Managing the Certificate Inventory
Note: The CLM certificate inventory is updated periodically. If
you are looking for real-time updates, please refer to the documentation for CLM Insights.
The certificate inventory allows you to take inventory of, and proactively manage, all your certificates. It serves as a single source of truth for all the certificates in the organization. Every certificate action can be performed from the inventory.
- Takes inventory of all your digital certificates
- Keeps you informed of impending expirations
- Creates certificate tasks via workflows to renew expiring certificates
- Creates incidents for already expired certificates
- Prioritizes certificate importance
- Helps you proactively manage your certificates
- Helps you avoid manually tracking a large volume of certificates
- Prevents security breaches due to expired or expiring certificates
In the Certificate Inventory section, you can:
- enroll a certificate
- renew a certificate
- push to device
- reissue a certificate
- revoke a certificate
- regenerate a certificate
- reinstate a certificate
- run a revocation check
- upload a certificate
- download a certificate
Note: Hybrid End Certificates issued from PKI are added to the
Certificate Inventory with Status = Monitored by default. The following CLM
actions are not supported for Hybrid (Composite) End Certificates:
- Renew
- Revoke
- Suspend
- Reinstate
- Regenerate
- Re-enroll
Attempting any of these actions will display the error: "Selected action Not Supported for Hybrid Certificates."
Additionally, the status change from Monitored → Managed and device connector push/bind operations are disabled for Hybrid End Certificates.
In the CLM holistic view, composite CAs support only the Download Certificate action.
Compliance of Composite Certificates
Compliance checks are automatically skipped for Composite certificates. This applies to:
- Scheduled compliance evaluations
- Manually triggered compliance checks
- API-triggered compliance evaluations
Note: Why are compliance checks skipped?
Existing compliance policies are designed for classical and standalone PQC
algorithms. They do not yet support composite algorithm combinations, and evaluating
composite certificates against these policies would produce false non-compliance
results.
- The compliance status for Composite certificates is displayed as blank in the certificate inventory.
- Composite certificates are excluded from the Policy Compliance Report.
- Overall compliance metrics and crypto scores are not impacted by composite certificates.
Note: When a composite certificate is assigned to a
different certificate group (even one with a different compliance policy),
compliance evaluation remains skipped.
