Just go to VM/VMDR > Assets > Certificates. We'll show you the certificates installed on the hosts in your environment through an easy to search inventory.
Certificates stored in Vulnerability Management are intended to be an inventory of all certificates found from QID 86002 and can be manually removed from the inventory if no longer active or relevant. Through a vulnerability report, using QID 86002, you can get only those certificates that are currently detected. To get an active list of all certificates, just run a CertView scan. Please contact your Technical Account Manager if you do not see CertView module enabled.
The New Data Security Model must be enabled for the subscription in order for you to see certificates for your hosts. A Manager can enable the New Data Security Model by going to Users > Setup > Security.
We’ll automatically find certificates on ports/services when you run full port scans. Enable the Additional Certificate Detection option in your option profile (along with authentication) to also find certificates in locations like Apache, Tomcat, Java KeyStore and Windows IIS. Note - You'll need to run new vulnerability scans after making changes to your option profile.
Choose Certificate Info from the Quick Actions menu for any certificate in the list. If found on a port, we'll show the port/service in the Hosts section. Otherwise, we'll show the location in the Certificate Details section. Tip - A certificate may be found on a port, on a location or both.
You may not see certificates for these reasons: 1) you haven't run any vulnerability scans using version 7.12 or later, 2) you did run scans but you did not include SSL certificate QIDs, 3) your scan results have not yet been processed, and 4) no certificates were found for your scanned hosts.
Use Heartbleed filters to find hosts affected by the Heartbleed bug. Select Heartbleed-All to see all affected hosts (active and fixed). Select Heartbleed-Active to see only hosts that are currently vulnerable. Learn more
We'll show you the number of hosts in your account that have been scanned for certificates and how many of those hosts have certificates. The number of hosts without certificates includes hosts that have not been scanned for certificates and hosts that have been scanned but certificates were not detected.
Yes. You can have different certificates on different ports/services. Each unique certificate on the host is listed once. Select Certificate Info from the Quick Actions menu to see details about where each certificate was found.
Yes. You can filter the list to only show certificates for hosts with certain asset tags or hosts in a particular asset group. Make your selections from the options provided at the top-right corner of the Certificates dashboard. I don't see the Select Asset Tags filter
This means Asset Tagging is not enabled for your account. Please contact your account manager or support to get this feature enabled.
Yes. The same certificate could be found on different hosts or on different ports/locations on the same host. When found on different hosts, the certificate will be listed once for each host that has it. When found multiple times on the same host, each instance of the certificate will be listed.
Yes, both certificates will be listed because the new certificate will have a different fingerprint than the expired one. You can ignore the expired certificate by selecting Ignore from the Quick Actions menu. Please note that the certificate will be ignored for all hosts that have it.
Identify the certificate you want to delete and select Delete from the Quick Actions menu. The certificate will be deleted from all hosts that have it.
Note that we will only delete a certificate from the inventory for you in the case where you run an authoritative scan (you enable this option in the option profile) and the certificate which was previously found is no longer found.
If the same certificate is found in a subsequent scan, it will be added back to the inventory.
For each certificate you'll see one of these status values in the preview pane details: 1) Valid, 2) Invalid (Source is unknown), or 3) Invalid (Certificate expired).
When the SSL Labs Grade feature is enabled for your subscription, you’ll see a grade (A+, A, A-, B, C, D, E, F, T, M, NA) for each certificate on your certificates list. Grades are updated automatically each time new vulnerability scan results are processed for your hosts.
Not seeing a grade?
Be sure to run new vulnerability scans on your hosts in order for grades to be calculated. Your scans must be run using version 8.5 or later. Also, make sure the Grade column is shown by selecting it from the Tools menu above the list.
How are grades calculated?
We first look at the certificate to verify that it is valid and trusted. Then we inspect SSL configuration in three categories: 1) Protocol Support, 2) Key Exchange and 3) Cipher Strength. Each category is given a score and we combine these scores for an overall score of 0-100. (A zero in any category results in an overall score of zero.) The overall numerical score is translated into a letter grade (A-F) using a look-up table. Your A grade will be upgraded to A+ for exceptional configurations, and downgraded to A- when there are one or more warnings. Other grades you might see: T (certificate is not trusted), M (certificate name mismatch), and NA (not applicable, SSL server information not retrieved).
Want to learn more? Check out the SSL Server Rating Guide here: https://www.ssllabs.com/projects/rating-guide/index.html
How to update the grade without a new scan
Choose Certificate Info from the Quick Actions menu and then go to the Hosts tab. The grade is automatically calculated based on the most recent host scan data. Tip - You can also do this from Host Information. Click on the host's IP address in your certificates list and go to the Certificates tab to get a grade for each certificate on the host.
Click on the grade to view the SSL Grade Summary page with certificate information, plus the score and details for each category: 1) Protocol Support, 2) Key Exchange and 3) Cipher Strength. The Certificate score is either 0 (not trusted) or 100 (trusted). Note - The Certificate score is not used when calculating the overall grade.
How do I get this feature?
Please contact your Technical Account Manager or Support to have the SSL Labs Grade feature enabled for your subscription.
Qualys SSL Labs is a collection of documents, tools and thoughts related to SSL. It's an attempt to better understand how SSL is deployed, and an attempt to make it better. We invite you to visit Qualys SSL Labs where you can learn more about the technology that protects the Internet. The latest best practices document provides clear instructions to help you spend the minimum time possible to deploy secure web sites or web applications.