Frequently Asked Questions

This section addresses common questions related to CERTInext features including Discovery, Provisioning, CA Integration, Key Management, Monitoring, Roles, and Trust Management.

1. What is CERTInext used for?

CERTInext is a Certificate Lifecycle Management (CLM) platform that automates discovery, issuance, deployment, renewal, revocation, monitoring, and reporting of digital certificates across enterprise environments.

2. Does CERTInext support both Public and Private CAs?

Yes. CERTInext integrates with Public CAs (e.g., emSign) and Private CAs (emCA, Microsoft AD CS, internal hierarchies), enabling centralized lifecycle orchestration.

3. Can CERTInext manage certificates issued outside the platform?

Yes. Discovery bots identify certificates issued by external CAs and import them into inventory for monitoring and lifecycle tracking.

4. What environments can Discovery Bots scan?

Bots can scan:

• Web/App servers

• File systems

• Remote servers via SSH / WinRM

• LDAP / Active Directory

• HSMs

• Cloud platforms (AWS ACM, etc.)

• Load balancers and network appliances

5. Can CERTInext operate in air-gapped environments?

Yes. Bots support restricted and air-gapped deployments using offline installation bundles and controlled connectivity models.

6. How does automated renewal work?

Renewal is triggered based on configured thresholds (e.g., 30 days before expiry). The provisioning bot submits a renewal request to the configured CA and deploys the certificate automatically.

7. What happens if deployment fails?

If rollback protection is enabled, CERTInext reverts to the previously deployed certificate. Deployment logs help diagnose configuration or permission issues.

8. Does CERTInext support Domain Control Validation (DCV)?

Yes. Supported methods include:

• HTTP-01

• DNS-01

• TLS-ALPN-01

• Email-based validation

Automation depends on CA capabilities and DNS integration.

9. Can I create my own Private CA hierarchy?

Yes. CERTInext allows creation of Root and Subordinate CAs along with customizable certificate products and extensions.

10. How are trust stores managed?

Administrators can upload and manage Root and Intermediate certificates to maintain complete trust chains and validation workflows.

11. What is the difference between Discovery and Provisioning bots?

• Discovery Bots identify and monitor certificates.

• Provisioning Bots issue, renew, and deploy certificates.

• Bots can be configured for either or both functions.

12. Can CERTInext integrate with Microsoft CA (AD CS)?

Yes. Integration is supported through AD CS Web Enrollment connectors for automated issuance and lifecycle control.

13. How is key management handled?

CERTInext supports symmetric and asymmetric key generation, rotation, deletion, and storage via HSM or PKCS12 key profiles.

14. Can private keys be protected in HSM?

Yes. HSM-based key profiles ensure hardware-backed key generation and non-exportable private keys.

15. How does certificate monitoring work?

Monitoring includes:

• Expiry alerts

• Policy violation alerts

• CT Log monitoring

• Dashboard KPIs

• Reporting and exports

16. What types of alerts are supported?

• Expiry Alerts

• Policy Violation Alerts

• Deployment failure alerts

• Renewal notifications

Alerts can be delivered via configurable notification channels.

17. What reporting options are available?

Users can generate and export:

• Certificate inventory reports

• Bot status reports

• Expiry reports

• Audit logs

Exports are available in Excel and PDF formats.

18. How does role-based access control work?

CERTInext uses granular RBAC with:

• Custom roles

• Approval workflows

• Separation of duties

• Delegation capabilities

• Service accounts and API tokens

19. Does CERTInext support Single Sign-On (SSO)?

Yes. SSO integration enables centralized identity authentication using enterprise identity providers.

20. Can APIs be used for automation?

Yes. CERTInext provides REST and ACME APIs for automated certificate operations and system integration.

21. How are commissions managed for Partners?

Partner accounts operate on a wallet-based model with automated commission calculation and tracking via ledger reports.

22. How are Root and Intermediate certificates handled?

They can be uploaded, viewed, and managed to maintain complete certificate chain validation.

23. What happens if a CA connector fails?

Certificate requests remain queued until connectivity is restored. Connector status and logs help diagnose issues.

24. Can multiple bots be deployed?

Yes. Multiple bots can be deployed across regions, environments, and network segments for scalability.

25. How can I ensure high availability?

Best practices include:

• Deploying multiple bots

• Monitoring dashboard KPIs

• Enabling alerts

• Regularly validating CA connectors

• Maintaining updated trust stores

26. Are all actions auditable?

Yes. CERTInext logs:

• Certificate lifecycle events

• Key operations

• CA integration actions

• User and role changes

• Bot activities

These logs support compliance and audit requirements.

27. Is CLM users able to query certificate inventory in real-time? Does it cover all products in one location?

Yes. CERTInext provides real-time visibility into certificate inventory through the centralized Discovery and Provisioning dashboards. All certificates—whether issued by public CAs (emSign, DigiCert, etc.), private CAs (emCA, AD CS), cloud platforms (AWS ACM, Kubernetes), or network devices - are aggregated into a single unified inventory view.

Inventory can be accessed via:

• Web dashboard (real-time UI view) • Filtered search queries • REST APIs for programmatic access

All products and certificate types are consolidated in one location, including SSL/TLS, S/MIME, private PKI, and device certificates. Real-time status reflects expiry, vulnerability posture, deployment status, and lifecycle stage.

28. What reports are available?

CERTInext provides comprehensive reporting capabilities across the certificate lifecycle. Available report categories include:

• Certificate Inventory Reports • Expiry and Renewal Forecast Reports • Vulnerability and Compliance Reports • CA-wise Issuance Reports • Provisioning and Deployment Status Reports • Key Management and Cryptographic Strength Reports • User and S/MIME Provisioning Reports • Bot Activity and Discovery Reports • Audit Trail and Lifecycle Event Reports

Reports can be filtered by CA, environment, business unit, expiry window, certificate type, and custom tags.

29. What metadata are being captured?

CERTInext captures extensive certificate and operational metadata, including:

• Common Name (CN) • Subject Alternative Names (SAN) • Issuer CA • Serial Number • Signature Algorithm • Key Algorithm and Key Size • Validity Period (Issued On / Expires On) • Expiry Remaining (Days) • Certificate Type (DV, OV, EV, Private, S/MIME) • Deployment Location (Host/IP/Port) • Discovery Source (Bot, Import, Cloud, API) • Order ID (for CA-issued certificates) • Vulnerability Status • Revocation Status • Tags and Organizational Mapping • Provisioning Bot Mapping • Last Provisioned Timestamp • DCV Status (where applicable)

This metadata supports lifecycle tracking, compliance validation, and operational governance.

30. Can all metadata be used to create reports?

Yes. All captured metadata fields are available for filtering, querying, and report generation within CERTInext. Administrators can:

• Apply advanced filters across any metadata field • Combine multiple filter conditions • Customize report columns • Create environment-specific or CA-specific reports

Metadata can also be accessed via REST APIs for integration with external BI, GRC, or compliance systems.

31. Outline available report formats: CSV, Excel, PDF, Word, etc.

CERTInext supports multiple export formats to meet operational and compliance requirements:

• CSV – For data processing and integration • Excel (.xlsx) – For detailed analysis and audit tracking • PDF – For management summaries and compliance documentation

Exports reflect applied filters and customized column views. Word format is typically supported through PDF or Excel exports that can be integrated into documentation workflows.

32. Outline Delivery Methods Supported: Email, Download, REST/API

CERTInext supports multiple report delivery mechanisms:

• Direct Download from dashboard (CSV, Excel, PDF) • Scheduled Email Delivery (for periodic reports such as expiry alerts or compliance summaries) • REST API Access for automated retrieval and integration with external systems

API-based retrieval enables integration with:

• SIEM platforms • GRC systems • ITSM tools • Enterprise reporting dashboards

This ensures flexible, automated, and enterprise-ready reporting capabilities.