Certificate Management

The Logs > Certificate Management tab displays certificate-related log entries. You can:

View certificate log entries
Search certificate log entries
Remove selected certificates from the log
Revoke selected certificates from the log
Re-enroll selected certificates from the log

Actions on certificates are logged in Logs > Audit Logsin the Certificate category.

How to search for certificate entries

When viewing the Certificate Management page, you can search for entries based on:

Expiration date
User
Setting

Procedure

In the Admin Portal, go to Logs > Certificate Management.
Specify one or more of the criteria in the following steps to describe the certificates you want to display.
(Optional) To specify a time range within which the certificates expired:
- In the Expiration Date Range field, click the calendar next to the field, and then click on a date. This date is the earliest day the certificates you are searching for expired.
- In the To field click the calendar next to the field, and then click on a date. This date is the latest day the certificates you are searching for expired.
  An error message displays if you select a day in the Expiration Date Range field earlier than the day specified in the To field. For example you receive an error message if you:
- An error message displays if you select a day in the Expiration Date Range field earlier than the day specified in the To field. For example you receive an error message if you:
  
  Select November 13th in the Expired Date Range field (earliest time a certificate expired).
  
  Select October 15th in the To field (latest time a certificate expired).
The search can return fewer than all the certificates that expired during the specified time period if you specify other criteria in Step 4.

(Optional) In Search by User/Setting Name, enter a username or a setting name.

Item	Description
Certificate Enrollment	Displays the name of the Certificate Enrollment setting.
Setting	Displays the configuration using the Certificate Enrollment. The configuration displays only for a non-cached Certificate Enrollment. Configuration names are not available for certificates created in VSP Version 6.0 or earlier. For a cached Certificate Enrollment certificate, you will always see - in the Setting Name, regardless of whether it was created prior to version 7.0 or created in version 7.0.

Item

Description

Certificate Enrollment

Displays the name of the Certificate Enrollment setting.

Setting

Displays the configuration using the Certificate Enrollment.

The configuration displays only for a non-cached Certificate Enrollment. Configuration names are not available for certificates created in VSP Version 6.0 or earlier.

For a cached Certificate Enrollment certificate, you will always see - in the Setting Name, regardless of whether it was created prior to version 7.0 or created in version 7.0.

Click Search.

Search results are displayed in a table with the following columns:

Item	Description
User	The user name of the device user identified by the identity certificate.
Phone Number	The phone number associated with the device user identified by the identity certificate.
Email	The email address associated with the device user identified by the identity certificate.
Certificate Enrollment Name	The name of the certificate enrollment (such as SCEP, Local, Entrust) used to issue the identity certificate.
Setting Name	The name of the setting that uses the certificate enrollment, such as an Exchange or Ivanti Web@Work setting.
Cert Type	Indicates whether the certificate is a user-provided certificate enrollment. Otherwise, this field is left blank.
Expiration Date	The date by which the identity certificate will no longer be valid.
Content	Click the View link to see the contents of the identity certificate itself.

How to remove a certificate

This action removes the certificate from device, but does not remove the SCEP setting.

Procedure

Go to Logs > Certificate Management.
Select the certificate that you want to remove.
Click Actions > Remove.

How to revoke a certificate

You can revoke certificates created using a Local Certificate Authority, OpenTrust, Entrust API Version 9, and Symantec Web Service PKI. Revoking a certificate adds the certificate to the CRL (Certificate Revocation List). When a device authenticates with Ivanti EPMM, the system first checks the CRL to verify that the certificate is not on the list. If the certificate is on the list, authentication fails.

Procedure

Go to Logs > Certificate Management.
Select the certificate that you want to revoke.
Click Actions > Revoke.

The certificate will be added immediately to the CRL so the next time the device attempts to authenticate, authentication will fail.

How to re-enroll a SCEP certificate

This feature is not supported on iOS Mac devices.