Managing certificate lifecycle settings

Managing the certificate lifecycle is key to an effective certificate management strategy. This topic describes the global certificate lifecycle settings available in Venafi Control Plane and provides steps on how to modify those settings.  

Prerequisite

Editing the global certificate lifecycle settings can be done only by a System Administrator or PKI Administrator.  

To access the global certificate lifecycle settings

  1. Sign in to Venafi Control Plane.
  2. Click Policies > Certificate Lifecycle.

This opens the certificate lifecycle page. The page is divided into the following sections:

Certificate discovery

This section allows you to clear the list of retired certificates that are currently blocked from rediscovery (the "do not rediscover" list, or block list).

Click Clear List to remove all certificates from this list.

Removing individual certificates from the block list

If you need to recover specific certificates rather than clearing the entire list, see the steps in recovering retired certificates.

Alternatively, you can use the following API methods to view whether a specific certificate is on the block list, and if so, to remove it:

  • GET /v1/certificateblocklist/{fingerprint}. The certificate fingerprint will be returned if it is on the block list.
  • DELETE /v1/certificateblocklist/{fingerprint}. This deletes the specific certificate identified by the fingerprint.

To view the entire block list, use GET /v1/certificateblocklist/.
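The check-then-remove flow for a single certificate, as an added example that is not part of the original documentation. The base URL, the authentication headers, the hex fingerprint format, and the treatment of any non-200 response as "not on the list" are assumptions; `unblock` and its helpers are hypothetical names.

```python
import re
import urllib.error
import urllib.request

# Assumption: fingerprints are SHA-1 (40) or SHA-256 (64) hex digests.
_HEX = re.compile(r"^(?:[0-9A-Fa-f]{40}|[0-9A-Fa-f]{64})$")

def normalize_fingerprint(value):
    """Strip ':' and whitespace, then reject anything that is not a hex digest,
    so untrusted input can never alter the request path."""
    fp = re.sub(r"[:\s]", "", value)
    if not _HEX.match(fp):
        raise ValueError("not a hex fingerprint: %r" % value)
    return fp

def http_send(method, url, headers):
    """Default transport. Returns (status, body); HTTP errors become a status."""
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

def is_blocked(base_url, headers, fp, send=http_send):
    """GET the entry; the fingerprint is returned only if it is on the list."""
    url = "%s/v1/certificateblocklist/%s" % (base_url.rstrip("/"), fp)
    status, body = send("GET", url, headers)
    return status == 200 and fp.lower() in body.lower()

def unblock(base_url, headers, fingerprint, send=http_send):
    """Remove one certificate from the block list and confirm the result.
    base_url and headers (authentication) are supplied by the caller."""
    fp = normalize_fingerprint(fingerprint)
    if not is_blocked(base_url, headers, fp, send):
        return "not-on-list"
    url = "%s/v1/certificateblocklist/%s" % (base_url.rstrip("/"), fp)
    status, _ = send("DELETE", url, headers)
    if status >= 300:
        return "delete-failed:%d" % status
    # Re-query so the change is verified rather than assumed.
    if is_blocked(base_url, headers, fp, send):
        return "still-listed"
    return "removed"
```

The `send` parameter lets the flow be exercised against a stub before it is pointed at a live tenant.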

Certificate auto-renewal and provisioning

This section sets the global auto-renewal and provisioning threshold and allows you to run auto-renewal manually. For more information, see configuring default auto-renewal settings.

Certificate expiration notification policy

This section allows you to enable and configure the certificate monitoring service and to set up email notifications. For more information, see setting up certificate expiration notifications.

Certificate expiration reporting policy

This section allows you to enable and configure certificate expiration reports, which are comprehensive reports in CSV format that list certificates due to expire within a predetermined number of days. For more information, see setting up certificate expiration reports.

Certificate retirement

This section allows you to specify the number of days between when a certificate is retired and when it is deleted from Venafi Control Plane. It also allows you to restrict certificate retirement to System Administrators and PKI Administrators. For more information, see retiring and recovering certificates.