The Logs > Certificate Management tab displays certificate-related log entries. You can:
- View certificate log entries
- Search certificate log entries
- Remove selected certificates from the log
- Revoke selected certificates from the log
- Re-enroll selected certificates from the log
Actions on certificates are logged in Logs > Audit Logs in the Certificate category.
How to search for certificate entries
When viewing the Certificate Management page, you can search for entries based on:
- Expiration date
1. In the Admin Portal, go to Logs > Certificate Management.
2. Specify one or more of the criteria in the following steps to describe the certificates you want to display.
3. (Optional) To specify a time range within which the certificates expired:
   - In the Expiration Date Range field, click the calendar next to the field, and then click on a date. This date is the earliest day the certificates you are searching for expired.
   - In the To field, click the calendar next to the field, and then click on a date. This date is the latest day the certificates you are searching for expired.
   An error message displays if you select a day in the Expiration Date Range field earlier than the day specified in the To field. For example, you receive an error message if you:
   - Select November 13th in the Expiration Date Range field (earliest time a certificate expired).
   - Select October 15th in the To field (latest time a certificate expired).
   The search can return fewer than all the certificates that expired during the specified time period if you specify other criteria in Step 4.
4. (Optional) In Search by User/Setting Name, enter a username or a setting name.
Displays the name of the Certificate Enrollment setting.
Displays the configuration using the Certificate Enrollment.
The configuration displays only for a non-cached Certificate Enrollment. Configuration names are not available for certificates created in VSP Version 6.0 or earlier.
For a cached Certificate Enrollment certificate, you will always see "-" in the Setting Name, regardless of whether it was created prior to version 7.0 or created in version 7.0.
Search results are displayed in a table with the following columns:
The user name of the device user identified by the identity certificate.
The phone number associated with the device user identified by the identity certificate.
The email address associated with the device user identified by the identity certificate.
Certificate Enrollment Name
The name of the certificate enrollment (such as SCEP, Local, Entrust) used to issue the identity certificate.
The name of the setting that uses the certificate enrollment, such as an Exchange or [email protected] setting.
Indicates whether the certificate is a user-provided certificate enrollment. Otherwise, this field is left blank.
The date by which the identity certificate will no longer be valid.
Click the View link to see the contents of the identity certificate itself.
How to remove a certificate
This action removes the certificate from the device, but does not remove the SCEP setting.
- Go to Logs > Certificate Management.
- Select the certificate that you want to remove.
- Click Actions > Remove.
How to revoke a certificate
You can revoke certificates created using a Local Certificate Authority, OpenTrust, Entrust API Version 9, and Symantec Web Service PKI. Revoking a certificate adds the certificate to the CRL (Certificate Revocation List). When a device authenticates with Ivanti EPMM, the system first checks the CRL to verify that the certificate is not on the list. If the certificate is on the list, authentication fails.
- Go to Logs > Certificate Management.
- Select the certificate that you want to revoke.
- Click Actions > Revoke.
The certificate will be added immediately to the CRL so the next time the device attempts to authenticate, authentication will fail.
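The CRL check described above, as an added example (not Ivanti EPMM's code and not part of the original page): a constructed local CA issues two certificates, one is revoked, and the check fails for that certificate only, and fails closed when the CRL was not signed by the CA. It assumes the Python `cryptography` package; all function names, subjects and serial numbers are hypothetical, and certificate chain and validity-date checks are out of scope.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

NOW = datetime.now(timezone.utc)

def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def issue(ca_name, ca_key, cn, serial):  # constructed identity certificate
    subject_key = ec.generate_private_key(ec.SECP256R1())
    return (x509.CertificateBuilder()
            .subject_name(name(cn)).issuer_name(ca_name)
            .public_key(subject_key.public_key()).serial_number(serial)
            .not_valid_before(NOW).not_valid_after(NOW + timedelta(days=365))
            .sign(ca_key, hashes.SHA256()))

def build_crl(ca_name, signing_key, revoked_serials):
    """Publish a CRL that lists the given serial numbers as revoked."""
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_name)
               .last_update(NOW).next_update(NOW + timedelta(days=1)))
    for serial in revoked_serials:
        entry = (x509.RevokedCertificateBuilder()
                 .serial_number(serial).revocation_date(NOW).build())
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(signing_key, hashes.SHA256())

def passes_crl_check(cert, crl, ca_public_key):
    """True only if the CRL is authentic, from the cert's issuer, and omits the cert."""
    if crl.issuer != cert.issuer or not crl.is_signature_valid(ca_public_key):
        return False  # fail closed: a CRL that cannot be trusted proves nothing
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is None

def demo():
    ca_key, ca_name = ec.generate_private_key(ec.SECP256R1()), name("Constructed Local CA")
    alice = issue(ca_name, ca_key, "alice", 1001)
    bob = issue(ca_name, ca_key, "bob", 1002)
    before = build_crl(ca_name, ca_key, [])  # nothing revoked yet
    after = build_crl(ca_name, ca_key, [alice.serial_number])  # alice's cert revoked
    forged = build_crl(ca_name, ec.generate_private_key(ec.SECP256R1()), [])  # wrong signer
    pub = ca_key.public_key()
    return {"alice_before": passes_crl_check(alice, before, pub),
            "alice_after": passes_crl_check(alice, after, pub),
            "bob_after": passes_crl_check(bob, after, pub),
            "alice_forged_crl": passes_crl_check(alice, forged, pub)}

if __name__ == "__main__":
    print(demo())
```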