Understanding client certificates

Client certificates are used to authenticate the identity of a user or device to a server. They ensure secure communication by verifying the client’s identity and enabling encrypted data exchange between the client and the server.

In addition to providing a centralized view of client certificates and certificate details, SCM enables appropriately privileged administrators to do the following:

  • Revoke certificate — Revoke client certificates.

  • Download certificates — Download client certificates in various formats.

  • Manage private keys — Download or export stored private keys.

Client certificates can be managed on the Certificates > Client Certificates page.

Client Certificates page

The following table describes the settings and controls of the Client Certificates page.

Column Description

ID

The unique numeric identifier of the certificate.

Status

The status of the certificate.

The possible values are:

  • Requested — The certificate request has been received in SCM and is awaiting approval.

  • Issued — The certificate has been issued.

  • Expired — The certificate has expired.

  • Rejected — The certificate request has been rejected by the CA because of one or more issues.

  • Pre-Revoked — The certificate is awaiting revocation by the certificate authority (CA).

  • Revoked — The certificate has been revoked.

Order number

The unique identifier created by the issuing CA to represent the certificate request.

Certificate profile

The certificate profile used for the certificate request.

Sub type

The validation type of the certificate.

The possible values are:

  • Private — The certificate was issued by a private CA.

  • Public Legacy — New certificates cannot be issued with this validation type.

  • Public Mailbox Validated — The certificate is validated by the CA against control of the email address.

  • Public Organization Validated — The certificate is validated by the CA against the organization.

  • Public Sponsored Validated — The certificate is validated by the CA against both the individual and the organization.

Term

The validity period of the certificate.

Requested via

The method used to request the certificate or to bring it into SCM.

The possible values are:

  • Discovery — The certificate was discovered during a scan and brought into SCM for management.

  • EST — The certificate was requested using an Enrollment over Secure Transport (EST) protocol endpoint.

  • Enrollment Form — The certificate was requested using an external enrollment form.

  • Imported — The certificate was manually imported into SCM.

  • MS Agent — The certificate was requested using an MS agent.

  • REST API — The certificate was requested using the REST API endpoint.

  • SCEP — The certificate was requested using a Simple Certificate Enrollment Protocol (SCEP) endpoint.

  • Web API — The certificate was requested using the Web API.

Organization

The organization to which the certificate recipient belongs.

Department

The department, if any, to which the certificate recipient belongs.

Name

The name of the person for whom the certificate was requested or issued.

Email

The email address of the person for whom the certificate was requested or issued.

Subject

The entity (such as an individual, organization, or device) identified by the certificate, containing unique attributes that distinguish it from others.

Subject alt name

Additional names or attributes that identify the entity associated with the certificate. This can include alternative email addresses, user principal names (UPNs), IP addresses, or other identifiers relevant to client certificates.

Issuer

The name of the certificate and the issuing CA.

Expires

The date that the certificate expires.

Serial number

A unique serial number assigned to the certificate.

Key usage

The cryptographic operations that the certificate is valid for.

Extended key usage

Additional cryptographic operations that the certificate is valid for.

Key algorithm

The algorithm used to generate the key pair.

Key size / curve

The size of the key pair or the curve used to generate the key pair.

Signature algorithm

The algorithm used to sign the certificate.

MD5 hash

The MD5 hash (thumbprint/fingerprint) of the certificate.

SHA1 hash

The SHA1 hash (thumbprint/fingerprint) of the certificate.

Comments

Comments or notes about the certificate.

Requested

The date that the certificate was requested.

Issued

The date that the certificate was issued.

Downloaded

The date that the certificate was downloaded.

Revoked

The date that the certificate was revoked.

Replaced

The date that the certificate was replaced.

Deleted

The date that the certificate entry was deleted.

Key Vault

Indicates whether the private key is stored in the Sectigo Key Vault.
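The Serial number, Key size / curve, Key usage, Extended key usage, Expires and SHA1/MD5 hash columns above are all read from the certificate itself, so a certificate downloaded from SCM can be checked against the console with OpenSSL. The following script is an added example, not SCM's own tooling; it builds a throwaway self-signed certificate with a constructed subject (Alice Example, alice@example.com) and assumes OpenSSL 1.1.1 or later for the `-addext` and `-ext` options.

```shell
#!/bin/sh
# Added example, not SCM's own tooling: build a throwaway self-signed client
# certificate (constructed test subject, assumed OpenSSL >= 1.1.1) and read
# back the fields the SCM Client Certificates page lists, so a downloaded
# certificate can be checked against what the console shows.
set -eu

WORK="$(mktemp -d)"
CERT="$WORK/client.pem"
trap 'rm -rf "$WORK"' EXIT

# Key usage / EKU chosen to look like a typical S/MIME + client-auth certificate.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
  -subj "/O=Example Org/CN=Alice Example/emailAddress=alice@example.com" \
  -addext "subjectAltName=email:alice@example.com" \
  -addext "keyUsage=critical,digitalSignature,keyEncipherment" \
  -addext "extendedKeyUsage=clientAuth,emailProtection" \
  -keyout "$WORK/client.key" -out "$CERT" >/dev/null 2>&1

# "SHA1 hash" / "MD5 hash" columns: colon-separated uppercase hex, e.g. AB:CD:...
cert_fingerprint() {                     # $1 = cert, $2 = sha1 | md5
  openssl x509 -noout -fingerprint "-$2" -in "$1" | cut -d= -f2
}

# The fingerprint is the digest of the DER encoding, not of the PEM text.
# Normalised to the same form as cert_fingerprint so the two can be compared.
cert_der_digest() {                      # $1 = cert, $2 = sha1 | md5
  openssl x509 -outform DER -in "$1" | openssl dgst "-$2" \
    | sed 's/^.*= *//' | tr 'a-f' 'A-F' | sed 's/../&:/g; s/:$//'
}

# "Serial number" column (hex, as OpenSSL prints it).
cert_serial() { openssl x509 -noout -serial -in "$1" | cut -d= -f2; }

# Any X.509v3 extension by name: keyUsage, extendedKeyUsage, subjectAltName.
cert_ext() { openssl x509 -noout -ext "$2" -in "$1"; }

# "Key size / curve" column: public key length in bits (RSA here).
cert_key_bits() {
  openssl x509 -noout -text -in "$1" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# "Expires" check: succeeds if the certificate is still valid $2 seconds from now.
cert_valid_for() { openssl x509 -noout -checkend "$2" -in "$1" >/dev/null; }

echo "SHA1 hash: $(cert_fingerprint "$CERT" sha1)"
echo "Serial number: $(cert_serial "$CERT")"
cert_ext "$CERT" extendedKeyUsage
```

Run the same functions against a certificate exported from SCM to confirm that the thumbprint shown in the console is the digest of the DER-encoded certificate, which is what a matching SHA1 hash proves.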

Table controls

Filter

Enables you to sort the table information using custom filters.

Group

Enables you to sort the table information using predefined groups.

Refresh

Refreshes the information presented in the table.

Download CSV

Downloads the table information as a .csv file.

Manage Columns

Enables you to select which table columns to display.

Admin controls

Delete

Opens the Delete Certificate dialog where you can delete the certificate entry from SCM.

View

Opens the Client Certificate page where you can view certificate details and perform various administrative tasks (such as editing comments or downloading the certificate).

Revoke

Opens the Revocation Reason dialog where you can revoke the certificate.

Export to Intune

Opens the Export to Intune dialog where, if configured, you can export the certificate and private key from Sectigo Key Vault to Microsoft Intune.

View Audit

Opens the Certificate Audit page where you can view or download audit logs.

Enrollment methods

SCM supports the enrollment of client certificates using the following methods:

  • Self-Enrollment — Manually enroll client certificates using a self-enrollment form outside of SCM. For more information, see Understanding enrollment forms.

  • MS agent — Enroll client certificates through Microsoft Active Directory Certificate Services (AD CS) using a configured SCM MS agent. For more information, see Understanding MS agents.

  • EST — Enroll client certificates through the Enrollment over Secure Transport (EST) protocol using a configured SCM EST endpoint. For more information, see Understanding EST endpoints.

  • SCEP — Enroll client certificates through the Simple Certificate Enrollment Protocol (SCEP) using a configured SCM SCEP endpoint. For more information, see Understanding SCEP endpoints.

  • REST API — Enroll client certificates through the SCM REST API using a configured SCM REST API endpoint. For more information, see Understanding REST endpoints.

  • Admin API — Enroll client certificates through the SCM Admin API using a configured SCM API Admin. For more information, see Understanding administrators.

  • CA connector — Enroll client certificates through a third-party CA using a configured SCM CA connector. For more information, see Understanding CA connectors.