
Assignment rules for certificate metadata

With the Rules feature in DigiCert® Trust Lifecycle Manager, you can define policies to automatically assign the following metadata types to certificates discovered or imported into your account:

  • Custom attributes: Name-value pairs with information about your organization, such as service departments or cost centers.

  • Certificate owners: Email contacts who should receive notifications about certificate lifecycle events.

  • Tags: Text labels to help identify different groups or types of certificates.

These metadata fields help you identify, monitor, and manage the certificates once they're added to your inventory in Trust Lifecycle Manager.

Anatomy of a rule

Each rule defines the following options for when and how to assign metadata to a discovered or imported certificate:

  • Conditions: Which certificates to assign the metadata to, based on certificate attributes such as the CA vendor, security rating, subject DN, issuing CA, and cryptographic properties.

  • Assignments: The metadata fields to assign to the matching certificates, which can include a mix of custom attributes, certificate owners, and tags.

  • Targets: The data sources whose import or discovery operations the rule applies to, which can be Connectors, Network scans, or System scans.

Create a rule

To create a new metadata assignment rule in Trust Lifecycle Manager:

  1. In the Trust Lifecycle Manager menu, go to Policies > Rules.

  2. Select Create rule on the right.

    Complete the resulting form as described below.

  3. Rule name: Enter a name to help identify this rule.

  4. Description: Enter a description to help identify the purpose of this rule.

  5. Conditions: Select Add conditions on the right. In the sidebar that opens, define the conditions for which certificates to assign metadata to:

    1. Attribute: Select a certificate attribute to match.

    2. Operator: Select how to match the attribute value.

    3. Value: Enter the value to match.

    4. (Optional) Use the AND and OR buttons to add more matching conditions.

      Note

      AND means all conditions must match. OR means any condition can match.

    5. Select Save at the bottom of the sidebar to save the conditions.

  6. Assignments: Select Add assignments on the right. In the sidebar that opens, define the metadata to assign to the matching certificates:

    1. In the Assign dropdown, select the type of metadata to assign:

      • Custom attributes: Select the name of the attribute to assign. Depending on the attribute type, enter the attribute value or select it from the dropdown. For fixed-value attributes, the value is displayed but cannot be modified.

      • Tags: Select Tags, then select the tag values to assign from the dropdown.

      • Certificate owners: Select Owners, then select the owner contacts to assign from the dropdown.

    2. (Optional) Select Add assignment to assign additional types of metadata.

    3. Select Save at the bottom of the sidebar to save the assignments.

  7. Targets: Select Add targets on the right. In the sidebar that opens, define the data sources for the imported or discovered certificates to target for this rule:

    1. Target: Select one of the following targets:

      • Connector: Process certificates imported from a connector. Select the applicable connector(s) from the dropdown.

      • Network scan: Process certificates discovered by a network scan. Select the applicable network scan(s) from the dropdown.

      • System scan: Process certificates discovered by a system scan. Select the applicable DigiCert agent(s) from the dropdown.

    2. (Optional) Select Add target to specify additional certificate data sources to target.

    3. Select Save at the bottom of the sidebar to save the targets.

      Note

      You can also add targets directly from the scan or connector configuration. See Select rules when configuring a connector or scan for more details.

  8. Review all the options you defined for the rule. If you need to make changes:

    • Conditions: Select Edit to change any aspect of the certificate matching conditions.

    • Assignments:

      • Select the pencil icon to edit an individual metadata assignment, or the minus icon to delete an assignment.

      • Select Add assignments to assign additional metadata fields.

    • Targets:

      • Select the pencil icon to edit an individual certificate data source, or the minus icon to delete a data source.

      • Select Add targets to apply the rule to additional certificate data sources.

  9. When you're ready, select the Save rule button at the bottom to save the overall rule.

What happens after creating a rule?

When you create a new rule:

  • For all subsequent import or discovery operations on the targets you defined, any certificates that match the conditions will automatically get the metadata assignments you specified.

  • The rule does not apply to certificates already in your inventory from those targets. However, if the same certificates are found again in a subsequent import or discovery operation, the rule gets applied and the metadata is assigned to them. To apply a new rule to existing inventory, re-run the targeted scan or import so the certificates are found again.
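As an added illustration (not Trust Lifecycle Manager code, and not a DigiCert API), the following Python models the rule semantics described above: conditions joined by AND or OR, assignments of tags, owners and custom attributes, targets as data sources, the Active/Inactive status, and application only during an import or discovery operation. The attribute names, operator names, rule names, source identifiers and certificate values are invented for the example. The page does not state how a mixture of AND and OR conditions is grouped, so each rule here uses a single combinator.

```python
"""Toy model of metadata assignment rules, written for this article.

Not Trust Lifecycle Manager code; it only mirrors the behaviour the page
describes. Operator names, attribute names and sample data are assumptions.
"""
from dataclasses import dataclass, replace
from typing import Any, Callable

# Assumed operator names; the page does not enumerate the product's operators.
OPERATORS: dict[str, Callable[[Any, Any], bool]] = {
    "equals": lambda actual, expected: actual == expected,
    "contains": lambda actual, expected: str(expected) in str(actual or ""),
    "less_than": lambda actual, expected: actual is not None and actual < expected,
}


@dataclass
class Condition:
    attribute: str   # certificate attribute, e.g. "key_size" (assumed name)
    operator: str    # key into OPERATORS
    value: Any

    def matches(self, cert: dict) -> bool:
        return OPERATORS[self.operator](cert.get(self.attribute), self.value)


@dataclass
class Rule:
    name: str
    conditions: list[Condition]
    combinator: str       # "AND": all conditions must match; "OR": any may
    assignments: dict     # {"tags": [...], "owners": [...], "custom_attributes": {...}}
    targets: set[str]     # data-source identifiers (connector / scan names)
    active: bool = True   # False models a paused (Inactive) rule

    def matches(self, cert: dict) -> bool:
        hits = [c.matches(cert) for c in self.conditions]
        return all(hits) if self.combinator == "AND" else any(hits)


def apply_rules(cert: dict, source: str, rules: list[Rule]) -> dict:
    """Copy `cert`, adding metadata from every active rule whose targets
    include `source` and whose conditions match."""
    out = {**cert, "tags": set(), "owners": set(), "custom_attributes": {}}
    for rule in rules:
        if rule.active and source in rule.targets and rule.matches(cert):
            out["tags"].update(rule.assignments.get("tags", ()))
            out["owners"].update(rule.assignments.get("owners", ()))
            out["custom_attributes"].update(rule.assignments.get("custom_attributes", {}))
    return out


def run_operation(inventory: dict, certs: list[dict], source: str, rules: list[Rule]) -> dict:
    """One import/discovery operation from `source`. Rules run only against
    the certificates seen in this operation, so a rule created later reaches
    an existing inventory entry only when that certificate is found again."""
    for cert in certs:
        inventory[cert["fingerprint"]] = apply_rules(cert, source, rules)
    return inventory


# Constructed sample certificates; every value is invented for the example.
SAMPLE_CERTS = [
    {"fingerprint": "aa11", "subject_dn": "CN=legacy.example.test,O=Example Corp",
     "issuer_ca": "Example Internal CA", "key_size": 1024,
     "signature_algorithm": "sha256WithRSAEncryption"},
    {"fingerprint": "bb22", "subject_dn": "CN=pay.example.test,O=Example Payments",
     "issuer_ca": "Example Internal CA", "key_size": 2048,
     "signature_algorithm": "sha1WithRSAEncryption"},
    {"fingerprint": "cc33", "subject_dn": "CN=www.example.test,O=Example Corp",
     "issuer_ca": "Example Internal CA", "key_size": 3072,
     "signature_algorithm": "sha256WithRSAEncryption"},
]

# OR rule: a short RSA key or a SHA-1 signature is enough to flag the cert.
WEAK_CRYPTO = Rule(
    name="Flag weak crypto",
    conditions=[Condition("key_size", "less_than", 2048),
                Condition("signature_algorithm", "equals", "sha1WithRSAEncryption")],
    combinator="OR",
    assignments={"tags": ["weak-crypto"], "owners": ["pki-team@example.test"]},
    targets={"network-scan:dmz"},
)

# AND rule: both the subject organisation and the issuing CA must match.
PAYMENTS = Rule(
    name="Payments cost center",
    conditions=[Condition("subject_dn", "contains", "O=Example Payments"),
                Condition("issuer_ca", "equals", "Example Internal CA")],
    combinator="AND",
    assignments={"custom_attributes": {"cost_center": "CC-4410"}},
    targets={"network-scan:dmz", "connector:f5-prod"},
)


def demo() -> dict:
    inventory: dict = {}
    # Discovery before any rule exists: nothing is assigned.
    run_operation(inventory, SAMPLE_CERTS, "network-scan:dmz", rules=[])
    assert all(not c["tags"] for c in inventory.values())
    # Rules created afterwards take effect only when the certs are found again.
    run_operation(inventory, SAMPLE_CERTS, "network-scan:dmz", [WEAK_CRYPTO, PAYMENTS])
    # A source that is not a target of WEAK_CRYPTO gets only PAYMENTS applied.
    other = run_operation({}, SAMPLE_CERTS, "connector:f5-prod", [WEAK_CRYPTO, PAYMENTS])
    # A paused (Inactive) rule is not applied anywhere.
    quiet = run_operation({}, SAMPLE_CERTS, "network-scan:dmz", [replace(WEAK_CRYPTO, active=False)])
    return {"dmz": inventory, "f5": other, "paused": quiet}
```

Running demo() shows the three behaviours a practitioner needs to verify after creating a rule: the OR rule tags both the 1024-bit certificate and the SHA-1 certificate, the AND rule assigns the cost center only to the payments certificate and only from sources listed in its targets, and a paused rule assigns nothing even on a targeted source. The same checks map onto the Inventory filters mentioned below.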

To verify the rule in Trust Lifecycle Manager, go to Policies > Rules:

  • Select the Rule name link to see all the configuration details for the rule.

  • The Status column shows Active when the rule is in effect.

  • For rules with multiple targets, hover over or select the Targets column to see all the targets.

Tip

Use the Inventory functions to filter and verify the assigned metadata in the certificates themselves.

Select rules when configuring a connector or scan

To add a connector or scan as a certificate data source in an assignment rule, you can use either of the following methods:

  • When configuring the rule under Policies > Rules, add the connector or scan to the list of Targets.

  • When configuring the connector or scan itself, select the applicable rule(s) in the Certificate assignment rules dropdown.

In both cases, the connector or scan is added to the list of targets for the rule. The rule gets applied to all subsequent import or discovery operations for that connector or scan.

Manage existing rules

Manage existing rules from the Policies > Rules page in Trust Lifecycle Manager. Available management actions are described below.

Pause or resume a rule

New rules you create are marked as Active by default. You can pause or resume a rule to control when it runs:

  • To temporarily pause a rule, select the pause icon on the right of the rule listing. While paused, the status shows Inactive and the rule does not get applied anywhere.

  • To resume a paused rule, select the play icon on the right of the rule listing. Active rules get applied against the defined targets each time there is a new import or discovery operation.

Edit a rule

To edit the configuration options for an existing rule:

  1. Select the pencil icon on the right of the rule listing.

  2. Update the options for the rule as described in the Create a rule section above.

  3. Select the Update rule button at the bottom to save your changes.

Delete a rule

To disable and permanently remove a rule from your account:

  1. Open the actions menu on the right of the rule listing, and select Delete.

  2. In the popup that opens, select Delete to confirm the operation and delete the rule.