Available Reports¶
The following reports are available in the Zaita platform. Reports are accessible under Reports in the main navigation. For information on generating reports, configuring parameters, and exporting results, see Generating Reports.
Certificate Lifecycle Reports¶
These reports provide visibility into the state and history of certificates managed by the platform.
Expiring Certificates¶
Lists all certificates that will expire within a configurable window. Results can be filtered by certificate authority, target system, or owner, and are sorted by days remaining in ascending order.
Parameters:
| Parameter | Options |
|---|---|
| Expiry window | 30, 60, or 90 days |
| Group by | Owner, Target System, or Issuer |
Use this report to: Identify certificates at risk of causing outages before they expire, prioritise renewal work, and verify that automated renewal is operating correctly.
| Column | Description |
|---|---|
| Common Name | The subject CN of the certificate |
| Issuing CA | The certificate authority that issued the certificate |
| Expiry Date | The date the certificate expires |
| Days Remaining | Number of days until expiry |
| Target System | The system the certificate is deployed to, if known |
| Renewal Method | Manual, ACME, or automated |
Expired Certificates¶
Lists all certificates that have already passed their expiry date and have not been renewed or revoked.
Use this report to: Identify gaps in lifecycle automation, investigate expired certificates still present in the inventory, and support compliance audits requiring evidence of certificate hygiene.
Certificate Inventory¶
A full inventory of all certificates across the platform, including certificates discovered externally and those provisioned through the platform. Provides a single point of record for the entire certificate estate.
Parameters:
| Parameter | Options |
|---|---|
| Filter by CA | Any configured certificate authority |
| Filter by algorithm | Key algorithm (for example, RSA, ECDSA) |
| Filter by status | Active, Revoked, or Expired |
| Filter by source | Managed (requested through the platform) or Discovered |
Use this report to: Gain a complete picture of certificates under management, export the full estate for audit submissions, and identify certificates that fall outside policy.
| Column | Description |
|---|---|
| Common Name | The subject CN of the certificate |
| Serial Number | The certificate serial number |
| Issuing CA | The certificate authority that issued the certificate |
| Algorithm | The signature algorithm (e.g. RSA 2048, ECDSA P-256) |
| Validity Period | Not Before and Not After dates |
| Days Remaining | Number of days until expiry |
| Source | Provisioned, Discovered (CT Log), or Discovered (Endpoint Scan) |
| Target System | The system the certificate is deployed to, if known |
Recently Issued Certificates¶
Lists certificates issued within a configurable time window, grouped by issuing CA or requesting user.
Parameters:
| Parameter | Options |
|---|---|
| Period | Last 7 days or last 30 days |
Use this report to: Track provisioning activity, detect unexpected issuance, and verify that certificates are being issued through approved workflows.
Revoked Certificates¶
Lists all certificates that have been revoked, including the revocation date, reason code, and the user or process that initiated the revocation.
Use this report to: Support incident response, satisfy audit requirements for certificate revocation evidence, and verify that revocation was correctly recorded.
| Revocation Reason | Description |
|---|---|
| Key Compromise | The private key was or is suspected to have been compromised |
| CA Compromise | The issuing CA was or is suspected to have been compromised |
| Affiliation Changed | The certificate subject's affiliation with the organisation changed |
| Superseded | The certificate was replaced by a new certificate |
| Cessation of Operation | The subject no longer requires the certificate |
| Unspecified | No specific reason was provided |
Renewal History¶
Shows certificates that have been renewed within the selected date range, including the previous certificate's expiry date, the new certificate's expiry date, and the renewal method used.
Use this report to: Verify renewal automation is functioning correctly, audit the renewal history of specific certificates, and demonstrate compliance with certificate renewal policies.
Security & Compliance Reports¶
These reports surface authentication events, access violations, and administrative actions for security monitoring and compliance purposes.
Failed Authentication Attempts¶
Lists all failed authentication events, including login failures, SSO errors, and API authentication failures for machine accounts. Grouped by user or machine account, with source IP addresses.
Use this report to: Detect brute-force attempts, investigate suspicious access patterns, and identify accounts that may be targeted or compromised.
| Column | Description |
|---|---|
| Timestamp | Date and time of the failed attempt |
| Actor | The user account or machine account that attempted authentication |
| Method | Password, SSO, API key, or federated identity |
| Source IP | The originating IP address |
| Failure Reason | Invalid credentials, account locked, IP allowlist violation, etc. |
Permission Denied Events¶
Lists all access control violations — requests that were blocked because the acting user or machine account did not have the required permission.
Use this report to: Identify misconfigured roles, investigate potential privilege escalation attempts, and verify that access controls are enforced correctly.
User Activity Audit¶
A comprehensive log of actions taken by named users across the platform, including certificate operations, administrative changes, and resource access. Filterable by user, action type, and date range.
Parameters:
| Parameter | Description |
|---|---|
| Start date | Beginning of the period to include |
| End date | End of the period to include |
| User | Filter to a specific user by email address |
| Action type | Filter by a specific category of action |
Use this report to: Investigate the actions of a specific user during an incident, demonstrate to auditors that administrative activity is logged, and review access to sensitive resources.
Machine Account Activity¶
Lists all activity by machine accounts — service accounts and API integrations — including authentication events, certificate requests, and IP allowlist enforcement events.
Use this report to: Audit automated systems interacting with the platform, detect unusual API activity, and verify that machine accounts are operating within expected parameters.
Administrative Changes¶
A log of all administrative actions taken across the platform, including user creation and deactivation, role assignments, CA configuration changes, policy updates, and system settings modifications.
Use this report to: Maintain a change record for compliance purposes, investigate configuration changes that preceded an incident, and satisfy audit requirements for administrative activity logging.
| Column | Description |
|---|---|
| Timestamp | Date and time of the change |
| Actor | The administrator who made the change |
| Action | The type of administrative action |
| Resource | The resource that was created, modified, or deleted |
| Previous Value | The value before the change, where applicable |
| New Value | The value after the change, where applicable |
PKI Health Reports¶
These reports provide visibility into the state of the platform's PKI infrastructure and the cryptographic standards applied to issued certificates.
CA Certificate Status¶
Shows the validity, expiry, and trust chain status of all root and intermediate certificate authorities configured in the platform. Flags any CAs approaching renewal thresholds.
Use this report to: Monitor the health of the PKI hierarchy, ensure CA certificates are renewed before expiry, and verify trust chain integrity.
| Column | Description |
|---|---|
| CA Name | The display name of the certificate authority |
| Type | Root or Intermediate |
| Expiry Date | The date the CA certificate expires |
| Days Remaining | Number of days until the CA certificate expires |
| Status | Active, Expiring Soon, or Expired |
| Parent CA | The issuing CA for intermediate CAs |
Certificate Authority Inventory¶
A full listing of all certificate authorities configured in the platform, including their algorithm, key size, policy assignments, and subordinate CA relationships.
Use this report to: Audit the PKI configuration, verify that CAs are configured in accordance with policy, and document the PKI hierarchy for compliance submissions.
Weak Cryptography Report¶
Identifies certificates in the inventory that use deprecated or non-compliant cryptographic configurations, including:
- Signature algorithms below the organisation's minimum standard (e.g. SHA-1)
- RSA key sizes below the configured minimum (e.g. less than 2048 bits)
- Validity periods that exceed the configured maximum
- Certificates issued by an untrusted or unrecognised CA
Use this report to: Enforce cryptographic hygiene across the certificate estate, identify certificates that need immediate replacement, and demonstrate compliance with cryptographic standards policies.
Operational Reports¶
These reports provide visibility into discovery scan results, certificate deployment operations, and ACME protocol usage.
Certificate Discovery Summary¶
Summarises the results of certificate discovery scans, including newly discovered certificates, certificates no longer present at a scanned endpoint, and certificates flagged as unmanaged — not provisioned through the platform.
Use this report to: Track scan coverage over time, investigate newly discovered certificates that were not provisioned through the platform, and monitor the completeness of the certificate inventory.
| Column | Description |
|---|---|
| Scan Date | The date and time the scan completed |
| Scan Type | CT Log, Endpoint Scan, or Bridge-Based |
| Certificates Found | Total certificates identified in this scan |
| New Certificates | Certificates not previously in the inventory |
| Unmanaged Certificates | Certificates not provisioned through the platform |
| Removed Certificates | Certificates no longer present at a previously scanned endpoint |
Deployment Status Report¶
Shows the installation status of certificates across target systems, including successful installations, pending deployments, and failed deployment jobs.
Use this report to: Identify target systems where certificate deployment has failed or is pending, verify that renewed certificates have been installed, and investigate deployment failures.
| Status | Description |
|---|---|
| Installed | The certificate is confirmed as deployed to the target system |
| Pending | A deployment job has been queued but not yet completed |
| Failed | The deployment job completed with an error |
| Not Deployed | The certificate exists in the inventory but is not associated with a target system |
ACME Protocol Usage¶
Lists certificates issued via the ACME protocol, including the ACME client identifier, challenge type used, domain, and issuance timestamp. Grouped by ACME account, domain, or issuing CA.
Use this report to: Track automated issuance activity through ACME, identify accounts or clients issuing unexpected certificates, and audit ACME usage for compliance purposes.
Management Summary Reports¶
These reports provide aggregated, high-level views suitable for operational reviews, management briefings, and board-level compliance reporting.
Platform Activity Summary¶
A consolidated summary of platform activity over a selected period, including the total number of certificates issued, renewed, revoked, expired, and discovered. Presented as both a data table and a trend chart.
Parameters:
| Parameter | Options |
|---|---|
| Period | Weekly, Monthly, or Quarterly |
Use this report to: Track operational throughput at a glance, report on CLM programme progress, and identify periods of unusual activity.
Compliance Posture Report¶
An aggregated view of the platform's current compliance state, combining data from multiple report categories:
- Certificates expiring within 30 days
- Certificates using weak cryptography
- Unmanaged certificates discovered outside the provisioning workflow
- CA certificates approaching expiry
- Outstanding failed deployment jobs
- Open permission denied events from the last 30 days
Use this report to: Assess overall compliance health in a single view, produce a concise audit-ready summary, and track improvement in the certificate estate over time.