Certificate Management

Feature Documentation – v6.0.0 – Open-AudIT Enterprise

1. Overview

Certificate Management is an Enterprise feature introduced in Open-AudIT v6.0.0. It gives network administrators and security teams a centralised, auditable view of every SSL/TLS certificate discovered across their managed estate.

By combining Open-AudIT's existing device audit capabilities with certificate-specific tracking fields and scheduled reporting, the feature enables organisations to:

  • Identify all certificates in use across Windows and Linux endpoints.

  • Flag certificates for active management, assigning ownership and renewal responsibility.

  • Detect certificates approaching expiry before they cause outages or compliance failures.

  • Produce regular reports for security reviews and audit purposes.

Note: Certificate Management requires an Open-AudIT Enterprise licence. It is not available in the Community edition.

2. How It Works

Open-AudIT discovers certificates as part of its standard device auditing process. No separate scanning agent or additional configuration is required beyond a normal discovery. When a Windows or Linux device is audited, the audit script collects certificate data from the local certificate stores (Windows) or from common file system locations and running services (Linux).

Once device data is processed, Open-AudIT extracts the certificate records and stores them as a distinct component type, separate from software, hardware, and other device components. These certificate records are then accessible through the Certificate Management interface.

At a high level, the data flow is:

  • A scheduled or manual discovery targets a device.

  • The audit script runs on the target and collects certificate information.

  • Results are returned to the Open-AudIT server and processed.

  • Certificate records are created or updated in the database.

  • Administrators view, annotate, and report on the certificates via the GUI.

3. Accessing Certificate Management

Certificate Management is accessed through the Open-AudIT web interface. The primary navigation path is:

Menu → Manage → Certificates → List Certificates

From the List Certificates page, administrators can:

  • View all certificates discovered across the estate.

  • Filter and search by hostname, expiry date, issuer, or managed status.

  • Open an individual certificate record to view full details and update management fields.

  • Export certificate data for offline reporting.

4. Certificate Record Fields

Each certificate record in Open-AudIT contains a combination of automatically discovered fields and user-defined management fields. The table below describes all fields:

Field                      | Description                                                                     | Source
-------------------------- | ------------------------------------------------------------------------------- | ------------
Common Name (CN)           | The primary domain name the certificate is issued for (e.g. oa.example.com).    | Discovery
Subject Alternative Names  | Additional hostnames or IPs covered by the certificate.                         | Discovery
Issuer                     | The Certificate Authority (CA) that signed the certificate.                     | Discovery
Valid From                 | The date and time the certificate becomes valid.                                | Discovery
Valid To / Expiry          | The date and time the certificate expires. Used for expiry alerting.            | Discovery
Serial Number              | Unique identifier assigned by the CA.                                           | Discovery
Thumbprint / Fingerprint   | SHA-1 or SHA-256 hash of the certificate, used as a unique reference.           | Discovery
Key Length                 | The bit length of the public key (e.g. 2048, 4096).                             | Discovery
Signature Algorithm        | The algorithm used to sign the certificate (e.g. SHA256withRSA).                | Discovery
Store / Location           | The Windows certificate store or file path where the certificate resides.       | Discovery
Owner / Responsible Party  | Person or team responsible for renewal and management.                          | User-defined
Auto-Renew                 | Whether the certificate renews automatically (e.g. via Let's Encrypt or ACME).  | User-defined
Notes                      | Free-text notes for tracking context, vendors, or renewal instructions.         | User-defined
Managed                    | Flag to indicate the certificate is being actively tracked in Open-AudIT.       | User-defined

Note: Discovery fields are populated automatically during the audit and cannot be edited. User-defined fields are editable from the certificate detail view.

5. Marking a Certificate as Managed

Not every discovered certificate needs active management. The Managed flag allows administrators to distinguish between certificates that are being actively tracked (e.g. public-facing TLS certificates) and those that are incidental or internal (e.g. self-signed development certificates).

To mark a certificate as managed:

  • Open the certificate record from List Certificates.

  • Click the Edit button.

  • Set the Managed field to Yes.

  • Assign an Owner / Responsible Party.

  • Set the Auto-Renew flag as appropriate.

  • Add any relevant Notes (e.g. vendor contact, renewal procedure).

  • Click Save.

Once marked as managed, the certificate will appear in management-specific queries and reports and will be included in expiry reporting.

6. End-to-End Management Workflow

The following table describes the recommended end-to-end workflow for managing certificates in Open-AudIT:

# | Step                  | Detail
- | --------------------- | ------------------------------------------------------------------------------------------------------------
1 | Run a Discovery       | Configure and run an Open-AudIT discovery against your network or a specific host. The audit script will retrieve certificates from the target device.
2 | Review Certificates   | Navigate to Manage → Certificates → List Certificates to see all certificates discovered across your estate.
3 | Mark as Managed       | Open a certificate record and enable the Managed flag. This adds it to active tracking and makes it visible in management reports.
4 | Set Ownership         | Assign an owner or responsible party to the certificate record so it is clear who handles renewal.
5 | Configure Auto-Renew  | Note whether the certificate uses automatic renewal (e.g. Let's Encrypt / ACME). Manually renewed certificates require closer attention.
6 | Schedule Reports      | Create a scheduled report or query filtered to certificates expiring within a defined window (e.g. 45 days). Run at the start of each month or on a defined schedule.
7 | Act on Expiry Alerts  | Review the report output. Renew or escalate certificates that are approaching expiry and are not set to auto-renew.

7. Expiry Reporting

Proactive expiry management is the primary value of the Certificate Management feature. Open-AudIT's query and report engine can be used to create a recurring certificate expiry report with minimal configuration.

Recommended Approach

The suggested approach, as described in the Open-AudIT v6.0.0 release notes, is to produce a monthly report listing all managed certificates that will expire within the next 45 days. This provides sufficient lead time for manual renewal while avoiding noise from certificates with a comfortable remaining life.

The report should include, at minimum:

  • Certificate Common Name (CN)

  • Hostname / Device the certificate resides on

  • Expiry date (Valid To)

  • Owner / Responsible Party

  • Auto-Renew status

  • Number of days until expiry

Scheduling the Report

To schedule an automatic monthly expiry report in Open-AudIT:

  • Navigate to Menu → Report → Create Report.

  • Build a query against the certificates collection, filtered to Managed = Yes and Valid To within the next 45 days.

  • Save and schedule the report to run on the first day of each month.

  • Configure email delivery to the relevant certificate owners or a distribution list.

Note: Adjust the expiry window (e.g. 30 days, 60 days) to match your organisation's renewal lead times. Public CA certificates may require longer lead times than internally issued certificates.
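The filter behind the monthly report described in the workflow above (Managed = Yes, Valid To within the window, most urgent first), as an added Python example rather than Open-AudIT's own report engine or schema. The records are constructed in the shape of the section 4 fields; the key names (cn, host, valid_to, owner, auto_renew, managed) and the sample values are assumptions.

```python
from datetime import date, datetime

# Constructed sample records in the shape of the fields in section 4. The key
# names are assumptions for this example, not Open-AudIT's schema or export format.
SAMPLE_CERTIFICATES = [
    {"cn": "oa.example.com", "host": "web01", "valid_to": "2025-02-10",
     "owner": "J. Smith", "auto_renew": False, "managed": True},
    {"cn": "api.example.com", "host": "web02", "valid_to": "2025-01-20",
     "owner": "Platform Team", "auto_renew": True, "managed": True},
    {"cn": "dev-selfsigned", "host": "build01", "valid_to": "2025-01-05",
     "owner": "", "auto_renew": False, "managed": False},
    {"cn": "vpn.example.com", "host": "fw01", "valid_to": "2024-12-28",
     "owner": "", "auto_renew": False, "managed": True},
    {"cn": "intranet.example.com", "host": "web03", "valid_to": "2025-06-30",
     "owner": "J. Smith", "auto_renew": False, "managed": True},
]
REPORT_DATE = date(2025, 1, 1)  # the "first day of the month" run, fixed for reproducibility


def expiry_report(records, today, window_days=45):
    """Managed certificates whose Valid To falls within window_days of today.

    Unmanaged records are skipped (the Managed = Yes filter). Already-expired
    certificates are kept with a negative days_left: they need action most urgently.
    """
    rows = []
    for rec in records:
        if not rec["managed"]:
            continue
        valid_to = datetime.strptime(rec["valid_to"], "%Y-%m-%d").date()
        days_left = (valid_to - today).days
        if days_left > window_days:
            continue
        if days_left < 0:
            action = "EXPIRED: renew immediately"
        elif rec["auto_renew"]:
            action = "auto-renew pending: verify it completes"
        else:
            action = "manual renewal required"
        rows.append({"cn": rec["cn"], "host": rec["host"], "valid_to": rec["valid_to"],
                     "owner": rec["owner"] or "UNASSIGNED",  # a managed cert with no owner is itself a finding
                     "auto_renew": rec["auto_renew"], "days_left": days_left, "action": action})
    return sorted(rows, key=lambda r: r["days_left"])  # most urgent first


if __name__ == "__main__":
    for row in expiry_report(SAMPLE_CERTIFICATES, REPORT_DATE):
        print(f'{row["days_left"]:>4}d  {row["cn"]:<22} {row["host"]:<8} {row["owner"]:<14} {row["action"]}')
```

Change window_days to match the renewal lead times in the note above; the expired and unassigned-owner cases are surfaced regardless of the window.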

8. Integration with Discovery

Certificate data is refreshed each time a device is audited. Open-AudIT will update existing certificate records if the certificate has changed (e.g. renewed) and will add new records for certificates not previously seen. Certificates that are no longer present on a device will be flagged as removed.

In Open-AudIT v6.0.0, Windows device auditing has moved from VBScript to PowerShell. This change improves the breadth and reliability of data retrieval, including certificate information. The PowerShell audit script retrieves certificates from the Windows certificate stores (e.g. LocalMachine\My, LocalMachine\Root, LocalMachine\CA) with the same coverage as the previous VBScript-based approach.

For Linux devices, certificates are collected from common system locations and from services that expose them (such as web servers). SSH credentials with appropriate permissions are required for full certificate discovery on Linux targets.

Note: To ensure certificate data stays current, schedule regular discoveries against all managed hosts. A weekly or daily discovery cadence is recommended for hosts with certificates approaching expiry.

9. Access Control and Permissions

Certificate Management respects Open-AudIT's existing Role-Based Access Control (RBAC) model. Access to certificate records is governed by the same Organisation and Role assignments used for all other Open-AudIT resources.

  • Users with the Administrator role have full read and write access to all certificate records.

  • Users with the Security role (where configured) may be granted read access to certificate records for audit purposes.

  • Standard users can view certificates within their assigned Organisations, subject to their Role permissions.

  • Editing user-defined management fields (Owner, Auto-Renew, Notes, Managed flag) requires write permission to the certificate resource.

Consult your Open-AudIT administrator if you require access to certificate records and do not currently have it.

10. Audit Logging

Open-AudIT v6.0.0 introduces CEF (Common Event Format) syslog integration. Certificate-related changes can contribute to the component event log stream, which captures additions and removals of device components — including certificates.

To enable component logging to syslog in CEF format, set the following configuration option:

feature_syslog_components = y

When enabled, each time a certificate component is added to or removed from a device record, Open-AudIT will write a CEF-formatted entry to the system syslog. These entries can be ingested by SIEM platforms such as Splunk for centralised security monitoring.
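One way a SIEM pipeline could pick certificate additions and removals out of the component syslog stream, as an added Python example (not Open-AudIT's own code). The sample lines are constructed; the vendor string, signature ids and extension keys (dhost, cat, act, cs1/cs1Label, cs2, msg) are assumptions, not the CEF layout documented in the Open-AudIT release notes.

```python
import re

# Constructed sample syslog lines in CEF shape. The vendor string, signature ids and
# extension keys (dhost, cat, act, cs1/cs1Label, cs2, msg) are assumptions for this
# example, not the layout documented in the Open-AudIT v6.0.0 release notes.
SAMPLE_SYSLOG = [
    r"Jan  5 02:10:44 oa-server open-audit: CEF:0|ExampleVendor|Open-AudIT|6.0.0|component_add|Component added|3|dhost=web01 cat=certificate act=add cs1Label=Common Name cs1=oa.example.com cs2Label=Valid To cs2=2025-02-10",
    r"Jan  5 02:10:45 oa-server open-audit: CEF:0|ExampleVendor|Open-AudIT|6.0.0|component_remove|Component removed|5|dhost=web01 cat=certificate act=remove cs1Label=Common Name cs1=old.example.com msg=Store\=LocalMachine\\My",
    r"Jan  5 02:10:46 oa-server open-audit: CEF:0|ExampleVendor|Open-AudIT|6.0.0|component_add|Component added|3|dhost=web01 cat=software act=add cs1Label=Name cs1=nginx",
    r"Jan  5 02:11:00 oa-server sshd[412]: Accepted publickey for audit from 10.0.0.9",
]
CEF_HEADER = ("cef_version", "vendor", "product", "version", "signature_id", "name", "severity")


def parse_cef(line):
    """Parse the CEF record in one syslog line; None if the line carries none."""
    start = line.find("CEF:")
    if start < 0:
        return None
    # Seven '|'-separated header fields, then the extension. A literal '|' in a
    # header field is escaped as '\|', so split only on unescaped pipes.
    parts = re.split(r"(?<!\\)\|", line[start + 4:], maxsplit=7)
    if len(parts) != 8:
        return None
    event = {k: v.replace(r"\|", "|") for k, v in zip(CEF_HEADER, parts[:7])}
    event["severity"] = int(event["severity"])
    # Extension is key=value pairs; values may contain spaces, and '=' / '\'
    # inside a value are escaped as '\=' / '\\'. The lookahead finds the next key.
    ext = re.findall(r"(\w+)=((?:\\.|[^\\=])*?)(?=\s+\w+=|\s*$)", parts[7])
    event["extension"] = {k: re.sub(r"\\(.)", r"\1", v) for k, v in ext}
    return event


def certificate_events(lines):
    """Certificate component additions/removals, ready for a SIEM rule or review queue."""
    found = []
    for line in lines:
        ev = parse_cef(line)
        if ev is None or ev["extension"].get("cat") != "certificate":
            continue
        x = ev["extension"]
        found.append({"host": x.get("dhost"), "act": x.get("act"), "cn": x.get("cs1"),
                      "severity": ev["severity"], "detail": x.get("msg", "")})
    return found
```

A removal event for a certificate that is marked Managed in Open-AudIT, with no renewal or replacement recorded against it, is the case worth routing to the certificate owner.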

Note: Component syslog logging can be verbose on large networks. It is not recommended to enable this globally except in specific audit or compliance scenarios. See the Open-AudIT v6.0.0 Release Notes for full details of CEF log format and available configuration items.

11. Best Practices

  • Mark certificates as managed as soon as they are discovered on production systems. This ensures they are included in expiry reporting from day one.

  • Assign a named owner to every managed certificate. Avoid using generic group names — a named individual ensures accountability.

  • Record whether a certificate is auto-renewing. Manually renewed certificates need closer monitoring and should have a shorter alert window.

  • Use the Notes field to capture renewal procedures, vendor contacts, and any non-standard steps required to update the certificate on the target device.

  • Run discoveries regularly — at minimum weekly — against hosts with active managed certificates to ensure expiry dates are current.

  • Review the expiry report at the start of each month and confirm that all certificates within the alert window are either already renewed or have a renewal action in progress.

  • For externally issued certificates, note the CA vendor and any registration or validation requirements in the Notes field to reduce renewal lead time.

12. Troubleshooting

Certificates Not Appearing After Discovery

If certificate records do not appear after running a discovery, check the following:

  • Confirm the target device was successfully audited. Review the discovery log for errors or incomplete audit results.

  • For Windows targets, verify that the audit is using the new PowerShell script (available from v6.0.0). Older VBScript-based audits may not return certificate data in the expected format.

  • For Linux targets, confirm that SSH credentials have sufficient permissions to read certificate stores and web server configuration.

  • Check that the Open-AudIT server is running v6.0.0 or later. Certificate Management is not available in earlier versions.

Certificate Records Not Updating After Renewal

After a certificate is renewed on a device, the Open-AudIT record will only update when the device is next audited. Run a targeted discovery against the renewed host to refresh the certificate data immediately.

Expiry Report Missing Certificates

If expected certificates are absent from expiry reports:

  • Check that the certificate record has the Managed flag set to Yes. Unmanaged certificates are excluded from management reports by default.

  • Confirm the report query includes the correct date filter for the Valid To field.

  • Verify that the target host is within the scope of the discovery used to populate certificates.

13. Related Features

Certificate Management in Open-AudIT v6.0.0 complements several other features in the platform:

  • Vulnerability Detection – certificates using deprecated algorithms or weak key sizes may correlate with CVE findings identified by the Vulnerability Detection engine.

  • ISO 27001 Standards Reporting – ISO 27001 controls related to cryptographic controls (A.10.1) and information access restriction can reference certificate management evidence produced by this feature.

  • Syslog / CEF Integration – certificate component events can be forwarded to a SIEM for centralised security event management.

  • Agents – the new MacOS and Linux agents (v6.0.0) can collect certificate data from endpoints that are difficult to reach via traditional network discovery.

  • Scheduled Reports – Open-AudIT's report scheduling engine enables automated delivery of certificate expiry reports without manual intervention.