4.2. Searching for Certificates (Advanced)

Search for certificates by more complex criteria than serial number using the advanced search form. To perform an advanced search for certificates:
  1. Open the Certificate Manager agent services page. The agent must submit the proper client certificate to access this page.
  2. Click Search for Certificates to display the Search for Certificates form to specify search criteria.
  3. To search by particular criteria, use one or more of the sections of the Search for Certificates form. To use a section, select the check box, then fill in any necessary information.
    • Serial Number Range. Finds a certificate with a specific serial number or lists all certificates within a range of serial numbers.
      • To find a certificate with a specific serial number, enter the serial number in both the upper limit and lower limit fields in either decimal or hexadecimal. Use 0x to indicate the beginning of a hexadecimal number, such as 0x2A. Serial numbers are displayed in hexadecimal form in the Search Results and Details pages.
      • To find all certificates within a range of serial numbers, enter the upper and lower limits of the serial number range in decimal or hexadecimal. Leaving either the lower limit or upper limit field blank returns all certificates before or after the number specified.
    • Status. Selects certificates by their status. A certificate has one of the following status codes:
      • Valid. A valid certificate has been issued, its validity period has begun but not ended, and it has not been revoked.
      • Invalid. An invalid certificate has been issued, but its validity period has not yet begun.
      • Revoked. The certificate has been revoked.
      • Expired. An expired certificate has passed the end of its validity period.
      • Revoked and Expired. The certificate has passed its validity period and been revoked.
    • Subject Name. Lists certificates belonging to a particular owner; it is possible to use wildcards in this field.

      NOTE

      Certificate System certificate request forms support all UTF-8 characters for the common name, organizational unit, and requester name fields. The common name and organizational unit fields are included in the subject name of the certificate. This means that searches for subject names support UTF-8 characters.
      This support does not extend to internationalized domain names.
    • Revocation Information. Lists certificates that have been revoked during a particular period, by a particular agent, or for a particular reason. For example, an agent can list all certificates revoked between July 2005 and April 2006 or all certificates revoked by the agent with the username admin.
      • To list certificates revoked within a time period, select the day, month, and year from the drop-down lists to identify the beginning and end of the period.
      • To list certificates revoked by a particular agent, enter the name of the agent; it is possible to use wildcards in this field.
      • To list certificates revoked for a specific reason, select the revocation reasons from the list.
    • Issuing Information. Lists certificates that have been issued during a particular period or by a particular agent. For example, an agent can list all certificates issued between July 2005 and April 2006 or all certificates issued by the agent with the username jsmith.
      • To list certificates issued within a time period, select the day, month, and year from the drop-down lists to identify the beginning and end of the period.
      • To list certificates issued by a particular agent, enter the name of the agent; it is possible to use wildcards in this field.
      • To list certificates enrolled through a specific profile, enter the name of the profile.
    • Dates of Validity. Lists certificates that become effective or expire during a particular period. For example, an agent can list all certificates that became valid on June 1, 2003, or that expired between January 1, 2006, and June 1, 2006.
      It is also possible to list certificates that have a validity period of a certain length of time, such as all certificates that are valid for less than one month.
      • To list certificates that become effective or expire within a time period, select the day, month, and year from the drop-down lists to identify the beginning and end of the period.
      • To list certificates that have a validity period of a certain length in time, select Not greater than or Not less than from the drop-down list, enter a number, and select a time unit from the drop-down list: days, weeks, months, or years.
    • Basic Constraints. Shows CA certificates that are based on the Basic Constraints extension.
    • Type. Lists certain types of certificates, such as all certificates for subordinate CAs. This search works only for certificates containing the Netscape Certificate Type extension, which stores type information. For each type, choose from the drop-down list to find certificates where that type is On, Off, or Do Not Care.
  4. To find a certificate with a specific subject name, use the Subject Name section. Select the check box, then enter the subject name criteria. Enter values for the included search criteria and leave the others blank.
    The standard tags or components are as follows:
    • Email address. Narrows the search by email address.
    • Common name. Finds certificates associated with a specific person or server.
    • UserID. Searches certificates by the user ID for the person to whom the certificate belongs.
    • Organization unit. Narrows the search to a specific division, department, or unit within an organization.
    • Organization. Narrows the search by organization.
    • Locality. Narrows the search by locality, such as the city.
    • State. Narrows the search by state or province.
    • Country. Narrows the search by country; use the two-letter country code, such as US.

    NOTE

    Certificate System certificate request forms support all UTF-8 characters for the common name and organizational unit fields. The common name and organizational unit fields are included in the subject name of the certificate. This means that searches for subject names, or for those elements in the subject name, support UTF-8 characters.
    This support does not extend to internationalized domain names, such as in email addresses.
  5. After entering the field values for the server to match, specify the type of search to perform:
    • Exact searches for certificate subject names match the exact components specified and contain none of the components left blank. Wildcards cannot be used in this type of search.
    • Partial searches for certificate subject names match the specified components, but the returned certificates may also contain values in components that were left blank. Wildcard patterns can be used in this type of search by using a question mark (?) to match an arbitrary single character and an asterisk (*) to match an arbitrary string of characters.

      NOTE

      Placing a single asterisk in a search field means that the component must be in the certificate's subject name but may have any value. Leave the field blank if it does not matter whether the component is present.
  6. After entering the search criteria, scroll to the bottom of the form, and enter the number of certificates matching the specified criteria that should be returned.
    The search returns the first certificates found that match the search criteria, up to that number. It is also possible to put a time limit on the search in seconds.
  7. Click Find.
  8. The Search Results form appears, showing a list of the certificates that match the search criteria. Select a certificate in the list to examine it in more detail. For more information, refer to Section 4.3, “Examining Certificate Details”.
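
The exact and partial subject-name rules from step 5, applied to a constructed list of subject names, as an added example that is not Certificate System code. The dictionary keys, the function names and the case-sensitive comparison are assumptions of this example; the page does not state how the server treats case.

```python
import re

def _wildcard_to_regex(pattern):
    """Translate the form's wildcards: ? is one character, * is any string."""
    parts = []
    for ch in pattern:
        if ch == "?":
            parts.append(".")
        elif ch == "*":
            parts.append(".*")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.DOTALL)

def subject_matches(subject, criteria, mode="partial"):
    """Both arguments map component name -> value; blank criteria are '' or absent."""
    wanted = {k: v for k, v in criteria.items() if v}
    if mode == "exact":
        # Exact: specified components match literally (no wildcards) and the
        # subject contains none of the components that were left blank.
        present = {k: v for k, v in subject.items() if v}
        return present == wanted
    for name, pattern in wanted.items():
        value = subject.get(name)
        # A lone "*" still requires the component to be present in the subject.
        if not value or not _wildcard_to_regex(pattern).fullmatch(value):
            return False
    return True  # components left blank in the criteria are not checked

def search(subjects, criteria, mode="partial", limit=None):
    """Return the first `limit` matches, like the form's result-count field."""
    hits = [s for s in subjects if subject_matches(s, criteria, mode)]
    return hits if limit is None else hits[:limit]

# Constructed sample inventory (not real certificates).
INVENTORY = [
    {"cn": "www.example.com", "o": "Example Corp", "c": "US"},
    {"cn": "José García", "uid": "jgarcia", "ou": "Ingeniería", "o": "Example Corp"},
    {"cn": "www.example.com", "ou": "Web", "o": "Example Corp", "c": "US"},
    {"cn": "mail1.example.com", "o": "Example Corp"},
]
```

With the same three components filled in, an exact search returns only the first entry, while a partial search also returns the third, whose subject carries an extra organizational unit.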