Skip to content

Tagging certificates

In TLS Protect Cloud, tags are user-defined keys or key:value pairs that can be assigned to certificates. Tags allow you to add customized meta information to certificates beyond just the certificate properties. This gives you more insight and control in managing your certificate inventory, and it provides the ability for 3rd party integrations to act based on the presence or absence of tags.

Example

One example use of tags might be to use a team-name:purpose tagging convention. Following that convention, you might have tags such as infrastructure:loadbalancer and infrastructure:database.

Once the tags are assigned, you can filter the certificate inventory using them. This gives you a quick and easy way to view your inventory based on the tags that you create and assign, and will help you create, organize, and manage your certificate management tasks.

You can add tags to a certificate request, or you can add and edit tags for existing certificates.

Before you begin

  • Resource Owners can create, assign, and remove tags only when selecting a certificate that belongs to an application that the Resource Owner owns. Resource Owner can also filter the certificate inventory using tags. Other tagging tasks must be performed by an administrator.
  • Know at least one of the keys or key:value pairs you want to create as a tag. Once created, these cannot be changed or deleted from the TLS Protect Cloud UI (though they can be deleted using the API). You can create new tags at any time.
  • Creating a key:value pair also creates a standalone tag for the key value. For example, if you create a tag called infrastructure:database, two tags will be created: infrastructure and infrastructure:database.
  • A certificate can have a maximum of 20 tags assigned to it.

Assigning tags to an existing certificate

  1. Open the certificate inventory by going to Inventory > Certificates.
  2. In the left navigation, select the certificates you want to add a tag to by clicking the checkbox next to the certificate.
  3. In the local menu bar, click Tag > Add Tags.
  4. Click in the Tags field to open a list of existing tags, and select the tags you want to apply. (Or you can click the Assign link in the Tags section on the certificate.)
  5. If the tag doesn't yet exist, type the tag name or key:value pair into the Tags field.

    When creating new tags

    • Creating a key:value pair also creates a standalone tag for the key value. For example, if you create a tag called application:database, two tags will be created: application and application:database.

    • Once tags are created, the tag name cannot be changed or deleted using the UI, even if they aren't assigned to any certificates. Double-check that you've entered all new tag names correctly before saving.

    • You can have multiple versions of a key with different values.

  6. The Tags field will populate with the tags you select.

  7. If you want to replace the existing tags, click Replace current tag assignments. If you leave this unchecked, the tags will be added to the existing set.
  8. Click Save.

Once the tags are applied, you'll see them listed under the Tags heading when viewing certificate details. You'll also see them listed in the Tags column when in the list view of the certificate inventory. The tags for a certificate are maintained when you renew the certificate.

Changing tags assigned to a certificate

Changing the tags on a single certificate

  1. Open the certificate inventory by going to Inventory > Certificates.
  2. Select the certificate that you want to change the tag assignment for.
  3. In the local menu bar, click Tag > Add Tags.
  4. Remove any existing tag assignments by clicking the delete icon for the tags you want to remove.

    image showing the delete tag icon

  5. Add any new tag assignments. You can select existing tags or create new tags to add. Keep in mind that there is a limit of 20 tags.

  6. Click Save.

Modifying the values of tags on a single certificate

  1. Open the certificate inventory by going to Inventory > Certificates.
  2. Select the certificate whose tags you want to edit.
  3. In the local menu bar, click Tags > Edit Tags.
  4. Edit the values for the existing tags.
  5. Click Save.

Changing the tags on multiple certificates

  1. Open the certificate inventory by going to Inventory > Certificates.
  2. Click the checkboxes next to the certificates that these tag changes should apply to.
  3. In the local menu bar, click Tag > Add Tags. (Or, you can click the Tag link on the certificate details.)
  4. Add any new tag assignments. You can select existing tags or create new tags to add.
  5. If you want to replace existing tag assignments for the selected certificates, check the Replace current tags checkbox. Leave it unchecked if you just want to add the new tag assignments and leave the current tag assignments as they are.

    Notes

    • If adding tags causes one or more certificates to exceed the 20 tag limit, no changes will be made to those certificates, and a message will be displayed listing the certificates that weren't changed. The changes will still be applied to certificates that don't exceed the limit.

    • If all the certificates exceed the 20 tag limit, then the operation fails with a message that all certificates exceed the limit.

    • The Replace current tags checkbox is available only when changing the tags on multiple certificates. To change the tags on a single certificate, follow the steps in Changing the tags on a single certificate above.

  6. Click Save.

Clearing all tags from a certificate

You can clear the tag assignments from any certificate. Clearing the assignments clears all tags from the certificate.

  1. Open the certificate inventory by going to Inventory > Certificates.
  2. In the left navigation, select the certificates you want to clear the tags from by clicking the checkbox next to the certificate.
  3. In the local menu bar, click Tag > Clear Tags.
  4. Confirm that you want to remove all tag assignments from the certificate by clicking Clear.

The tag assignments are now cleared for the selected certificates. Note that neither clearing tag assignments nor retiring the certificate deletes the tags themselves. The tags remain available in TLS Protect Cloud to be assigned to other certificates.

Filtering certificate inventory by tags

Once you have tags assigned to certificates, you can filter the certificate inventory based on those tags. To do so, select Tag from the Add Criteria drop-down, and then select the tags you want to filter on.

When filtering the inventory, you may notice that there is a system tag called Venafi. This tag is used by TLS Protect Cloud, and it can't be modified, assigned, removed, or deleted.

Viewing tagging event logs

All tagging events are logged in the TLS Protect Cloud event log. When filtering the event log, refer to the following table to view specific tagging events:

Tagging event Add Criteria Event
When a new tag is created Event Tags Created
When an existing tag is deleted from the system Event Tags Deleted
When a tag is removed from a certificate Event Certificate All Tags Deleted
When a tag replaces an existing tag on a certificate Event Certificate Tags Replaced
A tag is added to a certificate Event Certificate Tags Added
A tag is added to a certificate request Event Tags Assignment on Certificate Request