Review Your Certificates

You have to run new vulnerability scans on your hosts with the following criteria.

- The scan must be run using version 7.12 or later. We added capabilities in version 7.12 to gather and store certificate information for your account, allowing you to search and review your certificates. (To see SSL grades, you must run scans using version 8.5 or later.)

- The scan must include SSL certificate QIDs. These QIDs are included automatically if you run a complete vulnerability scan. Make sure to include them if you run a custom scan with only a select number of QIDs - just add a search list with the SSL certificate QIDs to your option profile. How do I find these QIDs? Just search the KnowledgeBase with these criteria: title "SSL Certificate" and category "General remote services".

- (Optional) Enable the Additional Certificate Detection option in your option profile to find certificates in more locations on your hosts (not just ports). For example, find certificates in locations like Apache, Tomcat, Java KeyStore and Windows IIS.

Go to VM/VMDR > Assets > Certificates. Newly discovered certificates are added automatically to the inventory as new scan results become available in your account. Use the dashboard options at the top of the page to get a breakdown of your certificates - by expiration date, key size, certificate authority, and self-signed certificates.

The New Data Security Model must be enabled for the subscription in order for you to see certificates for your hosts. A Manager can enable the New Data Security Model by going to Users > Setup > Security.

You may not see certificates for these reasons: 1) you haven't run any vulnerability scans using version 7.12 or later, 2) you did run scans but you did not include SSL certificate QIDs, 3) your scan results have not yet been processed, and 4) no certificates were found for your scanned hosts.

(Available only when the SSL Labs Grade feature is enabled for your subscription.) SSL Labs has been integrated with Qualys VM to provide grades for your certificates. When enabled, you’ll see a letter grade (A+, A, A-, B, C, D, E, F, T, M, NA) for each certificate on your certificates list. This grade is intended to help you identify and prioritize certificates with SSL configuration issues. Learn more

Use Heartbleed filters to find hosts affected by the Heartbleed bug. Select Heartbleed-All to see all affected hosts (active and fixed). Select Heartbleed-Active to see only hosts that are currently vulnerable. Learn more

Yes, you can add the certificate fingerprint to your certificates list. Click on the Tools menu (above the list on the right side), go to Columns and select Certificate Fingerprint.