HashiConf 2025 Don't miss the live stream of HashiConf Day 2 happening now View live stream
HashiCorp Cloud Platform
HashiCorp Cloud Platform Home

Certificates inventory reporting

Beta feature

This feature is currently available as a beta release. Beta functionality is stable but possibly incomplete and subject to change. We strongly discourage using beta features in production.

Limitations for beta

Certificates inventory reporting is available for:

  • ACME, SCEP, EST, CMPv2, and Vault issued certificates
  • Root, intermediate and leaf certificates

Using Vault to manage certificates can increase security, and reduce operational overhead to protect sensitive data. However, it is critical to set the right permissions to control access to those data.

Vault certificates inventory reporting increases visibility into the certificates Vault manages through the UI and API. The reporting services use telemetry to collect and surface data that shows when users access, modify, or allow certificates to expire.

Prerequisites

To view the inventory reports, make sure to enable the reporting on your HCP Vault Dedicated clusters.

View certificates inventory report

The admin role has access to certificates and secrets inventory reporting. For non-admin users, you need the Report reader role for Vault reporting service in addition to view the certificates inventory report.

This grants access to certificates reporting as well as secret inventory reporting, and the ability to use a cluster's saved views but not modify them.

Tip

Refer to the access management page to learn more about assigning IAM roles.

  1. In the HCP Portal, select Vault Dedicated.

  2. Select Certificates Inventory. Certificates inventory reporting dashboard example

    You can filter the data using the saved views. Also, you can order the Common name and Valid until timestamps in ascending or descending dates. Certificates inventory reporting filters

Available column data

You can select or deselect the column fields to display.

The table below lists available column fields and their description.

Table ColumnDescription
Common nameThe identifier for the certificate
StatusIndicates if the certificate is active or expired.
RoleThe Vault role used to issue the certificate.
Valid untilThe timestamp of when the certificate expires.
IssuerThe parent issuer of the certificate.
Serial NumberThe unique identifier assigned to this certificate by the Certificate Authority. Use this number to reference, audit, or revoke the specific certificate.
Certificate typeThe type of certificate (Root, Intermediate, or Leaf).
Valid fromRefers to Not Before certificate attribute. This is the start date and time when the certificate becomes valid and ready for use.
MountpathThe path of the certificates engine or authentication method was enabled at.
AlgorithimThe algorithm used for the private key (RSA, ECDSA, Ed25519).
Algorithim strengthThe number of bits used to generate the key. This value will vary depending on the algorithm used.
Mount accessorThe identifier of the mount which the certificate is apart of.
Revoked atThe timestamp of when the certificate was revoked.
Revoked bySpecifies the ID of the entity that requested the certificate authority to revoke the certificate.
Stored in vaultIndicates if the certificate is stored in Vault.

Saved views

Saved views are a combination of filters and fields applied to the certificates inventory report to return a specific set of data. When you enable reporting on your cluster, it creates two default saved views:

  • Expired certificates that have passed the designated validity period
  • Revoked certificates that are now invalid by the issuing certificate authority

You can rearrange those saved views and modify them to your specific organization's needs. As an administrator, you can edit and modify existing saved views which are available to any report reader or other admins on the Vault cluster to use. Project members with the report reader role will be able to use saved views that admins create but cannot modify them.

Create a saved view

  1. Create a saved view by making selections from the Role, Filters or Fields drop-downs.
  2. Click on saved view to the right of the Fields drop-down.
  3. Give your saved view a name which describes the data it is surfacing and a description of how to use that saved view.
  4. Click Save and your saved view will appear in the carousel in the last position.

Modify a saved view

  1. Click on the three dots to the right of the saved view title.
  2. Select Rename, and make edits.
  3. Click Update.

Rearrange your saved views by clicking on the three dots to the right of the saved view title and selecting Rearrange. Drag and drop the saved views in your preferred order and click save.

Download certificates inventory report

You can export the certificates inventory report data with filters applied.

  1. From the Certificate Inventory page, click Export.
  2. Select the desired file format: JSON, or CSV.
  3. Click Continue.
  4. Click Download records, and select the download location.

Note

You can export up to 1,000 rows of data. When the filtered report exceeds 1,000 rows of data, it returns an error.

Edit this page on GitHub