Strata Copilot
    Next-Gen Trust Security
    : Tagging Certificates
    Focus
    Focus
    1. Home
    2. Next‑Gen Trust Security
    3. Next-Gen Trust Security
    4. Next-Gen Trust Security Overview
    5. Start with the TLS Certificates Dashboard
    6. Tagging Certificates

    Next-Gen Trust Security

    Tagging Certificates

    Table of Contents

    Tagging Certificates

    In Next-Gen Trust Security, tags are user-defined keys or key:value pairs that can be assigned to certificates. Tags allow you to add customized meta information to certificates beyond just the certificate properties. This gives you more insight and control in managing your certificate inventory, and it provides the ability for 3rd party integrations to act based on the presence or absence of tags.
    Example: One example use of tags might be to use a team-name:purpose tagging convention. Following that convention, you might have tags such as infrastructure:loadbalancer and infrastructure:database.
    After you assign tags to certificates, you can filter your certificate inventory by these tags. This helps you quickly manage your inventory and organize certificate-related work.
    You can add tags to a certificate request, and you can add or edit tags for existing certificates. Administrators can centrally manage tags using the Configurations > Tags page.

    Before You Begin

    • Users with the Superuser roles can create, assign, and remove tags on certificates they have access to. Users with the Superuser roles can also filter the certificate inventory using tags. Other tagging tasks must be performed by an administrator.
    • Know at least one of the keys or key:value pairs you want to create as a tag.
    • Creating a key:value pair also creates a standalone tag for the key value.
    • A certificate can have a maximum of 20 tags assigned to it.

    Managing Tags Centrally

    Administrators can use the Configurations > Tags page to view and manage all tags in the system. Each tag lists its keys and values, along with the number of active (non-retired) certificates using that tag.
    Select a value in the Active Certificates column to view those certificates in the certificate inventory.
    If you have many tags, use the Search box to locate specific tags.
    To create or delete tags, see Editing tags.

    Assigning Tags to Existing Certificates

    1. Sign in to Next-Gen Trust Security.
    2. Click Insights > Certificate Inventory > Certificates.
    3. In the certificate inventory, select the certificates you want to tag.
    4. In the local menu bar, click Tag > Add Tags.
    5. Click in the Tags field and select existing tags, or enter a new tag or key:value pair.
      Note (When creating new tags):
      • Creating a key:value pair also creates a standalone tag for the key value.
      • Once created, tag names can't be changed or deleted using the UI.
      • You can create multiple values for the same key.
    6. Optional: To replace existing tags, select Replace current tag assignments.
    7. Click Save.
    After tags are applied, they appear in the Tags section of the certificate details and in the Tags column of the inventory. Tags are retained when you renew a certificate.

    Changing Tags on a Certificate

    Changing Tags on a Single Certificate

    1. Click Insights > Certificate Inventory > Certificates.
    2. Select the certificate whose tags you want to change.
    3. In the local menu bar, click Tag > Add Tags.
    4. Remove existing tags by selecting the delete icon next to each tag.
    5. Add or modify tag assignments.
    6. Click Save.

    Changing Tags on Multiple Certificates

    1. Click Insights > Certificate Inventory > Certificates.
    2. Select the certificates you want to update.
    3. In the local menu bar, click Tag > Add Tags.
    4. Add or select tag assignments.
    5. Optional: Select Replace current tag assignments to overwrite existing tags.
      Note:
      • If adding tags causes a certificate to exceed the 20-tag limit, that certificate is skipped.
      • If all selected certificates exceed the limit, the operation fails.
    6. Click Save.

    Clearing All Tags from a Certificate

    1. Click Insights > Certificate Inventory > Certificates.
    2. Select the certificates whose tags you want to clear.
    3. In the local menu bar, click Tag > Clear Tags.
    4. Confirm by clicking Clear.
    Clearing tags removes all tag assignments from the selected certificates but doesn't delete the tags themselves.

    Filtering Certificates by Tags

    After assigning tags, you can filter the certificate inventory by tag. Select Tag from the Add Criteria dropdown and choose the tags to filter on.
    Next-Gen Trust Security includes a system tag named Venafi, which can't be modified or removed.

    Viewing Tagging Events

    Tagging actions appear in the Next-Gen Trust Security event log. Use filters to view specific tagging-related events.
    Tagging eventAdd CriteriaEvent
    New tag createdEventTags Created
    Tag removed from systemEventTags Deleted
    All tags removed from a certificateEventCertificate All Tags Deleted
    Tags replaced on a certificateEventCertificate Tags Replaced
    Tag added to a certificateEventCertificate Tags Added
    Tag added to a certificate requestEventTags Assignment on Certificate Request

    © 2026 Palo Alto Networks, Inc. All rights reserved.