I replaced an expired certificate with a new one. Will they both be listed? |
|
Just go to VM/VMDR > Assets > Certificates. We'll show you the certificates installed on the hosts in your environment through an easy to search inventory.
Certificates stored in Vulnerability Management are intended to be an inventory of all certificates found from QID 86002 and can be manually removed from the inventory if no longer active or relevant. Through a vulnerability report, using QID 86002, you can get only those certificates that are currently detected. To get an active list of all certificates, just run a CertView scan. Please contact your Technical Account Manager if you do not see CertView module enabled.
The New Data Security Model must be enabled for the subscription in order for you to see certificates for your hosts. A Manager can enable the New Data Security Model by going to Users > Setup > Security.
We’ll automatically find certificates on ports/services when you run full port scans. Enable the Additional Certificate Detection option in your option profile (along with authentication) to also find certificates in locations like Apache, Tomcat, Java KeyStore and Windows IIS. Note - You'll need to run new vulnerability scans after making changes to your option profile.
Choose Certificate Info from the Quick Actions menu for any certificate in the list. If found on a port, we'll show the port/service in the Hosts section. Otherwise, we'll show the location in the Certificate Details section. Tip - A certificate may be found on a port, on a location or both.
You may not see certificates for these reasons: 1) you haven't run any vulnerability scans using version 7.12 or later, 2) you did run scans but you did not include SSL certificate QIDs, 3) your scan results have not yet been processed, and 4) no certificates were found for your scanned hosts.
Use Heartbleed filters to find hosts affected by the Heartbleed bug. Select Heartbleed-All to see all affected hosts (active and fixed). Select Heartbleed-Active to see only hosts that are currently vulnerable. Learn more
We'll show you the number of hosts in your account that have been scanned for certificates and how many of those hosts have certificates. The number of hosts without certificates includes hosts that have not been scanned for certificates and hosts that have been scanned but certificates were not detected.
Yes. You can have different certificates on different ports/services. Each unique certificate on the host is listed once. Select Certificate Info from the Quick Actions menu to see details about where each certificate was found.
Yes. You can filter the list to only show certificates for hosts with certain asset tags or hosts in a particular asset group. Make your selections from the options provided at the top-right corner of the Certificates dashboard. I don't see the Select Asset Tags filter
Yes. The same certificate could be found on different hosts or on different ports/locations on the same host. When found on different hosts, the certificate will be listed once for each host that has it. When found multiple times on the same host, each instance of the certificate will be listed.
Yes, both certificates will be listed because the new certificate will have a different fingerprint than the expired one. You can ignore the expired certificate by selecting Ignore from the Quick Actions menu. Please note that the certificate will be ignored for all hosts that have it.
Identify the certificate you want to delete and select Delete from the Quick Actions menu. The certificate will be deleted from all hosts that have it.
Note that we will only delete a certificate from the inventory for you in the case where you run an authoritative scan (you enable this option in the option profile) and the certificate which was previously found is no longer found.
If the same certificate is found in a subsequent scan, it will be added back to the inventory.
For each certificate you'll see one of these status values in the preview pane details: 1) Valid, 2) Invalid (Source is unknown), or 3) Invalid (Certificate expired).
When the SSL Labs Grade feature is enabled for your subscription, you’ll see a grade (A+, A, A-, B, C, D, E, F, T, M, NA) for each certificate on your certificates list. Grades are updated automatically each time new vulnerability scan results are processed for your hosts.
How to update the grade without a new scan
Qualys SSL Labs is a collection of documents, tools and thoughts related to SSL. It's an attempt to better understand how SSL is deployed, and an attempt to make it better. We invite you to visit Qualys SSL Labs where you can learn more about the technology that protects the Internet. The latest best practices document provides clear instructions to help you spend the minimum time possible to deploy secure web sites or web applications.