Discovery sources
A discovery source tells CertAutoPilot where to look for certificates that are not yet managed. Two source types today: network scan (connect to each host:port, handshake, capture the cert) and CT log monitor (subscribe to Certificate Transparency logs and surface certs for your domain prefixes). Both feed into the same inventory.
01 Source types
| Type | Input | Use case |
|---|---|---|
| `network_scan` | CIDR ranges, hostname lists, port lists | Known infrastructure — discover what's running HTTPS. |
| `ct_log` | Domain prefixes, CT log URLs | Shadow IT — catch a cert issued outside your process. |
02 Network scan
- Discovery → Sources → New → type Network scan.
- Fields:
  - CIDRs: e.g. `10.0.0.0/24`, `10.1.0.0/16`. One per line.
  - Hostnames: optional list of DNS names to probe in addition to the CIDRs. Handy when your infra lives behind cloud load balancers with no stable IP.
  - Ports: default `443, 8443`. Anything TLS-speaking works (LDAPS 636, IMAPS 993, SMTPS 465, MQTTS 8883).
  - Schedule: Manual, or cron-like (`hourly`, `daily 03:00 UTC`, custom cron).
  - Timeout per host: default 5 s. Shorter for tight networks, longer for WAN scans.
  - Concurrency: default 8 simultaneous handshakes. Capped per worker by `worker.max_concurrent_discovery` in config.
- Save. The first run starts immediately if Trigger on save is ticked.
Network scans are subject to the outbound network policy: cloud-metadata addresses and link-local blocks are never probed. Scanning 169.254.0.0/16 is refused even if you list the range explicitly. This is intentional.
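The procedure above, as an added example rather than CertAutoPilot's own code: a stdlib Python scanner that expands the CIDRs, Hostnames and Ports fields into targets, refuses link-local and cloud-metadata ranges before any packet leaves (the page names only 169.254.0.0/16 explicitly, so the rest of `BLOCKED_NETWORKS` is an assumption), handshakes at the configured concurrency and timeout, and records what the inventory needs: fingerprint, cipher suite and endpoint. An unreachable host becomes a finding on that endpoint instead of failing the run. The record layout and the `parse_x509` helper (which assumes the `cryptography` package, version 42 or newer, imported lazily) are also assumptions.

```python
"""Network-scan discovery: target expansion, outbound policy check, concurrent TLS probes."""
import hashlib
import ipaddress
import socket
import ssl
from concurrent.futures import ThreadPoolExecutor

# Assumed policy list: the page names cloud-metadata addresses and link-local blocks.
BLOCKED_NETWORKS = [
    ipaddress.ip_network("169.254.0.0/16"),      # IPv4 link-local, contains 169.254.169.254 (IMDS)
    ipaddress.ip_network("fe80::/10"),           # IPv6 link-local
    ipaddress.ip_network("fd00:ec2::254/128"),   # AWS IMDS over IPv6
    ipaddress.ip_network("100.100.100.200/32"),  # Alibaba Cloud metadata
]


class NetworkPolicyError(ValueError):
    """A target falls inside a refused range; raised before any connection is attempted."""


def check_policy(addr: str) -> None:
    ip = ipaddress.ip_address(addr)
    for net in BLOCKED_NETWORKS:
        if ip in net:
            raise NetworkPolicyError(f"{addr} is inside refused range {net}")


def expand_targets(cidrs, hostnames, ports):
    """Turn the source's fields into (host, port) pairs. A CIDR overlapping a refused
    range fails the whole expansion: refused even if listed, not silently skipped."""
    hosts = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        for blocked in BLOCKED_NETWORKS:
            if net.overlaps(blocked):
                raise NetworkPolicyError(f"{cidr} overlaps refused range {blocked}")
        hosts.extend(str(ip) for ip in net.hosts())
    hosts.extend(hostnames)  # DNS names are checked after resolution, inside probe()
    return [(h, p) for h in hosts for p in ports]


def probe(host, port, timeout=5.0):
    """One TLS handshake. Returns a discovered-certificate record, or a finding when
    the endpoint cannot be reached (a partial failure, not a failure of the run)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # discovery records what is served, trusted or not
    endpoint = f"{host}:{port}"
    try:
        addr = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)[0][4][0]
        check_policy(addr)              # a name resolving into a refused range is refused too
        with socket.create_connection((addr, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
                suite, version, _bits = tls.cipher()
    except NetworkPolicyError:
        raise
    except (OSError, ssl.SSLError) as exc:
        return {"endpoint": endpoint, "finding": f"unreachable: {exc}"}
    record = {"endpoint": endpoint, "sha256": hashlib.sha256(der).hexdigest(),
              "cipher_suite": suite, "tls_version": version, "der": der}
    record.update(parse_x509(der))
    return record


def parse_x509(der):
    """Subject, SANs, issuer and validity window. Assumes `cryptography` >= 42;
    imported lazily so the policy and expansion code above stays stdlib-only."""
    from cryptography import x509
    cert = x509.load_der_x509_certificate(der)
    try:
        sans = cert.extensions.get_extension_for_class(
            x509.SubjectAlternativeName).value.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        sans = []
    return {"subject": cert.subject.rfc4514_string(), "issuer": cert.issuer.rfc4514_string(),
            "sans": sans, "not_before": cert.not_valid_before_utc,
            "not_after": cert.not_valid_after_utc}


def scan(cidrs, hostnames, ports=(443, 8443), timeout=5.0, concurrency=8):
    """Run one source. Unreachable endpoints come back as findings next to the records."""
    targets = expand_targets(cidrs, hostnames, ports)  # policy enforced here, before any I/O
    with ThreadPoolExecutor(max_workers=concurrency) as pool:
        return list(pool.map(lambda t: probe(t[0], t[1], timeout), targets))
```

A run looks like `scan(["10.0.0.0/24"], ["lb.example.internal"])`; the defaults mirror the form (443 and 8443, 5 s, 8 handshakes). Policy is checked twice on purpose: once on the literal CIDRs before anything is sent, and again on the resolved address, so a hostname that an attacker points at 169.254.169.254 is refused just like the literal range.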
03 CT log monitor
- Discovery → Sources → New → type CT log.
- Fields:
  - Domain prefixes: e.g. `example.com`, `example.org`. A prefix matches the domain apex and every subdomain.
  - Log URL: defaults to a curated set of major CT logs (Google Argon, Cloudflare Nimbus, Let's Encrypt Oak). Override if you want to watch a private CT log.
  - Poll interval: default 1 h. Shorter catches new certs sooner at the cost of more API calls.
- Save. The monitor reads log entries since its last checkpoint and extracts any cert matching a prefix.
CT monitoring catches certificates issued by other teams for domains you own — extremely useful for shadow IT audits.
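One monitor tick as an added example (not CertAutoPilot's own implementation): checkpointed polling of an RFC 6962 log through its `get-sth` and `get-entries` endpoints, decoding of the `MerkleTreeLeaf` so both certificate and precertificate entries are handled, and label-aware prefix matching that treats `example.com` as the apex plus every subdomain but not `evil-example.com`. The log URL is a parameter (the Argon, Nimbus and Oak URLs are published by their operators); the batch size, the match record layout and the `names_from_der` helper, which assumes the `cryptography` package, are assumptions.

```python
"""CT log monitor: checkpointed polling, MerkleTreeLeaf decoding, prefix matching."""
import base64
import json
import urllib.request

X509_ENTRY, PRECERT_ENTRY = 0, 1


def get_json(url, timeout=30):
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def parse_leaf(leaf_input: bytes):
    """Decode a MerkleTreeLeaf (RFC 6962 section 3.4): (entry_type, timestamp_ms, der).
    For x509_entry the DER is the certificate; for precert_entry it is only the
    TBSCertificate, so the caller takes the precertificate from extra_data instead."""
    version, leaf_type = leaf_input[0], leaf_input[1]
    if version != 0 or leaf_type != 0:
        raise ValueError(f"unsupported leaf version={version} type={leaf_type}")
    timestamp = int.from_bytes(leaf_input[2:10], "big")
    entry_type = int.from_bytes(leaf_input[10:12], "big")
    pos = 12
    if entry_type == PRECERT_ENTRY:
        pos += 32                        # skip issuer_key_hash
    elif entry_type != X509_ENTRY:
        raise ValueError(f"unknown entry type {entry_type}")
    length = int.from_bytes(leaf_input[pos:pos + 3], "big")   # opaque<1..2^24-1>
    return entry_type, timestamp, leaf_input[pos + 3:pos + 3 + length]


def precert_from_extra_data(extra_data: bytes) -> bytes:
    """PrecertChainEntry begins with pre_certificate as a 3-byte-length ASN.1Cert."""
    length = int.from_bytes(extra_data[:3], "big")
    return extra_data[3:3 + length]


def matches_prefix(name: str, prefixes) -> bool:
    """True when name is the apex or any subdomain of a prefix. Compares whole labels,
    so 'evil-example.com' does not match 'example.com'; wildcard names are normalised."""
    host = name.lower().rstrip(".")
    if host.startswith("*."):
        host = host[2:]
    for p in prefixes:
        p = p.lower().rstrip(".")
        if host == p or host.endswith("." + p):
            return True
    return False


def names_from_der(der: bytes):
    """Subject CN plus SAN DNS names. Assumes `cryptography`; a precertificate's
    critical poison extension loads as an unrecognised extension without error."""
    from cryptography import x509
    cert = x509.load_der_x509_certificate(der)
    names = [a.value for a in cert.subject.get_attributes_for_oid(x509.NameOID.COMMON_NAME)]
    try:
        names += cert.extensions.get_extension_for_class(
            x509.SubjectAlternativeName).value.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        pass
    return names


def poll(log_url: str, checkpoint: int, prefixes, batch: int = 256):
    """One tick. `checkpoint` is the index of the first unread entry; persist the
    returned value so the next tick resumes where this one stopped."""
    base = log_url.rstrip("/")
    tree_size = get_json(base + "/ct/v1/get-sth")["tree_size"]
    matches, start = [], checkpoint
    while start < tree_size:
        end = min(start + batch, tree_size) - 1
        entries = get_json(f"{base}/ct/v1/get-entries?start={start}&end={end}")["entries"]
        if not entries:
            break                        # logs may return fewer entries than asked, never more
        for i, entry in enumerate(entries):
            entry_type, ts, der = parse_leaf(base64.b64decode(entry["leaf_input"]))
            if entry_type == PRECERT_ENTRY:
                der = precert_from_extra_data(base64.b64decode(entry["extra_data"]))
            names = names_from_der(der)
            if any(matches_prefix(n, prefixes) for n in names):
                matches.append({"index": start + i, "timestamp_ms": ts,
                                "precert": entry_type == PRECERT_ENTRY, "names": names})
        start += len(entries)            # advance by what was actually returned
    return start, matches
```

The checkpoint is an entry index, not a timestamp, because a log only promises ordering by index; advancing by the number of entries actually returned is what keeps a monitor from skipping records when a log serves a smaller page than requested.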
04 Execution model
- A source is executed by a `discovery_execute` job on the main worker queue.
- Per-source concurrency is the source's Concurrency setting, capped by worker config; per-worker concurrency is capped by `worker.max_concurrent_discovery`.
- The scheduler sweeps active sources on their configured cadence; manual triggers bypass the schedule.
- Partial failures (some hosts unreachable) do not fail the whole run; they surface as findings on the affected endpoints.
05 What is stored
Each discovered cert populates `discovered_certificates` with:
- Subject, SANs, issuer, validity window.
- SHA-256 fingerprint.
- TLS handshake cipher suite (for cipher-suite-level findings).
- Endpoint list (`host:port` where seen).
- PQC classification — see PQC readiness.
06 Re-runs and drift
A second scan of the same network either confirms existing entries (no change) or records a drift event: a host that previously served cert A now serves cert B. Drifts appear as findings with a per-endpoint change history.
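The confirm-or-drift rule above as an added example (not the product's own code): a fresh scan is folded into a per-endpoint history keyed by SHA-256 fingerprint, and each endpoint yields exactly one event. Unreachable hosts arrive as findings and leave the history untouched, so an outage never looks like a certificate change. The record shapes, the `new` event for a first sighting and the `rollback` flag (a drift back to a fingerprint the endpoint served before, which is worth a second look) are assumptions.

```python
"""Re-run drift detection: fold a scan into per-endpoint history, emit confirm/drift events."""
from datetime import datetime, timezone


def apply_scan(history, results, seen_at=None):
    """history: {endpoint: [{"sha256", "first_seen", "last_seen"}, ...]}, newest entry last.
    results: records from one run, each with "endpoint" and either "sha256" or "finding".
    Mutates history in place and returns this run's events, one per endpoint."""
    seen_at = seen_at or datetime.now(timezone.utc)
    events = []
    for rec in results:
        ep = rec["endpoint"]
        if "finding" in rec:
            # An unreachable host is a finding, not drift: the history is left as it was.
            events.append({"endpoint": ep, "kind": "finding", "detail": rec["finding"]})
            continue
        fp = rec["sha256"]
        entries = history.setdefault(ep, [])
        if not entries:
            entries.append({"sha256": fp, "first_seen": seen_at, "last_seen": seen_at})
            events.append({"endpoint": ep, "kind": "new", "sha256": fp})
        elif entries[-1]["sha256"] == fp:
            entries[-1]["last_seen"] = seen_at          # same cert as last time: confirmed
            events.append({"endpoint": ep, "kind": "confirmed", "sha256": fp})
        else:
            previous = entries[-1]["sha256"]
            entries.append({"sha256": fp, "first_seen": seen_at, "last_seen": seen_at})
            events.append({"endpoint": ep, "kind": "drift", "from": previous, "to": fp,
                           # True when the endpoint has served this cert before
                           "rollback": any(e["sha256"] == fp for e in entries[:-1])})
    return events


def change_history(history, endpoint):
    """The per-endpoint change history shown on a drift finding: (fingerprint, first, last)."""
    return [(e["sha256"], e["first_seen"], e["last_seen"]) for e in history.get(endpoint, [])]
```

Comparing fingerprints rather than subject or expiry is deliberate: a renewal with the same subject is still a different certificate, and that is exactly the drift an operator wants to see before it surprises a client.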
07 Troubleshooting
Scan is very slow over WAN
Drop Timeout per host to 2 s; unreachable hosts will be marked offline faster rather than waiting out the default 5 s.
Scan result: network policy block
You listed a range CertAutoPilot refuses to scan (metadata IP, link-local). Adjust the CIDR.
CT monitor lags by hours
Poll interval is an hour by default and CT log incorporation itself takes time — end-to-end lag up to 2 hours is normal. Lower the interval to minutes if you need faster detection.