Certificate Discovery
Certificate Discovery is a powerful feature of SecTrail CM that automatically finds all SSL/TLS certificates in your infrastructure and adds them to inventory.
Overview
Not knowing where certificates are in use across an organization is a major security risk. Expired or forgotten certificates can cause service outages and leave security weaknesses open.
Key Features
SecTrail CM's Certificate Discovery feature simplifies certificate management:
| Feature | Description |
|---|---|
| Automatic Discovery | Automatically finds all certificates in your infrastructure |
| Centralized Inventory | Collects all certificates in a single centralized system |
| Regular Scanning | Keeps inventory up-to-date with scheduled scans |
| Fast Scanning | Scans large networks quickly and efficiently |
| Multiple Methods | Comprehensive discovery with network scanning and CT Logs |
Discovery Methods
SecTrail CM offers the following discovery methods, each suited to different scenarios:
1. Network Scanning
Network Scanning detects SSL/TLS certificates on devices in the network by scanning specified IP ranges or subnets.
How Does it Work?
The Network Scanning method detects SSL/TLS services listening on the IP ranges and ports you specify. Each certificate found is automatically added to inventory, and the scan is repeated at the configured interval so that newly deployed certificates are picked up.
Use Cases
The Network Scanning method is used in the following scenarios:
- Server Infrastructure - Regularly scan your entire server infrastructure
- Datacenter Scanning - Scan a specific datacenter or subnet
- New Servers - Automatically discover newly added servers
- Port-based Scanning - Find services running on non-standard ports
2. Certificate Transparency Logs (CT Logs)
Certificate Transparency Logs are public, append-only records of publicly issued certificates. Certificate Authorities (CAs) register the certificates they issue in these logs. This method is used for domain-based certificate discovery.
How Does it Work?
The Certificate Transparency Logs method queries the public CT log records for the domain you specify. This way, you can discover all public certificates belonging to your organization, including ones you were not aware of. SecTrail CM uses trusted CT Log services like crt.sh and SSLMate.
Advantages
| Advantage | Description |
|---|---|
| Public Certificates | Finds all publicly issued certificates |
| Unknown Certificates | Discovers certificates belonging to your organization that you didn't know about |
| Shadow IT | Detects certificates obtained by unauthorized departments |
| Subdomain Discovery | Finds all subdomain certificates linked to the main domain |
Use Cases
The Certificate Transparency Logs method is used in the following scenarios:
- Public Certificates - Discover all your internet-facing certificates
- Organization Inventory - Scan all domains belonging to the organization
- Shadow IT Detection - Find unauthorized certificates
- Subdomain Monitoring - Track all subdomain certificates
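An added example of the CT Logs method, not SecTrail CM's own code: it parses a response in crt.sh's JSON shape (the sample below is constructed), collapses the duplicate log rows that one certificate produces, and reports every name that is missing from the inventory you already know about, which is where Shadow IT and forgotten subdomains surface.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// crtshRow holds the two crt.sh JSON fields used here (query: ?q=%.example.com&output=json).
type crtshRow struct {
	NameValue    string `json:"name_value"` // newline-separated DNS names from the SAN list
	SerialNumber string `json:"serial_number"`
}

// sampleCT is a constructed response in crt.sh's JSON shape, not real log data.
const sampleCT = `[
{"name_value":"www.example.com\nexample.com","serial_number":"0a1b"},
{"name_value":"www.example.com\nexample.com","serial_number":"0a1b"},
{"name_value":"crm-test.example.com\n*.dev.example.com","serial_number":"ff02"}]`

// discover dedupes rows by serial and returns serial->names plus every name absent from `known`.
func discover(raw []byte, known map[string]bool) (map[string][]string, map[string]bool, error) {
	var rows []crtshRow
	if err := json.Unmarshal(raw, &rows); err != nil {
		return nil, nil, err
	}
	certs, unknown := map[string][]string{}, map[string]bool{}
	for _, r := range rows {
		if _, dup := certs[r.SerialNumber]; dup {
			continue // a precertificate and its final certificate are separate rows with one serial
		}
		var names []string
		for _, n := range strings.Split(r.NameValue, "\n") {
			if n = strings.ToLower(strings.TrimSpace(n)); n != "" {
				names = append(names, n)
				if !known[n] {
					unknown[n] = true // shadow-IT or forgotten-subdomain candidate
				}
			}
		}
		certs[r.SerialNumber] = names
	}
	return certs, unknown, nil
}

func main() {
	known := map[string]bool{"www.example.com": true, "example.com": true} // inventory from other methods
	certs, unknown, err := discover([]byte(sampleCT), known)
	fmt.Println(len(certs), "distinct certificates; names to review:", unknown, err)
}
```

Feeding it the real query output instead of sampleCT is a single HTTP GET; the review list is what an operator would triage against the Shadow IT use case above.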
3. Discovery from Integration Systems
Integration Discovery connects directly to systems already present in your infrastructure (load balancers, web servers, keystores, etc.) and discovers the certificates they hold. API- or protocol-based connections provide a real-time certificate inventory.
How Does it Work?
SecTrail CM establishes secure API or protocol connections to the integrated systems and automatically discovers all certificates they contain. Once an integration is configured, the system scans at the specified interval and adds new or updated certificates to inventory.
Supported Integration Systems
SecTrail CM can perform automatic certificate discovery from the following systems:
- F5 BIG-IP • Citrix NetScaler • FortiWeb
- NGINX / NGINX Plus • Palo Alto Networks
- Apache • IIS • Apache Tomcat
- Windows TrustStore • Java Keystore (JKS)
- IBM DataPower • HashiCorp Vault
Use Cases
Integration Discovery is used in the following scenarios:
- Configuration Management - Centrally manage certificates on load balancers and web servers
- Keystore Monitoring - Track certificates in Java Keystore and Windows TrustStore
- Automatic Synchronization - Instantly capture changes in production systems
- Secret Management - Discover certificates in secret management systems like HashiCorp Vault
Visit the Integrations page to set up integrations with supported systems.
Recommended Approaches
| Recommendation | Description |
|---|---|
| Regular Scanning | Quickly capture new certificates by performing daily automatic scans |
| Test Environment | Test in a test environment before moving to production |
| Proper Scheduling | Run scans outside business hours (at night) |
Considerations
| Topic | Description |
|---|---|
| Network Load | Avoid large network scans during peak hours |
| Traffic Monitoring | Monitor network traffic during scanning |
| Firewall Rules | Ensure the ports SecTrail CM will scan are open |
| Rate Limiting | Limit the number of simultaneous connections and respect any rate limits on the scanned systems |
| Permissions | Obtain necessary permissions for networks you will scan |
Discovery Operations
SecTrail CM offers both scheduled automatic discovery and instant manual discovery:
Automatic Discovery (Scheduled)
You can create discovery tasks that run automatically at specified intervals (daily or weekly). This way, new certificates in your infrastructure are continuously discovered and your inventory stays up-to-date.
Manual Discovery (Instant)
You can perform one-time quick scans without creating scheduled tasks. This is useful when you add a new server or need urgent verification.
Get Started
- User Guide: Discovery - CA integration and configuration steps