Certificate Compliance Report
The Compliance Report generates a formatted certificate inventory suitable for security audits, compliance reviews, and evidence packages. It is available from the Compliance item in the Certificate Monitoring navigation.
Summary
The summary bar at the top of the page shows the total count of monitors for your account broken down by status:
| Status | Description |
|---|---|
| Valid | Certificate is within its validity period and passed all checks. |
| Expiring Soon | Certificate is approaching an expiration alert threshold configured in your profile. |
| Expired | Certificate has passed its expiration date. |
| Error | One or more critical errors were detected on the most recent check. |
| Pending | Monitor has been added but not yet checked. |
Export Options
Audit Period
Select the date range for the audit period. The range is printed on the exported report as the review window label, and it also determines the historical check data included in each certificate block.
When a date range is selected, the PDF and CSV exports include a Monitoring History section for each monitor showing check activity over the period. See Monitoring History below for details.
Scope
By default the report includes all monitors on your account. If your monitors are organised with tags, you can narrow the scope by selecting one or more tags. A monitor is included if it has any of the selected tags (OR logic). Click All Monitors to reset back to the full account scope.
The label beside the Scope heading shows how many monitors will be included in the export.
Exporting
PDF Report
The PDF report is a formatted portrait document suitable for attaching directly to audit evidence packages. It consists of four sections:
- Title page: account name, audit period, generation timestamp, the name and email of the portal user who generated the report, and a unique report reference ID.
- Methodology, field definitions, and compliance coverage: a description of how checks are performed and what is verified on every check, definitions for all fields in the inventory, and a table of the compliance frameworks satisfied by the report.
- Executive summary: a status breakdown (Valid / Expiring Soon / Expired / Error / Pending), an expiry outlook showing how many certificates expire within 30, 31-60, and 61-90 days, a count of wildcard certificates, and when an audit period is selected, a summary of total checks performed, monitors with errors, and issues resolved vs. unresolved during the period.
- Certificate inventory: one block per monitor, grouped and sorted as follows:
- Errors: monitors with active critical errors, listed first.
- Expiring Soon / Expired: monitors approaching or past their expiration date.
- Valid: all remaining monitors with no issues.
Each certificate block includes:
| Field | Description |
|---|---|
| Common Name | Primary domain name from the certificate CN field. |
| Type | Validation level: EV (Extended Validation), OV (Organization Validated), or DV (Domain Validated), derived from certificate policy OIDs. |
| Issuer | Certificate Authority that issued the certificate. |
| Key | Public key type and size (e.g. EC 256 bits, RSA 2048 bits). |
| Algorithm | Signature algorithm (e.g. ecdsa-with-SHA384, sha256WithRSAEncryption). |
| Serial | Certificate serial number in hex. |
| Valid From | Date the certificate's validity period began. |
| Expires | Certificate expiration date with days remaining shown inline, colour-coded amber when expiring soon and red when expired. |
| Total Period | Total length of the certificate's validity window in days. |
| Last Checked | When the most recent check was performed. |
| Revocation | Result of the OCSP check: Passed, Failed, or Not checked. |
| Chain Trust | Whether the full certificate chain was verified against the system trust store or a configured private CA: Trusted, Untrusted, or Unknown. |
| Subject Alternative Names | All hostnames covered by the certificate, including wildcards. |
| Wildcard | Certificates where any SAN begins with *. are flagged with a Wildcard badge in the block header. |
Monitors in the Errors group also list each active error with a plain-language description. Errors are detected across all certificate chain levels (leaf, intermediate, and CA). Only critical errors (5xxxx codes) are shown.
Each page except the title page includes a footer with the report reference ID, a confidentiality notice, and the page number.
Monitoring History
When an audit period date range is selected, each certificate block includes a Monitoring History row showing check activity for that monitor over the period:
| Field | Description |
|---|---|
| Uptime % | Percentage of checks that completed with no critical errors. Colour-coded: green >= 99%, amber 95-99%, red < 95%. |
| Check count | Total checks performed and average checks per day over the actual data span. |
| Error Period | If errors occurred, the first and last dates errors were detected, with a count of affected checks. |
| Resolved | If errors occurred and the monitor later recovered, the date of the first clean check after the last recorded error. |
| Partial Coverage | If the monitor was not active for the full audit period, the actual data coverage dates and day count are shown in amber. |
The average checks per day is calculated against the monitor's actual data span rather than the full selected period, so a monitor added part-way through the audit window still shows an accurate check frequency.
CSV Export
The CSV export produces a flat file with one row per monitor, suitable for importing into GRC platforms (ServiceNow, Archer, Vanta, etc.) or spreadsheets.
The first rows of the file contain report metadata including the generation timestamp and audit period.
Standard columns included in every CSV export:
| Column | Description |
|---|---|
| Monitor ID | Unique monitor identifier. |
| Display Name | Monitor name as shown in the portal. |
| Host | Host and port being monitored. |
| Protocol | Connection protocol (HTTPS, SMTP, IMAP, etc.). |
| Common Name | Certificate CN field. |
| Issuer | Issuing Certificate Authority. |
| Certificate Type | EV, OV, DV, or blank if not determinable. |
| Serial Number | Certificate serial number in hex. |
| Valid From | Start of the certificate validity period. |
| Expiry Date | Certificate expiration date. |
| Days Remaining | Days until expiration at the time of the last check. |
| Key / Algorithm | Public key type and size, and signature algorithm. |
| SANs | Subject Alternative Names, comma-separated. |
| Revocation | OCSP revocation result: Passed, Failed, or Not checked. |
| Chain Trust | Chain trust result: Trusted, Untrusted, or Unknown. |
| Status | Current monitor status (Valid, Expiring Soon, Expired, Error, Pending). |
| Last Checked | Timestamp of the most recent check. |
When an audit period date range is selected, the following additional columns are appended:
| Column | Description |
|---|---|
| Total Checks | Number of checks performed during the period. |
| Clean Checks | Number of checks with no critical errors. |
| Error Checks | Number of checks where at least one critical error was detected. |
| Uptime % | Percentage of clean checks. |
| First Check | Date of the first check within the period. |
| Last Check | Date of the last check within the period. |
| Full Period Coverage | Yes if the monitor was active for the entire selected period; No otherwise. |
| First Error Date | Date of the first check with errors during the period (blank if none). |
| Last Error Date | Date of the last check with errors during the period (blank if none). |
| Resolved Date | Date of the first clean check after the last error (blank if unresolved or no errors). |
Compliance Coverage
The certificate inventory and lifecycle monitoring data in this report satisfies requirements across the following compliance frameworks:
| Framework | Control | Requirement |
|---|---|---|
| PCI DSS 4.0 | Requirement 4 | Protect account data in transit; valid TLS certificates, RSA >=2048-bit, SHA-256+, real-time certificate inventory. |
| HIPAA | Technical Safeguards | Encryption in transit using valid digital certificates; certificate and endpoint inventory with expiration tracking. |
| ISO 27001:2022 | Annex A | Cryptographic controls and certificate lifecycle management and monitoring. |
| NIST SP 800-53 | SC-12 / SC-17 | Cryptographic key establishment and management; approved CAs; unique certificate identification by serial number. |
| SOC 2 | Trust Services Criteria | Continuous monitoring, certificate availability tracking, and audit trail over assessment period. |