AQG Protect navigation

When you open AQG Protect, you’ll find three main tabs designed to facilitate comprehensive cryptographic management. These tabs provide tools for monitoring, policy enforcement, and configuration:

  • Dashboard - Offers an overview of your cryptographic management posture and key metrics.
  • Certificates - Provides tools for managing your certificates, including their lifecycle and rotation.
  • Settings - Contains settings for AQG Protect.

The following sections provide details on each tab.

Dashboard

The Dashboard is where you gain a comprehensive view of your protected cryptographic assets. From here, you can monitor the health of all enrolled certificates and workloads, quickly spotting unusual activity, tracking key metrics, and investigating issues, such as alerts from an EDR solution.

Tip

In AQtive Guard Protect, a workload refers to any application, service, or process that performs cryptographic signature operations.

On the Protect dashboard, you’ll find four main views:

  • Workload usage - Displays cryptographic signature operations over the last 48 hours.
  • Most active workloads - Identifies the most active workloads over the last 48 hours.
  • Certificate expiration timeline - A graph visualizing certificate expiration trends, showing data for:
    • Certificates expired in the last 7 days.
    • Certificates expiring within 7 days.
    • Certificates expiring in the next 8-30 days.
  • Certificate expiration summary - Provides a breakdown of certificate statuses into four categories:
    • Expired.
    • Expiring within 7 days.
    • Expiring in 8-30 days.
    • Expiring in 30+ days.

Certificates

The Certificates tab provides a centralized view of all certificates managed by AQtive Guard. It displays comprehensive details for each certificate, enabling you to monitor its status and apply management policies.

The following details are presented for each certificate:

  • Certificate CName - The certificate’s Common Name (CN), which is typically the primary hostname or identity associated with the certificate.
  • Fully qualified name - The complete and unambiguous name of the host or resource associated with the certificate. This name must be unique.
  • Policy template - The policy template currently applied to the certificate.
  • Time to live - The certificate’s remaining validity period.
  • Protect setting - The specific protection settings applied by AQG Protect.
  • State - The current lifecycle status of a certificate/key pair within AQG Protect. This is one of:
    • Active - The certificate has been enrolled and deployed.
    • Awaiting deployment - The certificate has been enrolled but not deployed.
    • Renewing - The certificate is currently in the process of being renewed.

At the end of each row, you can select Details for more information about the certificate, such as the:

  • Certificate string - The complete, encoded cryptographic data of the certificate.
  • Deployment configuration - The specific settings for how a certificate is used on its deployed system or application.
  • Startup configuration - The parameters AQtive Guard Protect uses to manage a certificate when its client or agent initializes.

Settings

The Settings tab displays the current configuration for your AQG Protect infrastructure. Here, you’ll find details about the parameters governing your Protect environment, any specific Root Certificate Authority (CA) certificates it’s configured to use, and any cryptographic policies available to validate against your certificates.

There are three subtabs within Settings: Supported CAs, Configurations, and Algorithm policies.

Supported CAs

The Supported CAs tab shows any Root CA certificates configured within your Protect infrastructure. You can enable or disable supported Root CAs here.

Note

Currently, only ZeroSSL supports manual enabling and disabling. Step-CA and Let’s Encrypt are enabled by default and cannot be modified.

Enabling ZeroSSL

To enable ZeroSSL as a Root CA, you’ll need to first generate External Account Binding (EAB) credentials from your ZeroSSL account.

To get your ZeroSSL credentials:

  1. Log into your ZeroSSL Dashboard.
  2. Navigate to the Developer section in the side menu.
  3. Locate the EAB Credentials section and select Generate.
  4. Copy the EAB KID and EAB HMAC Key.

    Note

    These credentials are only displayed once and are not stored in your ZeroSSL account. Ensure that you save them securely.

Refer to the ZeroSSL documentation for details.

To enable ZeroSSL in AQtive Guard:

  1. Log into AQtive Guard as an admin and select Protect in the main menu.
  2. Select Settings, then Supported CAs.
  3. In the ZeroSSL tile, select the Disabled dropdown and then select Enable for Protect.
  4. Enter the EAB KID and the EAB HMAC Key you generated from the ZeroSSL dashboard.
  5. Select Enable.

Disabling ZeroSSL

To disable ZeroSSL:

  1. Log into AQtive Guard as an admin and select Protect in the main menu.
  2. Select Settings, then Supported CAs.
  3. Locate the ZeroSSL tile.
  4. Select Disable for Protect, then confirm by selecting Disable.

Caution

  • Active certificates. You cannot disable ZeroSSL if any Fully Managed certificates currently use this certificate authority (CA).
  • New enrollments. Disabling ZeroSSL prevents the enrollment of new Fully Managed certificates with this CA until you re-enable it.

Configurations

The Configurations tab displays the parameters that define how your AQG Protect infrastructure is set up.

Algorithm policies

The Algorithm policies tab enables you to view and manage the cryptographic policies available for validation against your certificates. Here, you’ll see which policies a certificate is using or following, ensuring compliance and alignment with security standards. The following details are presented for each policy:

  • Policy name - The name of the policy, including its NIST security level and bits of security.
  • Signature algorithm - The cryptographic algorithm used for digital signatures within the policy.
  • Hash algorithm - The hashing algorithm specified by the policy.
  • Certificate count - The number of certificates currently associated with or following this policy.

Note

The NIST security level quantifies the strength of a cryptographic algorithm or system, typically expressed in bits, indicating the estimated computational effort required to break it.

Algorithm policy settings

Signature Algorithm   Hash Algorithm   NIST Security Level (Approx.)          Policy Name
ECDSA_P256            SHA_256          Level 1 / 128-bit equivalent           ECC Level 1 (128b)
ECDSA_P384            SHA_384          Level 3 / 192-bit equivalent           ECC Level 3 (192b)
ECDSA_P521            SHA_512          Level 5 / 256-bit equivalent           ECC Level 5 (256b)
RSA_PSS_2048          SHA_256          Below Level 1 / 112-bit equivalent     RSA sub-Level 1 v1 (112b)
RSA_PSS_2048          SHA_384          Below Level 1 / 112-bit equivalent     RSA sub-Level 1 v2 (112b)
RSA_PSS_2048          SHA_512          Below Level 1 / 112-bit equivalent     RSA sub-Level 1 v3 (112b)
RSA_PSS_4096          SHA_256          Level 1 / 128-bit equivalent           RSA Level 1 v1 (128b)
RSA_PSS_4096          SHA_384          Level 1 / 128-bit equivalent           RSA Level 1 v2 (140b)
RSA_PSS_4096          SHA_512          Level 1 / 128-bit equivalent           RSA Level 1 v3 (140b)
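As an added example (not part of the AQtive Guard documentation or product code), the following Python mirrors two things this page describes: the Dashboard's four certificate expiration summary categories and the algorithm policy table above. It classifies a constructed certificate inventory and flags anything expired, expiring within 30 days, or not following a policy at NIST Level 1 or above. The hostnames, the round-up-to-whole-days rule, and the numeric level used for "Below Level 1" are assumptions of this example.

```python
import math
from datetime import datetime, timedelta, timezone

# Policy table from the Algorithm policies tab: (signature, hash) -> (policy name, NIST level).
# Level 0 is this example's encoding of "Below Level 1" (an assumption, not a product value).
ALGORITHM_POLICIES = {
    ("ECDSA_P256", "SHA_256"): ("ECC Level 1 (128b)", 1),
    ("ECDSA_P384", "SHA_384"): ("ECC Level 3 (192b)", 3),
    ("ECDSA_P521", "SHA_512"): ("ECC Level 5 (256b)", 5),
    ("RSA_PSS_2048", "SHA_256"): ("RSA sub-Level 1 v1 (112b)", 0),
    ("RSA_PSS_2048", "SHA_384"): ("RSA sub-Level 1 v2 (112b)", 0),
    ("RSA_PSS_2048", "SHA_512"): ("RSA sub-Level 1 v3 (112b)", 0),
    ("RSA_PSS_4096", "SHA_256"): ("RSA Level 1 v1 (128b)", 1),
    ("RSA_PSS_4096", "SHA_384"): ("RSA Level 1 v2 (140b)", 1),
    ("RSA_PSS_4096", "SHA_512"): ("RSA Level 1 v3 (140b)", 1),
}
BUCKETS = ("Expired", "Expiring within 7 days", "Expiring in 8-30 days", "Expiring in 30+ days")

def expiration_bucket(not_after: datetime, now: datetime) -> str:
    """Dashboard summary category; remaining time is rounded up to whole days (assumption)."""
    if not_after <= now:
        return BUCKETS[0]
    days_left = math.ceil((not_after - now).total_seconds() / 86400)
    return BUCKETS[1] if days_left <= 7 else BUCKETS[2] if days_left <= 30 else BUCKETS[3]

def policy_check(sig_alg: str, hash_alg: str) -> tuple:
    """Return (policy name or None, compliant); compliant means a policy exists at NIST Level 1 or above."""
    name, level = ALGORITHM_POLICIES.get((sig_alg, hash_alg), (None, -1))
    return name, level >= 1

def summarize(certs: list, now: datetime) -> dict:
    """Expiration summary counts plus the certificates an operator should look at first."""
    counts, attention = {b: 0 for b in BUCKETS}, []
    for c in certs:
        bucket = expiration_bucket(c["not_after"], now)
        counts[bucket] += 1
        policy, ok = policy_check(c["sig_alg"], c["hash_alg"])
        if bucket != BUCKETS[3] or not ok:  # expired, expiring within 30 days, or weak/unknown policy
            attention.append((c["cn"], bucket, policy))
    return {"counts": counts, "attention": attention}

# Constructed sample inventory (hypothetical hostnames, not real certificates).
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
SAMPLE_CERTS = [
    {"cn": "api.example.test", "not_after": NOW + timedelta(days=90), "sig_alg": "ECDSA_P256", "hash_alg": "SHA_256"},
    {"cn": "mail.example.test", "not_after": NOW + timedelta(days=5), "sig_alg": "ECDSA_P384", "hash_alg": "SHA_384"},
    {"cn": "vpn.example.test", "not_after": NOW + timedelta(days=20), "sig_alg": "RSA_PSS_2048", "hash_alg": "SHA_256"},
    {"cn": "old.example.test", "not_after": NOW - timedelta(days=2), "sig_alg": "RSA_PSS_4096", "hash_alg": "SHA_512"},
    {"cn": "lab.example.test", "not_after": NOW + timedelta(days=400), "sig_alg": "ECDSA_P256", "hash_alg": "SHA_512"},
]
```

Calling summarize(SAMPLE_CERTS, NOW) reports one certificate in each of the first three categories and two in 30+ days, and lists every certificate except api.example.test for attention (lab.example.test because ECDSA_P256 with SHA_512 matches no policy in the table).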