Certificate discovery
Find the certs you don't know about. Scan IP/CIDR ranges, watch CT logs for new issuances, check OCSP/CRL revocation status, detect drift, and transition discovered certs to managed lifecycle.
Discovery sources
A discovery source tells CertAutoPilot where to look for unmanaged certificates. Source types: CIDR/IP scan, hostname list, DNS zone transfer (AXFR), and CT log monitor. All feed one inventory. Network scans are SNI-aware, so certificates behind SNI-routed frontends are discovered too.
AXFR (DNS zone transfer) discovery
Name-first discovery for SNI-routed frontends. Pull every host from your internal DNS zones via zone transfer (AXFR), then probe each IP with its own hostname as SNI so every distinct certificate behind an ingress, content switch, or virtual-host load balancer is discovered.
Discovery inventory
The inventory is the union of every certificate discovered across your configured sources, de-duplicated by SHA-256 fingerprint. Filter, sort, cross-reference with managed certs, and export โ the inventory is where you answer "what certs do we actually have?"
Discovery findings
Findings are the actionable output of discovery. Every scan produces zero or more findings per endpoint: weak ciphers, deprecated TLS, expiring certificates, self-signed, PQC vulnerabilities. Each has a severity, a suggested remediation, and a status you can advance (open โ triaged โ resolved).
Manage wizard
Adopt a discovered certificate into full CertAutoPilot management. The wizard walks through issuer binding, renewal config, and (optionally) a distribution attachment โ after which the previously-shadow cert becomes a managed record with all the lifecycle machinery behind it.
PQC readiness
Post-Quantum Cryptography (PQC) readiness classifies every discovered certificate by how well its key material will age when quantum computers can break classical public-key crypto. Four buckets: vulnerable, transition, ready, unknown. The score feeds into risk, dashboards, and the finding system.
Certificate Transparency monitoring
Watch public CT logs (via crt.sh) for certificates issued for your domains โ catch shadow IT and rogue issuance, flag certificates from unexpected CAs.