Certificate Reports

Once the certificates are discovered and managed/monitored in AppViewX, those certificates can be viewed as the reports in dashboards. For some of the reports, email notifications can be enabled as well provided with the other functionality as downloading the report/data.
Note: Default reports will contain data only if there is at least one relevant certificate present for that report in the inventory. Otherwise, it displays pop-up message as No Records Found.

SMTP Configuration

To get the certificate reports sent as a mail, we will have to first configure SMTP

  1. Log in to the AppViewX application with valid credentials.
  2. Click on the menu button.
    The left navigation pane is displayed.
  3. Click Settings.
    The Settings page is displayed.
  4. Expand the General menu and then click SMTP.
  5. Refer to the fields in the table below to update the information on the SMTP page.
Table 1. SMTP Page - Field Description Table
Name Type Description Error Message
* SMTP host Text The server that will send the email. Enter valid Hostname/ IP address <x.x.x.x>.
* SMTP port Text Port to connect to the email server.
  • Port can contain only numbers.
  • Enter a port number between 0-65535.
* From address Text Mail address from which mail is to be received by the user.
  • Please enter a valid email.
Enable SSL Toggle button To enable/disable SSL while sending mail. NA
Email box Toggle button Enabling this setting will use IMAP for the mailbox. NA
* Email Text Email for IMAP.

Mandatory if Email box is enabled.
  • Please enter a valid email.
Password Text Password for IMAP.

Mandatory if Email box is enabled.

 This field is mandatory.
* Hostname Text The hostname for IMAP.

Mandatory if Email box is enabled.
  • Enter valid Hostname/ IP address <x.x.x.x>.
Authentication required Toggle button To enable/disable Authentication required. NA
* Username Text The username if authentication required.

Mandatory if Authentication required is selected as true.

 NA
* Password Text Mandatory if Authentication required is selected as true. NA
* Send email to Text Test email to check if able to send mail after configuring the above settings.

Mandatory if you want to test.

 Enter a valid email.
Note: The asterisk (*) symbol indicates a mandatory field.

Troubleshooting SMTP

Error Message Possible Cause Possible Solution
Please provide a valid value. Anyone of the mandatory fields is invalid or is missing. Provide valid values for all mandatory fields.
E-Mail sending was unsuccessful.
  • If trying to test, no/valid email is not provided in the ‘send email to’ field.
  • Credentials and field values may be incorrect.
  • If trying to test, provide a valid email in the ‘send email to’ field.
  • All the credentials and fields should be correct.
Service unavailable. Try after some time. avx_subsystems or avx_platform_gateway is not running. Restart the plugin.

Fetch All Default Reports

All Reports will be present separately for each certificate category. To view Reports for certain certificate categories, follow the steps given below.
  1. Go to (Menu) > CERT+ > CERTIFICATE INVENTORY > Server or Client or Code Signing Certificate.
  2. In the top right corner, click Reports tab.
    The respective report page is displayed.

Working with the Job Scheduler

Report Routing

This functionality is applicable only to the following reports:
  • Validation report
  • Vulnerability report
  • CAA report
  1. Go to (Menu) > CERT+ > ADMINISTRATION > Report Settings > Routing or Code Signing.
    The Report Routing page is displayed.
  2. Enter the following fields:
    Table 2. Revocation Routing Page - Fields Description
    Fields Description
    General Information
    Default Data Center This is the default data center through which all validation requests are routed.
    Custom Settings
    URL Type the URL of the certificate for which you want to perform the revocation check.
    Data Center Select the data center of the URL from the dropdown list. Selecting this value will overwrite the default data center.
    Note: The asterisk (*) symbol indicates a mandatory field.
  3. Click Add.
    The table is refreshed with a row entry of the newly added URL and the data center.
  4. Click Save.
    • A message that certificate report settings routing is saved successfully is displayed.
    • On saving, any report validation such as validation checks or CAA record check is routed through the data center configured on this page.
    Note: To perform a bulk operation on certificate URLs, you can specify a wild card character with their domain name, for example, if you want to specify a data center to all the AppViewX certificates at one go, then use wild card character as in *.appviewx.com and select the data center from the dropdown list.
  5. Click Add.
  6. To edit the certificates, then use the Edit option.

Validation Settings

This is an extended feature of Report Routing.
  1. Go to (Menu) > CERT+ > CERTIFICATE INVENTORY > Server or Client or Code Signing.
  2. Click the Common Name link to view the certificate in the holistic view.
  3. Hover the mouse over the (More) icon of the application connector and click Edit.

    The Edit Application Connector page is displayed.

  4. Select Custom option.
  5. In the Validation Settings section, select the data center from the dropdown list.
    This ensures that for any validation check, this is treated as high priority.

Revocation Check Routing

This functionality is applicable to:
  • Revocation check job
  • On demand revocation check
  1. Go to (Menu) > CERT+ > ADMINISTRATION > Revocation Check > Routing .
    The Revocation Routing page is displayed.
  2. Enter the following fields:
    Table 3. Revocation Routing Page - Fields Description
    Fields Description
    General Information
    *Default Data Center This is the default data center through which all validation requests are routed.
    Custom Settings
    *URL Specify the URL for which you want to run the revocation check job or the on-demand revocation check by selecting the certificate from the holistic view.

    To run the revocation check job, copy and paste the URL from the CRL distribution points field of the Certificate details window.

    To run the on demand revocation check, copy and paste the URL with ocsp extension from the Authority information access field of the Certificate details window.

    Note: For on demand revocation checks, if you have configured two URLs with .crl and .ocsp extensions and for any reason the job fails on .ocsp, then the revocation check is triggered on the URL with .crl extension.

    If the job is successful and the certificate is revoked, then the certificate is displayed on the Certificate Inventory page with a black icon against it.

    If the job failed, then go to Administration > Logging > Certificate and check the log message.

    *Data Center Select the data center of the URL from the dropdown list. Selecting this value will overwrite the default data center.
    Note: The asterisk (*) symbol indicates a mandatory field.
  3. Click Add.
    The table is refreshed with the added URL and the data center.
  4. Click Save.
    • A message that certificate revocation check routing is saved successfully is displayed.
    • The table is refreshed with a row entry of the newly added URL and the data center.

Securing CERT+

CERT+ Certificate Lifecycle Management (CLM) offers capabilities to discover and manage certificates on devices and self-service certificate enrollment for users. CERT+ also acts as a Key Escrow for keys discovered and enrolled.

Typically, the private keys are stored by the devices handling SSL termination, and an SSL management tool retrieves them during certificate renewal. The tools and devices store them in their storage in the original format, which can be reused. If there is an attack on the device or tool storage, the private keys will be given away, which can be used to host an array of attacks.

AppViewX stores the private keys discovered in a secure part of the database, which is encrypted using the AES-256 algorithm. It encrypts each private key with independent keys and stores the encrypted independent keys in the database with a randomly generated key.

Thus, even if the hackers get the database, they will not be able to get the private keys. Only a maze of jumbled up characters will be visible to them, which does not make any sense and hence, rendering the attack useless.