Recommended inventory saved views and reports
Trust Architecture Playbook: Baseline pillar
A certificate inventory that nobody can act on is just a database. Saved views and recurring reports are what convert visibility into operational discipline by surfacing the right information to the right people, on a cadence that keeps the program moving.
Start with three categories of views:
Cleanup: Any certificates missing owners or mandatory tags. These gaps undermine routing, alerting, and governance reporting, and they compound quickly if left unaddressed.
Risk reduction: Expiration views filtered by criticality tier, giving teams the runway they need to act before an outage, not after.
Control validation: Certificate Transparency (CT) anomalies and crypto hygiene findings that confirm issuance is happening through approved channels and that cryptographic standards are being maintained across the inventory.
Recommended views/reports
Build these inventory views early and schedule reports to run automatically. The goal is the right reporting, delivered consistently, so the program runs on process rather than on individual heroics.
No unknown certificates (cleanup views)
Missing owner (owner is empty).
Missing mandatory tags (any required tag missing).
Discovered but not managed (discovered via scan/connector, not yet under an automation plan).
Mis-issuance / rogue issuance (CT views)
New CT discoveries in the last 7 days (triage queue).
CT discoveries not matching approved issuers or expected issuance channels.
Crypto hygiene (policy baseline)
Weak key sizes or deprecated signature algorithms (per your policy).
Internet-exposed endpoints with noncompliant TLS posture (where endpoint data is available).
Automation readiness (sequencing views)
Critical application certificates expiring within 30/60/90 days by technical owner.
Certificates with high blast radius (wildcards or many SANs) to prioritize modernization.
Platform-specific queues (F5, IIS/Apache, Kubernetes ingress, cloud load balancers).
First 10 saved views starter pack
Missing owner
Missing mandatory tags
External certificates expiring in 30 days
Tier 0 certificates expiring in 30 days
New CT discoveries (last 7 days)
CT discoveries not issued by approved issuers
Weak crypto (policy checks)
Self-signed certificates in production
Duplicate certificates or key reuse hotspots (where detectable)
Endpoints without expected certificates (unsecured endpoints)
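Six of the starter views above, expressed as filters over an inventory export. This is an added example, not code from the playbook or from any product: the record field names, the policy constants (mandatory tags, approved issuer name, minimum RSA size, deprecated algorithms) and the sample certificates are all assumptions constructed for illustration.

```python
from datetime import date, timedelta

# Assumed policy values (not from the playbook); replace with your own baseline.
MANDATORY_TAGS = {"environment", "tier"}
APPROVED_ISSUERS = {"Example Issuing CA G1"}
MIN_RSA_BITS = 2048
DEPRECATED_SIG_ALGS = {"sha1WithRSAEncryption", "md5WithRSAEncryption"}

def build_views(inventory, today):
    """Return {view name: sorted certificate ids} for six of the starter views."""
    soon, week_ago = today + timedelta(days=30), today - timedelta(days=7)
    rules = {
        "missing_owner": lambda c: not c["owner"],
        "missing_mandatory_tags": lambda c: bool(MANDATORY_TAGS.difference(c["tags"])),
        # Already-expired certificates stay in this queue until they are replaced.
        "tier0_expiring_30d": lambda c: c["tags"].get("tier") == "0" and c["not_after"] <= soon,
        "ct_new_7d": lambda c: c["source"] == "ct" and c["first_seen"] >= week_ago,
        "ct_unapproved_issuer": lambda c: c["source"] == "ct" and c["issuer"] not in APPROVED_ISSUERS,
        "weak_crypto": lambda c: (c["key_type"] == "RSA" and c["key_bits"] < MIN_RSA_BITS)
                                 or c["sig_alg"] in DEPRECATED_SIG_ALGS,
    }
    return {name: sorted(c["id"] for c in inventory if rule(c)) for name, rule in rules.items()}

def cert(cid, **overrides):
    """Constructed sample record; field names are hypothetical, not a product schema."""
    base = {"id": cid, "owner": "payments-team", "tags": {"environment": "prod", "tier": "1"},
            "issuer": "Example Issuing CA G1", "not_after": date(2026, 1, 1), "source": "connector",
            "first_seen": date(2024, 6, 1), "key_type": "RSA", "key_bits": 2048,
            "sig_alg": "sha256WithRSAEncryption"}
    return {**base, **overrides}

TODAY = date(2025, 1, 15)  # fixed so the results are reproducible
INVENTORY = [
    cert("c1"),                                             # compliant baseline
    cert("c2", owner=""),                                   # no owner
    cert("c3", tags={"environment": "prod"}),               # tier tag missing
    cert("c4", tags={"environment": "prod", "tier": "0"}, not_after=date(2025, 2, 1)),
    cert("c5", source="ct", first_seen=date(2025, 1, 12), issuer="Unknown CA X"),
    cert("c6", source="ct", first_seen=date(2024, 11, 1)),  # older CT entry, approved issuer
    cert("c7", key_bits=1024),                              # weak key
    cert("c8", sig_alg="sha1WithRSAEncryption"),            # deprecated signature
]

if __name__ == "__main__":
    for name, ids in build_views(INVENTORY, TODAY).items():
        print(f"{name}: {ids}")
```

Scheduling this against a nightly export and routing each non-empty view to its owning team gives the recurring report cadence described above.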