates, endpoint communications are at risk of interception and critical business service outages. You can use Certificate Manager to find and alert on expired or expiring certificates and to gain visibility into certificate encryption strength.
Certificate Manager provides dashboards, reports, sensors, and packages that you can use to:
- Find expired or expiring certificates
- Identify weak cryptographic algorithms and key lengths
- View self-signed and unauthorized CA certificates
- Inventory TLS ciphers for listening services
- Send reports with certificate details using Tanium™ Connect
Certificate Manager dashboard
The Certificate Manager dashboard in Tanium™ Reporting includes the Overview, Listening SSL/TLS Services Certificate and Cipher Inventory, and All Certificates sections, with the following chart panels:
- Overview
  - Total Certificates Inventoried
  - Total Endpoints Inventoried
  - Total Service Certificates Inventoried
  - Total Root Certificates Inventoried
  - Certificate Manager Coverage
- Listening SSL/TLS Services Certificate and Cipher Inventory
  - Listening Service Certificates Expiring in 30 Days
  - Listening Service Short Keys
  - Listening Service Signature Hash Algorithms
  - Listening Services with Wildcard Certificates
  - Listening Service Certificate Authorized CA Status
  - Certificate Expiration on Listening Services
  - Lowest Cipher Strength by Listening Service Port
  - Number of Ciphers by Listening Service Port
  - Cipher Inventory by Cipher Suite Strength
- All Certificates
  - Expired Certificates
  - Wildcard Certificates
  - Weak Signature Hash Algorithms
  - Total Short Keys
  - Expiring within 30 Days
  - Certificate Expiration
  - Certificate Sources
  - Certificate Issuers
For more information, see View the Certificate Manager dashboard in Tanium Reporting.
Certificate Manager reports
The following Certificate Manager reports are available in Tanium Reporting:
- Certificate Manager - Certificate Details
- Certificate Manager - Certificates Expiring within 30 Days
- Certificate Manager - Cipher Inventory
- Certificate Manager - Cipher Suite Strength
- Certificate Manager - Coverage Status Details
- Certificate Manager - Expired Certificates
- Certificate Manager - Listening Service Certificate Details
- Certificate Manager - Listening Service Certificates Expiring within 30 Days
- Certificate Manager - Listening Service Cipher Suite Strength
- Certificate Manager - Listening Service Short Keys
- Certificate Manager - Listening Service SSL Certificate Details
- Certificate Manager - Listening Service Weak Signatures
- Certificate Manager - Listening Service Wildcard Certificates
- Certificate Manager - Minimum Cipher Suite Strength by Port
- Certificate Manager - Root Certificate Details
- Certificate Manager - Short Keys
- Certificate Manager - SSL Certificate Details
- Certificate Manager - Weak Signatures
- Certificate Manager - Wildcard Certificates
For more information, see Managing certificates.
Certificate Manager packages
Certificate Manager provides the following packages that you can deploy to gather certificate data from your endpoints:
- Certificate Audit [Non-Windows]
- Certificate Audit [Windows]
- Certificate Audit Add Port Exclusions [Non-Windows]
- Certificate Audit Add Port Exclusions [Windows]
- Certificate Audit Delete Port Exclusions [Non-Windows]
- Certificate Audit Delete Port Exclusions [Windows]
For more information, see Deploying certificate audits.
Certificate sources
A certificate source is where Certificate Manager finds the certificates on the endpoint. The Certificate Sources chart panel in the Certificate Manager dashboard in Tanium Reporting shows the top 10 certificate locations.
The following table describes where and how Certificate Manager finds certificates on each of the supported OS platforms.
Certificate discovery method | Platforms | Locations | Unique capabilities | Customization |
---|---|---|---|---|
Listen ports* | | All ports except for 17472 | | |
File | Linux | | None | exceptions.csv in Certificate Audit packages |
Windows Certificate Store | Windows | User Store for signed-in users | None | exceptions.csv in Certificate Audit packages |

* Only one certificate is audited for each port.
Certificate Details sensor
The Certificate Details sensor includes the following columns:
Column name | Description |
---|---|
Source | Certificate source of the certificate that is captured by the Certificate Audit action |
Location | Specific location of the certificate within the certificate source |
Subject | Full subject of the captured certificate |
Issuer | Certificate issuing authority |
Not Before | Start date of the certificate validity |
Not After | Expiration date of the certificate |
Expiration Status | Length of time until the certificate expires |
Public Key Algorithm | Type of public key algorithm that the certificate uses |
Public Key Bit Size | Public key length of the certificate |
Signature Algorithm | Type of signature algorithm that the certificate uses |
Signature Hash Algorithm | Signature hashing algorithm strength of the certificate |
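The categories shown in the dashboard panels (expired, expiring within 30 days, short keys, weak signature hashes, wildcard, self-signed) can be reproduced over exported Certificate Details rows. The following is an added example, not Tanium code; the CSV layout, date format, thresholds, and sample rows are assumptions made for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample rows using the Certificate Details column names; the CSV
# layout, the ISO date format and every value here are assumptions.
SAMPLE = """Source,Location,Subject,Issuer,Not Before,Not After,Public Key Algorithm,Public Key Bit Size,Signature Hash Algorithm
Listen ports,443,CN=*.example.test,CN=Example Issuing CA,2023-01-01,2023-04-01,RSA,2048,SHA256
File,/etc/ssl/old.pem,CN=legacy.example.test,CN=legacy.example.test,2015-01-01,2020-01-01,RSA,1024,SHA1
Windows Certificate Store,User Store,CN=app.example.test,CN=Example Issuing CA,2023-01-01,2025-01-01,ECDSA,256,SHA256
"""

# Assumed thresholds; the page does not define "short" keys or "weak" hashes.
MIN_KEY_BITS = {"RSA": 2048, "DSA": 2048, "ECDSA": 256}
WEAK_HASHES = {"MD2", "MD5", "SHA1"}
EXPIRY_WINDOW = timedelta(days=30)


def findings(row, now):
    """Return the dashboard-style categories that one sensor row falls into."""
    flags = []
    not_after = datetime.strptime(row["Not After"], "%Y-%m-%d")
    if not_after < now:
        flags.append("expired")
    elif not_after - now <= EXPIRY_WINDOW:
        flags.append("expiring-30d")
    algo = row["Public Key Algorithm"].upper()
    # Algorithms missing from MIN_KEY_BITS are not flagged (minimum of 0).
    if int(row["Public Key Bit Size"]) < MIN_KEY_BITS.get(algo, 0):
        flags.append("short-key")
    if row["Signature Hash Algorithm"].upper().replace("-", "") in WEAK_HASHES:
        flags.append("weak-hash")
    if "CN=*." in row["Subject"]:
        flags.append("wildcard")
    if row["Subject"] == row["Issuer"]:  # heuristic: subject equals issuer
        flags.append("self-signed")
    return flags


def triage(text, now):
    """Return {(Source, Location): [flags]} for rows with at least one finding."""
    report = {}
    for row in csv.DictReader(io.StringIO(text)):
        flags = findings(row, now)
        if flags:
            report[(row["Source"], row["Location"])] = flags
    return report

if __name__ == "__main__":
    print(triage(SAMPLE, datetime(2023, 3, 14)))
```

Passing `now` explicitly keeps the 30-day window reproducible when re-running the triage against an older export.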
Integration with other Tanium products
Certificate Manager integrates with Tanium Reporting to provide reporting of related data.
Reporting
View Certificate Manager reports and dashboards in Tanium Reporting. For more information, see Tanium Reporting User Guide: Reporting Overview.
You can also use the Tanium Reporting (Source Data) source in Tanium Connect to send Certificate Manager data to multiple destinations. For more information, see Email a report of expiring certificates with Tanium Connect.
Last updated: 3/14/2023 1:24 PM