Certificate discovery
Find the certs you don't know about. Scan IP/CIDR ranges, watch CT logs for new issuances, check OCSP/CRL revocation status, detect drift, and transition discovered certs to managed lifecycle.
01 Discovery sources
A discovery source is a recurring scan definition. Three types:
- Network scan — IP/CIDR ranges + ports. The worker opens TLS connections and captures the certificate chain.
- Hostname list — explicit host:port targets. Useful for FQDNs that don't appear in any CIDR you control.
- CT log monitor — subscribes to Certificate Transparency logs and matches issuances against domain prefixes you own.
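The following is an added example, not CertAutoPilot's own code, showing how the first two source types expand into concrete scan targets: a network scan (CIDR ranges times ports) and a hostname list (host:port lines, including bracketed IPv6 literals). Function names, the default port and the sample list are assumptions.

```python
"""Expand discovery-source definitions into concrete (host, port) scan targets.

Added illustration, not CertAutoPilot's own code. The two source shapes
(a network scan with CIDR ranges and ports, a hostname list of host:port
lines) follow the page's description; function and field names are assumed.
"""
from __future__ import annotations

import ipaddress
from typing import Iterator

DEFAULT_TLS_PORT = 443  # assumed default when a hostname line carries no port


def expand_network_source(cidrs: list[str], ports: list[int]) -> Iterator[tuple[str, int]]:
    """Yield (ip, port) for every usable address in every CIDR, for every port.

    IPv4 network and broadcast addresses are skipped because nothing answers
    there; a single-host block (/32 or /128) still yields its one address.
    """
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        hosts = [net.network_address] if net.num_addresses == 1 else net.hosts()
        for ip in hosts:
            for port in ports:
                yield str(ip), port


def parse_host_target(spec: str) -> tuple[str, int]:
    """Parse one 'host:port' line into (host, port).

    Accepts bracketed IPv6 literals ('[2001:db8::1]:8443') and bare IPv6
    literals without a port. Malformed lines raise ValueError so a bad entry
    in a hostname list is reported rather than silently dropped.
    """
    spec = spec.strip()
    if spec.startswith("["):
        end = spec.find("]")
        if end == -1:
            raise ValueError(f"unterminated IPv6 literal: {spec!r}")
        host, rest = spec[1:end], spec[end + 1:]
        ipaddress.IPv6Address(host)  # validates the literal; raises ValueError
        if rest == "":
            return host, DEFAULT_TLS_PORT
        if not rest.startswith(":"):
            raise ValueError(f"expected ':port' after IPv6 literal: {spec!r}")
        port_str = rest[1:]
    elif spec.count(":") > 1:
        ipaddress.IPv6Address(spec)  # bare IPv6 literal, no port
        return spec, DEFAULT_TLS_PORT
    elif ":" in spec:
        host, port_str = spec.rsplit(":", 1)
    else:
        host, port_str = spec, str(DEFAULT_TLS_PORT)
    if not host:
        raise ValueError(f"missing host: {spec!r}")
    port = int(port_str)  # a non-numeric port raises ValueError
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {spec!r}")
    return host, port


def expand_hostname_source(lines: list[str]) -> list[tuple[str, int]]:
    """Parse a hostname list, ignoring blank lines and '#' comments,
    keeping first-seen order and dropping duplicates."""
    seen: set[tuple[str, int]] = set()
    targets: list[tuple[str, int]] = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        target = parse_host_target(line)
        if target not in seen:
            seen.add(target)
            targets.append(target)
    return targets


# Constructed sample hostname list (documentation names and addresses only).
SAMPLE_HOSTNAME_LIST = [
    "# edge services",
    "api.example.com:8443",
    "mail.example.com",        # no port: defaults to 443
    "[2001:db8::1]:8443",
    "api.example.com:8443",    # duplicate, dropped
]

if __name__ == "__main__":
    for host, port in expand_network_source(["192.0.2.0/30"], [443, 8443]):
        print(f"network target {host}:{port}")
    for host, port in expand_hostname_source(SAMPLE_HOSTNAME_LIST):
        print(f"hostname target {host}:{port}")
```

The hostname parser fails loudly on a malformed line; for a recurring scan source that is the safer choice, since a silently skipped target is exactly the certificate you end up not knowing about.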
02 Scheduling
Each source has its own cadence — once, daily, weekly, or a cron expression for finer control. The scheduler smears scan starts within the cadence window so you don't get a thundering herd at midnight UTC.
03 Security findings
Every scan produces zero or more findings on each endpoint. Severity ranges from info to critical:
| Finding | Severity |
|---|---|
| Expired certificate | critical |
| Self-signed in production zone | high |
| Weak signature (SHA-1, MD5) | high |
| Deprecated TLS (1.0, 1.1) | high |
| Weak cipher (RC4, 3DES, EXPORT) | high |
| Expiring < 14 days, not managed | medium |
| PQC-vulnerable (RSA, classical ECC) | info |
| Mixed-case SAN duplicates | low |
04 OCSP & CRL
For each discovered certificate the scanner extracts AIA OCSP responder URLs and CRL distribution points, then queries them. Revoked certs become a critical finding immediately.
CertAutoPilot caches OCSP responses for the validity period the responder advertises, so re-scans are cheap.
05 Drift detection
On every recurring scan, CertAutoPilot diffs the captured certificate against the previous snapshot. A drift event fires when:
- The fingerprint changes (cert was replaced).
- The issuer changes (CA migration).
- The public key changes (key rotation).
- The SAN set changes.
Each drift event is its own audit entry, so you can see the full history per endpoint.
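As an added example (not CertAutoPilot's own implementation), the diff below compares two snapshots of one endpoint and emits one event per changed attribute, replaying a scan history into the per-endpoint audit trail the section describes. The snapshot fields, event kinds and placeholder hash values are assumptions.

```python
"""Drift detection between successive certificate snapshots of one endpoint.

Added illustration, not CertAutoPilot's own implementation. A snapshot holds
what a scan captured for an endpoint; the field names, the event kinds and
the sample data below are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class CertSnapshot:
    fingerprint: str        # SHA-256 of the DER certificate, hex
    issuer: str             # issuer distinguished name
    spki_hash: str          # SHA-256 of the SubjectPublicKeyInfo, hex
    sans: frozenset[str]    # subjectAltName entries


@dataclass(frozen=True)
class DriftEvent:
    endpoint: str
    kind: str               # "fingerprint" | "issuer" | "public_key" | "san_set"
    before: tuple | str
    after: tuple | str


def detect_drift(endpoint: str, prev: CertSnapshot | None, cur: CertSnapshot) -> list[DriftEvent]:
    """Return one DriftEvent per changed attribute, in a fixed order.

    The first observation of an endpoint (prev is None) is a baseline, not
    drift. Every replacement changes the fingerprint; a renewal by the same CA
    with the same key changes nothing else, a key rotation also changes
    spki_hash, and a CA migration changes the issuer.
    """
    if prev is None:
        return []
    if prev.fingerprint == cur.fingerprint and prev != cur:
        # The same DER bytes cannot carry a different issuer, key or SAN set;
        # treat that as a corrupted snapshot rather than reporting drift.
        raise ValueError(f"{endpoint}: inconsistent snapshots for {cur.fingerprint}")
    events: list[DriftEvent] = []
    if prev.fingerprint != cur.fingerprint:
        events.append(DriftEvent(endpoint, "fingerprint", prev.fingerprint, cur.fingerprint))
    if prev.issuer != cur.issuer:
        events.append(DriftEvent(endpoint, "issuer", prev.issuer, cur.issuer))
    if prev.spki_hash != cur.spki_hash:
        events.append(DriftEvent(endpoint, "public_key", prev.spki_hash, cur.spki_hash))
    if prev.sans != cur.sans:
        events.append(DriftEvent(endpoint, "san_set",
                                 tuple(sorted(prev.sans)), tuple(sorted(cur.sans))))
    return events


def drift_history(endpoint: str, snapshots: list[CertSnapshot]) -> list[DriftEvent]:
    """Replay scans in order and return the per-endpoint audit trail."""
    trail: list[DriftEvent] = []
    prev: CertSnapshot | None = None
    for snap in snapshots:
        trail.extend(detect_drift(endpoint, prev, snap))
        prev = snap
    return trail


# Constructed scan history for one endpoint (hash values are placeholders).
ENDPOINT = "www.example.com:443"
SCANS = [
    # baseline
    CertSnapshot("fp-0001", "CN=Example Issuing CA 1", "spki-aaaa",
                 frozenset({"www.example.com"})),
    # routine renewal: same CA, same key, new certificate
    CertSnapshot("fp-0002", "CN=Example Issuing CA 1", "spki-aaaa",
                 frozenset({"www.example.com"})),
    # CA migration with key rotation and a SAN added
    CertSnapshot("fp-0003", "CN=Example Issuing CA 2", "spki-bbbb",
                 frozenset({"www.example.com", "example.com"})),
]

if __name__ == "__main__":
    for ev in drift_history(ENDPOINT, SCANS):
        print(f"{ev.endpoint} {ev.kind}: {ev.before} -> {ev.after}")
```

Note that a plain renewal produces only a fingerprint event, while a CA migration with key rotation produces four; reading the kinds together is what lets an operator tell a routine renewal from a change that needs a second look.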
06 PQC classification
Each discovered cert is classified for post-quantum readiness:
- vulnerable — RSA, classical ECC. Crackable by future cryptographically-relevant quantum computers.
- hybrid — combined classical + PQ algorithm. Transitional.
- pqc — pure post-quantum. ML-DSA, SLH-DSA.
The dashboard shows the inventory split. Most environments are 100% vulnerable today; the value is knowing where you'd start migrating.
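The following added example (not CertAutoPilot's own rules engine) serves both the findings table in section 03 and the PQC classification above: it evaluates a scanned endpoint against each finding in the table, ranks the result by severity, classifies the key algorithm as vulnerable, hybrid or pqc, and totals the inventory split. The endpoint record shape, the subject-equals-issuer self-signed heuristic, the "classical+pq" naming for hybrid keys and the sample endpoints are assumptions.

```python
"""Security findings and post-quantum classification for a scanned endpoint.

Added illustration, not CertAutoPilot's own rules engine. Finding names and
severities come from the findings table; the endpoint record shape, the
self-signed heuristic, the hybrid naming convention and the sample data are
assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

SEVERITY_ORDER = ["info", "low", "medium", "high", "critical"]
WEAK_SIG_ALGS = {"md5WithRSAEncryption", "sha1WithRSAEncryption", "ecdsa-with-SHA1"}
DEPRECATED_TLS = {"TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC3", "EXPORT", "EXP-")


@dataclass
class Endpoint:
    host: str
    port: int
    tls_version: str      # negotiated protocol, e.g. "TLSv1.2"
    cipher: str           # negotiated cipher suite, OpenSSL-style name
    sig_alg: str          # certificate signature algorithm
    key_alg: str          # subject key algorithm: "RSA", "EC", "ML-DSA-65", "EC+ML-DSA-44"
    subject: str
    issuer: str
    not_after: datetime
    sans: list[str] = field(default_factory=list)
    production_zone: bool = False
    managed: bool = False


def pqc_class(key_alg: str) -> str:
    """Classify a key algorithm as 'vulnerable', 'hybrid' or 'pqc'.

    Assumed naming: pure PQ keys start with ML-DSA or SLH-DSA, a hybrid is
    written 'classical+pq', and anything else (RSA, classical ECC) is vulnerable.
    """
    alg = key_alg.upper()
    parts = alg.split("+")
    if len(parts) == 2 and parts[1].startswith(("ML-DSA", "SLH-DSA")):
        return "hybrid"
    if alg.startswith(("ML-DSA", "SLH-DSA")):
        return "pqc"
    return "vulnerable"


def findings(ep: Endpoint, now: datetime) -> list[tuple[str, str]]:
    """Return (finding, severity) pairs for one endpoint evaluated at `now`."""
    out: list[tuple[str, str]] = []
    if ep.not_after <= now:
        out.append(("Expired certificate", "critical"))
    # Heuristic: subject == issuer. A full check verifies the signature with
    # the certificate's own public key.
    if ep.subject == ep.issuer and ep.production_zone:
        out.append(("Self-signed in production zone", "high"))
    if ep.sig_alg in WEAK_SIG_ALGS:
        out.append(("Weak signature (SHA-1, MD5)", "high"))
    if ep.tls_version in DEPRECATED_TLS:
        out.append(("Deprecated TLS (1.0, 1.1)", "high"))
    if any(marker in ep.cipher.upper() for marker in WEAK_CIPHER_MARKERS):
        out.append(("Weak cipher (RC4, 3DES, EXPORT)", "high"))
    if now < ep.not_after <= now + timedelta(days=14) and not ep.managed:
        out.append(("Expiring < 14 days, not managed", "medium"))
    if pqc_class(ep.key_alg) == "vulnerable":
        out.append(("PQC-vulnerable (RSA, classical ECC)", "info"))
    # SANs that differ only in case, e.g. "www.Example.com" beside "www.example.com"
    if len({s.lower() for s in ep.sans}) < len(set(ep.sans)):
        out.append(("Mixed-case SAN duplicates", "low"))
    return out


def max_severity(found: list[tuple[str, str]]) -> str | None:
    """Highest severity among findings, or None when the endpoint is clean."""
    if not found:
        return None
    return max((sev for _, sev in found), key=SEVERITY_ORDER.index)


def inventory_split(endpoints: list[Endpoint]) -> dict[str, int]:
    """Count endpoints per PQC class, as the dashboard split would show."""
    split = {"vulnerable": 0, "hybrid": 0, "pqc": 0}
    for ep in endpoints:
        split[pqc_class(ep.key_alg)] += 1
    return split


# Constructed sample scan, evaluated at a fixed instant so results are stable.
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
SAMPLE_ENDPOINTS = [
    Endpoint("legacy.example.com", 443, "TLSv1", "RC4-SHA", "sha1WithRSAEncryption", "RSA",
             "CN=legacy.example.com", "CN=legacy.example.com", NOW - timedelta(days=3),
             ["legacy.example.com"], production_zone=True),
    Endpoint("www.example.com", 443, "TLSv1.3", "TLS_AES_256_GCM_SHA384", "ecdsa-with-SHA256",
             "EC", "CN=www.example.com", "CN=Example Issuing CA 1", NOW + timedelta(days=10),
             ["www.example.com", "www.Example.com"]),
    Endpoint("pq.example.com", 8443, "TLSv1.3", "TLS_AES_128_GCM_SHA256", "ML-DSA-65",
             "ML-DSA-65", "CN=pq.example.com", "CN=Example PQ CA", NOW + timedelta(days=300),
             ["pq.example.com"], managed=True),
]

if __name__ == "__main__":
    for ep in SAMPLE_ENDPOINTS:
        print(ep.host, pqc_class(ep.key_alg), max_severity(findings(ep, NOW)), findings(ep, NOW))
    print(inventory_split(SAMPLE_ENDPOINTS))
```

Evaluating against a fixed `now` rather than the wall clock is deliberate: it makes the findings reproducible in tests and lets a re-scan be compared with the previous one on equal terms.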
07 Managed transition
Discovered certificates are read-only by default. To bring one under management:
- From Discovery → Inventory, locate the unmanaged cert.
- Click Manage on that row (or open the cert detail page and use the same action) — opens the Manage wizard.
- Pick an issuer and a key type for the next renewal.
- Optionally attach distribution targets — typically the same endpoint that's already serving the cert.
- Confirm.
The next renewal goes through the standard lifecycle. Until then the discovered cert keeps appearing in scans, and CertAutoPilot will warn if its fingerprint diverges.