Discovery inventory

The inventory is the union of every certificate discovered across your configured sources, de-duplicated by SHA-256 fingerprint. Filter, sort, cross-reference with managed certs, and export — the inventory is where you answer "what certs do we actually have?"

01 Default columns

  • Subject CN and first two SANs (the rest show on hover).
  • Issuer (CN of the issuing CA).
  • Valid from / to.
  • Days remaining — colour-coded (red < 7, amber < 30, green otherwise).
  • PQC status: vulnerable, transition, ready, or unknown. See PQC readiness.
  • Endpoints — count of host:port tuples where the cert was seen.
  • Managed — linked to a managed certificate, or shadow.

02 Filters

  • Expiry window — <7, <30, <90, <365 days, expired.
  • PQC status.
  • Issuer — pick one or multiple.
  • Key algorithm — RSA-2048 / RSA-3072 / RSA-4096 / ECDSA-P256 / ECDSA-P384 / ECDSA-P521 / unknown.
  • Managed status: managed, shadow, imported.
  • Source — restrict to a specific discovery source.
  • Free-text search — matches CN, SANs, issuer CN, endpoint.

03 Cert detail

Clicking a row opens the detail panel:

  • Full subject + SANs + issuer chain.
  • PEM export (public material only — private keys are not in inventory).
  • Endpoint list with per-endpoint last-seen timestamps and cipher-suite observations.
  • Change history — if the same endpoint previously served a different cert, the transitions are recorded.
  • Findings — any open security findings tied to this cert.
  • Manage action — promotes the cert to a managed certificate via the Manage wizard.

04 Managed vs shadow

  • Managed: the cert is also in certificates — CertAutoPilot issued or explicitly imported it.
  • Shadow: the cert exists in the wild but CertAutoPilot doesn't own its lifecycle. Shadow certs are the top candidates for Manage import or for a conversation with the team that owns them.
  • Imported: a previously-shadow cert has been adopted via the Manage wizard. From now on, renewal and distribution flow through CertAutoPilot.

05 Stats widget

At the top of the inventory, summary tiles show:

  • Total discovered certs.
  • Split by PQC status — a pie chart of vulnerable / transition / ready.
  • Split by issuer — top 5 CAs.
  • Expiring this month / this quarter.

These are the same data the 47-day readiness dashboard consumes, so inventory and dashboard always agree.

06 Export

Click Export on any filtered view:

  • CSV — flat columns, ready for spreadsheet or BI tools.
  • JSON — full structure with endpoint list and chain.

Exports stream server-side; nothing is buffered, so there is no memory blow-up on a 50 k-cert inventory.

07 API

GET /api/v1/projects/{projectId}/discovery/certificates
    ?expiry_within_days=30
    &pqc_status=vulnerable
    &managed=false
    &limit=200
    &cursor=...

Returns cursor-paginated discovered certs. next_cursor points to the next page. See API reference.
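
A client-side sketch of following next_cursor with the filters shown above. This is an added example, not CertAutoPilot's own code: the host name, bearer-token auth, the "items" response key and the "cn" field are assumptions, and the sample pages are constructed so the block runs offline.

```python
import json
import urllib.parse
import urllib.request

# Path is from the page; host, bearer auth and the "items" key are assumptions.
PATH = "/api/v1/projects/{project_id}/discovery/certificates"

def build_url(base, project_id, filters, cursor=None, limit=200):
    """Build one page URL from the documented query parameters."""
    query = dict(filters, limit=limit)
    if cursor:
        query["cursor"] = cursor
    path = PATH.format(project_id=urllib.parse.quote(project_id, safe=""))
    return base.rstrip("/") + path + "?" + urllib.parse.urlencode(query)

def http_fetch(url, token):
    """Live transport: GET with a bearer token (assumed auth scheme)."""
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def iter_discovered(base, project_id, filters, fetch, max_pages=1000):
    """Yield every cert across pages, following next_cursor until it is absent."""
    cursor, seen = None, set()
    for _ in range(max_pages):
        page = fetch(build_url(base, project_id, filters, cursor))
        yield from page.get("items", [])
        cursor = page.get("next_cursor")
        if not cursor:
            return
        if cursor in seen:  # a repeated cursor would otherwise loop forever
            raise RuntimeError("cursor repeated: " + cursor)
        seen.add(cursor)
    raise RuntimeError("page limit reached before the last page")

# Constructed sample pages standing in for the server, keyed by cursor value.
SAMPLE_PAGES = {
    None: {"items": [{"cn": "a.example.test"}, {"cn": "b.example.test"}], "next_cursor": "p2"},
    "p2": {"items": [{"cn": "c.example.test"}], "next_cursor": None},
}

def sample_fetch(url):
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return SAMPLE_PAGES[query.get("cursor", [None])[0]]

def unmanaged_at_risk(fetch=sample_fetch):
    filters = {"expiry_within_days": 30, "pqc_status": "vulnerable", "managed": "false"}
    certs = iter_discovered("https://certautopilot.example", "proj-1", filters, fetch)
    return [c["cn"] for c in certs]
```

Against a live instance, pass `fetch=lambda url: http_fetch(url, token)` instead of the sample transport.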

08 Retention

Discovered certs are retained indefinitely by default. Endpoints that stop appearing in later scans keep their history — the last seen timestamp ages naturally. If your compliance retention is shorter, run periodic cleanup on discovered_certificates with a last_seen cutoff.