Document Agent v7.80 windows_certificate tag flags (DataDog#23774)

mrafi97 · drichards-87 · NouemanKHAL · web-flow · commit 6a7467a64c8f · 2026-06-12T16:07:15.000+02:00
* Document Agent v7.80 windows_certificate tag flags

Expand the Tags section of the windows_certificate README to describe the
six opt-in flags added in Agent v7.80 (datadog-agent#49740) and the tags
each flag emits.

* Update windows_certificate/README.md

Co-authored-by: DeForest Richards &lt;56796055+drichards-87@users.noreply.github.com&gt;

---------

Co-authored-by: DeForest Richards &lt;56796055+drichards-87@users.noreply.github.com&gt;
Co-authored-by: NouemanKHAL &lt;noueman.khalikine@datadoghq.com&gt;
diff --git a/windows_certificate/README.md b/windows_certificate/README.md
@@ -72,6 +72,26 @@ The `policy_validation_flags` [suppress specific validation errors][12] that may
 
 The integration automatically tags all metrics and service checks with the name of the store in the `certificate_store:<STORE>` tag. Certificate metrics and service checks are tagged with the certificate's subjects, thumbprints and serial numbers. CRL metrics and service checks are tagged with the CRL's issuer and thumbprint.
 
+Beginning with Agent v7.80, six opt-in flags expose additional certificate metadata as tags on per-certificate metrics and service checks. Each flag defaults to `false`. Set the value to `true` in your instance configuration to emit the corresponding tags.
+
+| Flag | Tags emitted |
+| --- | --- |
+| `certificate_template_tag` | `certificate_template`, `certificate_template_oid`, `certificate_template_major_version`, `certificate_template_minor_version` |
+| `enhanced_key_usage_tag` | `enhanced_key_usage` (one tag per EKU OID; well-known OIDs use short names) |
+| `friendly_name_tag` | `friendly_name` |
+| `subject_alternative_names_tag` | `subject_alt_name_dns`, `subject_alt_name_ip`, `subject_alt_name_email`, `subject_alt_name_uri` |
+| `issuer_tag` | `issuer_CN`, `issuer_O`, `issuer_OU`, and other issuer Distinguished Name components when present |
+| `signature_algorithm_tag` | `signature_algorithm` |
+
+Example configuration that enables the issuer and signature algorithm tags:
+
+```yaml
+instances:
+  - certificate_store: ROOT
+    issuer_tag: true
+    signature_algorithm_tag: true
+```
+
 ### Validation
 
 [Run the Agent's status subcommand][6] and look for `windows_certificate` under the Checks section.
