Certificate discovery
Find the certs you don't know about. Scan IP/CIDR ranges, watch CT logs for new issuances, check OCSP/CRL revocation status, detect drift, and transition discovered certs to managed lifecycle.
Discovery sources
A discovery source is a recurring scan definition. Four types:
- CIDR / IP — IP ranges + ports. The worker opens TLS connections and captures the certificate chain. SNI-aware, so certs behind SNI-routed frontends are found too (see below).
- Hostname — explicit FQDN targets, each probed with its own name as SNI. Useful for names that don't appear in any CIDR you control.
- DNS Zone Transfer (AXFR) — transfers your internal DNS zones and probes each host with the correct SNI. The authoritative way to enumerate every certificate behind an ingress / content switch. See AXFR discovery.
- CT log monitor — subscribes to Certificate Transparency logs and matches issuances against domains you own.
SNI-aware discovery
A single IP:port behind an ingress, content switch, or virtual-host load balancer can serve many certificates, chosen by the SNI in the handshake. Network scans run deep SNI discovery — probing each IP with names mined from cert SANs, reverse DNS, and a cross-source candidate pool — so hidden certs surface instead of only the default one. For authoritative enumeration, use an AXFR source. See Discovery sources.
Scheduling
Each source has its own cadence — once, daily, weekly, or a cron expression for finer control. The scheduler smears scan starts within the cadence window so you don't get a thundering herd at midnight UTC.
Security findings
Every scan produces zero or more findings on each endpoint. Severity ranges from info to critical:
| Finding | Severity |
|---|---|
| Expired certificate | critical |
| Self-signed in production zone | high |
| Weak key (RSA < 2048-bit) | high |
| Weak signature (SHA-1, MD5) | high |
| Deprecated TLS (1.0, 1.1) | high |
| Weak cipher (RC4, 3DES, EXPORT) | high |
| Expiring < 14 days, not managed | medium |
| SNI required, no certificate discovered | medium |
| Ingress/default placeholder certificate | low |
| PQC-vulnerable (RSA, classical ECC) | info |
RSA-2048 is not flagged (still acceptable today); only keys smaller than 2048 bits are. The SNI required finding marks a visible blind spot — an IP:port that rejects SNI-less handshakes where no certificate could be enumerated (consider an AXFR source).
OCSP & CRL
For each discovered certificate the scanner extracts AIA OCSP responder URLs and CRL distribution points, then queries them. Revoked certs become a critical finding immediately.
CertAutoPilot caches OCSP responses for the validity period the responder advertises, so re-scans are cheap.
Drift detection
On every recurring scan, CertAutoPilot diffs the captured certificate against the previous snapshot. A drift event fires when:
- The fingerprint changes (cert was replaced).
- The issuer changes (CA migration).
- The public key changes (key rotation).
- The SAN set changes.
Each drift event is its own audit entry, so you can see the full history per endpoint.
PQC classification
Each discovered cert is classified for post-quantum readiness:
- vulnerable — RSA, classical ECC. Crackable by future cryptographically-relevant quantum computers.
- hybrid — combined classical + PQ algorithm. Transitional.
- pqc — pure post-quantum. ML-DSA, SLH-DSA.
The dashboard shows the inventory split. Most environments are 100% vulnerable today; the value is knowing where you'd start migrating.
Managed transition
Discovered certificates are read-only by default. To bring one under management:
- From Discovery → Inventory, locate the unmanaged cert.
- Click Manage on that row (or open the cert detail page and use the same action) — opens the Manage wizard.
- Pick an issuer and a key type for the next renewal.
- Optionally attach distribution targets — typically the same endpoint that's already serving the cert.
- Confirm.
The next renewal goes through the standard lifecycle. Until then the discovered cert keeps appearing in scans, and CertAutoPilot will warn if its fingerprint diverges.