Assignment rules for certificate metadata

With the Rules feature in DigiCert® Trust Lifecycle Manager, you can define policies to automatically assign the following metadata types to certificates discovered or imported into your account:

  • Custom attributes: Name-value pairs with information about your organization, such as service departments or cost centers.

  • Certificate owners: Email contacts who should receive notifications about certificate lifecycle events.

  • Tags: Text labels to help identify different groups or types of certificates.

These metadata fields help you identify, monitor, and manage the certificates once they're added to your inventory in Trust Lifecycle Manager.

Anatomy of a rule

Each rule defines the following options for when and how to assign metadata to a discovered or imported certificate:

  • Conditions: Which certificates to assign the metadata to, based on certificate attributes such as the CA vendor, security rating, subject DN, issuing CA, and cryptographic properties.

  • Assignments: The metadata fields to assign to the matching certificates, which can include a mix of custom attributes, certificate owners, and tags.

  • Targets: The source of the certificates, which can include import or discovery operations from Connectors, Network scans, System scans, or CT logs monitoring.

    Important

    You can specify targets when configuring the rule, or assign the rule directly to targets later. All other options (conditions and metadata assignments) must be defined in the rule configuration.

Create a rule

To create a new metadata assignment rule in Trust Lifecycle Manager:

  1. In the Trust Lifecycle Manager menu, go to Policies > Rules.

  2. Select Create rule on the right.

    Complete the resulting form as described below.

  3. Rule name: Enter a name to help identify this rule.

  4. Description: Enter a description to help identify the purpose of this rule.

  5. Conditions: Select Add conditions on the right. In the sidebar that opens, define the conditions for which certificates to assign metadata to:

    1. Attribute: Select a certificate attribute to match.

    2. Operator: Select how to match the attribute value.

    3. Value: Enter the value to match.

    4. (Optional) Use the AND and OR buttons to add more matching conditions.

      Note

      AND means all conditions must match. OR means any condition can match.

    5. Select Save at the bottom of the sidebar to save the conditions.

  6. Assignments: Select Add assignments on the right. In the sidebar that opens, define the metadata to assign to the matching certificates:

    1. In the Assign dropdown, select the type of metadata to assign:

      • Custom attributes: Select the name of the attribute to assign. Depending on the attribute type, enter the attribute value or select it from the dropdown. For fixed value attributes, the value is displayed but can’t be modified.

      • Tags: Select Tags, then select the tag values to assign from the dropdown.

      • Certificate owners: Select Owners, then select the owner contacts to assign from the dropdown.

    2. (Optional) Select Add assignment to assign more types of metadata.

    3. Select Save at the bottom of the sidebar to save the assignments.

  7. Targets (Optional): You can specify targets when configuring the rule, or assign the rule directly to targets later. To assign later, skip this step.

    To specify targets as part of the rule configuration, select Add targets on the right. In the sidebar that opens, define the data sources for the imported or discovered certificates to target for this rule:

    1. Target: Select one of the following targets:

      • Connector: Process certificates imported from a connector. Select the applicable connector(s) from the dropdown.

      • Network scan: Process certificates discovered by a network scan. Select the applicable network scan(s) from the dropdown.

      • System scan: Process certificates discovered by a system scan. Select the applicable DigiCert agent(s) from the dropdown.

      • CT logs: Process certificates discovered through CT logs monitoring. The rule applies to all CT log certificates and no further selections are required.

    2. (Optional) Select Add target to specify more certificate data sources to target.

    3. Select Save at the bottom of the sidebar to save the targets.

      Note

      For details about assigning the rule directly to targets, see Assign rules directly to a target.

  8. Review all the options you defined for the rule. If you need to make changes:

    • Conditions: Select Edit to change any aspect of the certificate matching conditions.

    • Assignments:

      • Select the pencil icon to edit an individual metadata assignment, or the minus icon to delete an assignment.

      • Select Add assignments to assign more metadata fields.

    • Targets:

      • Select the pencil icon to edit an individual certificate data source, or the minus icon to delete a data source.

      • Select Add targets to apply the rule to more certificate data sources.

  9. When you're ready, select the Save rule button at the bottom to save the overall rule.

What happens after creating a rule?

When you create a new rule:

  • For all subsequent import or discovery operations on the targets you defined, any certificates that match the conditions will automatically get the metadata assignments you specified.

  • The rule does not apply to existing certificates already added to your inventory from those targets. However, if the same certificates are found in subsequent import or discovery operations, the rule gets applied and the metadata is assigned to them.

To verify the rule in Trust Lifecycle Manager, go to Policies > Rules:

  • Select the Rule name link to see all the configuration details for the rule.

  • The Status column shows Active when the rule is in effect.

  • For rules with multiple targets, hover over or select the Targets column to see all the targets.

Tip

Use the Inventory functions to filter and verify the assigned metadata in the certificates themselves.

Assign rules directly to a target

Instead of specifying targets in the rule configuration, you can wait and assign the rule directly to targets.

Each target is a specific source of discovered certificates (connector, scan, or CT logs). When configuring the connector, scan, or CT logs monitoring, select the applicable rule(s) to apply from the Certificate assignment rules dropdown.

The end result is the same. The target is added to the rule definition, and the rule gets applied to all subsequent certificates imported or discovered from the connector, scan, or CT logs.
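The following Python is an added example, not DigiCert code and not an API the product exposes. It models the rule anatomy described above (conditions joined with AND or OR, assignments of custom attributes, owners and tags, and targets), the documented behaviour that a rule only affects certificates seen in import or discovery operations after the rule exists (including certificates that were already in the inventory and are found again), and the direct rule-to-target assignment just described. The attribute names, the operator set, the Inventory class and the certificate records with placeholder fingerprints are all assumptions constructed for the illustration; the rule's active flag stands in for the pause and resume actions covered under Manage existing rules.

```python
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List

# Hypothetical operator set (an assumption; the product offers its own list in the UI).
OPERATORS: Dict[str, Callable[[Any, Any], bool]] = {
    "equals": lambda actual, expected: actual == expected,
    "contains": lambda actual, expected: str(expected) in str(actual),
    "less_than": lambda actual, expected: actual < expected,
}


@dataclass
class Condition:
    """One Attribute / Operator / Value row from the Conditions sidebar."""
    attribute: str
    operator: str
    value: Any

    def matches(self, cert: Dict[str, Any]) -> bool:
        if self.attribute not in cert:
            return False
        return OPERATORS[self.operator](cert[self.attribute], self.value)


@dataclass
class Rule:
    """Conditions, assignments and targets, as described under 'Anatomy of a rule'."""
    name: str
    conditions: List[Condition]
    logic: str = "AND"   # AND: all conditions must match; OR: any condition can match
    custom_attributes: Dict[str, str] = field(default_factory=dict)
    owners: List[str] = field(default_factory=list)
    tags: List[str] = field(default_factory=list)
    targets: List[str] = field(default_factory=list)
    active: bool = True  # pause -> False (Inactive), resume -> True (Active)

    def matches(self, cert: Dict[str, Any]) -> bool:
        results = [c.matches(cert) for c in self.conditions]
        return all(results) if self.logic == "AND" else any(results)

    def assign(self, cert: Dict[str, Any]) -> None:
        """Apply the metadata assignments without duplicating owners or tags."""
        cert.setdefault("custom_attributes", {}).update(self.custom_attributes)
        for owner in self.owners:
            if owner not in cert.setdefault("owners", []):
                cert["owners"].append(owner)
        for tag in self.tags:
            if tag not in cert.setdefault("tags", []):
                cert["tags"].append(tag)


class Inventory:
    """Certificate inventory keyed by fingerprint; rules run only at import/discovery time."""

    def __init__(self) -> None:
        self.certs: Dict[str, Dict[str, Any]] = {}
        self.rules: List[Rule] = []

    def create_rule(self, rule: Rule) -> None:
        # Creating a rule does not touch certificates already in the inventory.
        self.rules.append(rule)

    def assign_rule_to_target(self, rule_name: str, target: str) -> None:
        """Direct assignment from the target side: the target is added to the rule definition."""
        for rule in self.rules:
            if rule.name == rule_name and target not in rule.targets:
                rule.targets.append(target)

    def discover(self, target: str, found: List[Dict[str, Any]]) -> List[str]:
        """Simulate one import/discovery operation from `target`; returns the rule names applied."""
        applied: List[str] = []
        for incoming in found:
            # A re-discovered certificate updates its existing record ...
            cert = self.certs.setdefault(incoming["fingerprint"], {})
            cert.update(incoming)
            # ... and every active rule targeting this source is (re)applied to it.
            for rule in self.rules:
                if rule.active and target in rule.targets and rule.matches(cert):
                    rule.assign(cert)
                    applied.append(rule.name)
        return applied


def demo() -> Inventory:
    """Walk through the post-creation behaviour with constructed records (placeholder fingerprints)."""
    inv = Inventory()
    cert_a = {"fingerprint": "AA:11", "ca_vendor": "Example CA", "key_size": 1024,
              "subject_dn": "CN=legacy.example.internal"}
    cert_b = {"fingerprint": "BB:22", "ca_vendor": "Example CA", "key_size": 2048,
              "subject_dn": "CN=api.example.internal"}
    inv.discover("network-scan-1", [cert_a])      # discovered before any rule exists: no metadata
    inv.create_rule(Rule(
        name="flag-weak-keys",
        conditions=[Condition("key_size", "less_than", 2048),
                    Condition("ca_vendor", "contains", "Example")],
        logic="AND",
        custom_attributes={"Cost center": "CC-1234"},
        owners=["pki-team@example.com"],
        tags=["weak-key"],
    ))
    inv.assign_rule_to_target("flag-weak-keys", "network-scan-1")
    # Next scan: cert_b fails the key-size condition; cert_a, seen again, now gets the metadata.
    inv.discover("network-scan-1", [cert_b, cert_a])
    return inv
```

Running demo() shows the two behaviours the page calls out: the certificate discovered before the rule existed carries no metadata until the next scan finds it again, and a certificate that fails one AND-joined condition is left untouched.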

Manage existing rules

Manage existing rules from the Policies > Rules page in Trust Lifecycle Manager. Available management actions are described below.

Pause or resume a rule

New rules you create are marked as Active by default. You can pause or resume a rule to control when it runs:

  • To temporarily pause a rule, select the pause icon on the right of the rule listing. While paused, the status shows Inactive and the rule doesn’t get applied anywhere.

  • To resume a paused rule, select the play icon on the right of the rule listing. Active rules get applied against the defined targets each time there’s a new import or discovery operation.

Edit a rule

To edit the configuration options for an existing rule:

  1. Select the pencil icon on the right of the rule listing.

  2. Update the options for the rule as described in the Create a rule section above.

  3. Select the Update rule button at the bottom to save your changes.

Delete a rule

To disable and permanently remove a rule from your account:

  1. Open the actions menu () on the right of the rule listing, and select Delete.

  2. In the popup that opens, select Delete to confirm the operation and delete the rule.