> ## Documentation Index
> Fetch the complete documentation index at: https://docs.certgovernance.app/llms.txt
> Use this file to discover all available pages before exploring further.

# Inventory

> Discover, classify, and govern all certificates across your organization from a single view.

The Inventory page (`/inventory`) provides a unified view of every certificate CertForge knows about — whether issued through CertForge, discovered via CT log scanning, or imported from a CA connector. It is the primary place for classifying unreviewed certificates and ensuring everything in your environment has an assigned governance posture.

## How certificates appear in Inventory

Certificates enter Inventory from multiple sources:

| Source               | How                                                                                 |
| -------------------- | ----------------------------------------------------------------------------------- |
| **CT Log**           | Automatic scans of public certificate transparency logs for your configured domains |
| **TLS Scan**         | Active probing of hosts to retrieve live certificates                               |
| **CA Connector**     | Import from DigiCert, Entrust, or other enterprise CAs via connector                |
| **CertForge Issued** | Certificates issued directly through CertForge approval workflows                   |

## Governance statuses

Every certificate in Inventory carries a governance status that reflects how it is being managed.

| Status                 | Meaning                                                                        |
| ---------------------- | ------------------------------------------------------------------------------ |
| **Governed**           | Covered by a Domain Trust Profile and subject to policy enforcement            |
| **Monitored**          | Acknowledged and watched for expiry, but no active policy assigned             |
| **Externally Managed** | Owned by another system; CertForge tracks it but does not manage renewal       |
| **Unmanaged**          | Discovered but not yet reviewed or classified                                  |
| **Ignored**            | Dismissed from the active view; will not appear in dashboard counts or reports |

The **Unmanaged** count on the dashboard reflects certificates that need attention — your goal is to drive this to zero by classifying everything.

## Filtering and search

The stat bar at the top of Inventory lets you filter to a governance status with one click: Governed, Monitored, Unmanaged, Externally Managed. The search field filters by domain name. Use these together to quickly find the certificates you want to act on.

## Bulk actions

Select one or more certificates using the checkboxes to reveal the bulk action bar. Available actions:

| Action                      | Effect                                                                                 |
| --------------------------- | -------------------------------------------------------------------------------------- |
| **Mark Monitored**          | Sets governance status to Monitored                                                    |
| **Unmonitor**               | Returns status to Unmanaged                                                            |
| **Mark External**           | Sets status to Externally Managed                                                      |
| **Ignore**                  | Sets status to Ignored; removes from active view                                       |
| **Assign to Trust Profile** | Links selected certs to a DTP (status becomes Governed)                                |
| **Assign Owner**            | Attaches an owner email address to selected certs                                      |
| **Assign to Application**   | Associates selected certs with an Application for coverage tracking                    |
| **Renew →**                 | Queues an approval request to renew selected certs under their governing Trust Profile |

## Renewing from Inventory

The **Renew →** action is designed for migrating or renewing certificates that are already governed by a Trust Profile. When you select certificates and click Renew:

1. If all selected certificates share the same governing Trust Profile, that profile is automatically selected in the Trust Profile dropdown.
2. If selected certs have different profiles (or none), select the profile manually before clicking Renew.
3. CertForge creates an approval request for each selected certificate. Those requests appear in **Approvals** for review and decision.
4. Once approved, the executor issues new certificates under the selected profile.

<Tip>
  Use Inventory filters to isolate a specific Trust Profile's certs before selecting — this makes it easy to bulk-renew everything governed by a given profile.
</Tip>

## By Application view

Toggle to **By Application** view to see the same certificates grouped by their assigned Application. This view shows coverage status per application and makes it easy to identify which cert groups are unprotected. Certificates not assigned to any application appear at the bottom under "Unassigned."

## Policy Suggestions (dashboard)

When the Inventory contains two or more unreviewed certificates sharing the same base domain, the **Dashboard** displays a **Policy Suggestions** card. Each suggestion groups unreviewed certs by base domain and indicates whether a matching Trust Profile already exists.

Use the **Assign to Trust Profile →** button on a suggestion to immediately classify those certificates under an existing profile, or **Review →** to open the filtered Inventory view and classify them manually.

Suggestions disappear automatically once all certs for that base domain are classified (no longer `unreviewed`).
