Skip to main content

Certificate discovery

Find the certs you don't know about. Scan IP/CIDR ranges, watch CT logs for new issuances, check OCSP/CRL revocation status, detect drift, and transition discovered certs to managed lifecycle.

Discovery sources

A discovery source is a recurring scan definition. Four types:

  • CIDR / IP — IP ranges + ports. The worker opens TLS connections and captures the certificate chain. SNI-aware, so certs behind SNI-routed frontends are found too (see below).
  • Hostname — explicit FQDN targets, each probed with its own name as SNI. Useful for names that don't appear in any CIDR you control.
  • DNS Zone Transfer (AXFR) — transfers your internal DNS zones and probes each host with the correct SNI. The authoritative way to enumerate every certificate behind an ingress / content switch. See AXFR discovery.
  • CT log monitor — subscribes to Certificate Transparency logs and matches issuances against domains you own.

SNI-aware discovery

A single IP:port behind an ingress, content switch, or virtual-host load balancer can serve many certificates, chosen by the SNI in the handshake. Network scans run deep SNI discovery — probing each IP with names mined from cert SANs, reverse DNS, and a cross-source candidate pool — so hidden certs surface instead of only the default one. For authoritative enumeration, use an AXFR source. See Discovery sources.

Scheduling

Each source has its own cadence — once, daily, weekly, or a cron expression for finer control. The scheduler smears scan starts within the cadence window so you don't get a thundering herd at midnight UTC.

Security findings

Every scan produces zero or more findings on each endpoint. Severity ranges from info to critical:

FindingSeverity
Expired certificatecritical
Self-signed in production zonehigh
Weak key (RSA < 2048-bit)high
Weak signature (SHA-1, MD5)high
Deprecated TLS (1.0, 1.1)high
Weak cipher (RC4, 3DES, EXPORT)high
Expiring < 14 days, not managedmedium
SNI required, no certificate discoveredmedium
Ingress/default placeholder certificatelow
PQC-vulnerable (RSA, classical ECC)info

RSA-2048 is not flagged (still acceptable today); only keys smaller than 2048 bits are. The SNI required finding marks a visible blind spot — an IP:port that rejects SNI-less handshakes where no certificate could be enumerated (consider an AXFR source).

OCSP & CRL

For each discovered certificate the scanner extracts AIA OCSP responder URLs and CRL distribution points, then queries them. Revoked certs become a critical finding immediately.

CertAutoPilot caches OCSP responses for the validity period the responder advertises, so re-scans are cheap.

Drift detection

On every recurring scan, CertAutoPilot diffs the captured certificate against the previous snapshot. A drift event fires when:

  • The fingerprint changes (cert was replaced).
  • The issuer changes (CA migration).
  • The public key changes (key rotation).
  • The SAN set changes.

Each drift event is its own audit entry, so you can see the full history per endpoint.

PQC classification

Each discovered cert is classified for post-quantum readiness:

  • vulnerable — RSA, classical ECC. Crackable by future cryptographically-relevant quantum computers.
  • hybrid — combined classical + PQ algorithm. Transitional.
  • pqc — pure post-quantum. ML-DSA, SLH-DSA.

The dashboard shows the inventory split. Most environments are 100% vulnerable today; the value is knowing where you'd start migrating.

Managed transition

Discovered certificates are read-only by default. To bring one under management:

  1. From Discovery → Inventory, locate the unmanaged cert.
  2. Click Manage on that row (or open the cert detail page and use the same action) — opens the Manage wizard.
  3. Pick an issuer and a key type for the next renewal.
  4. Optionally attach distribution targets — typically the same endpoint that's already serving the cert.
  5. Confirm.

The next renewal goes through the standard lifecycle. Until then the discovered cert keeps appearing in scans, and CertAutoPilot will warn if its fingerprint diverges.

See also