Discovery sources
A discovery source tells CertAutoPilot where to look for certificates that are not yet managed. All sources feed the same inventory.
Source types
| Type | Input | Use case |
|---|---|---|
| CIDR / IP | IP ranges + ports | Known infrastructure — discover what's serving TLS in a subnet. |
| Hostname | FQDN list + ports | Services on cloud LBs / no stable IP. |
| DNS Zone Transfer (AXFR) | DNS resolvers + zones | SNI-routed frontends — enumerate every distinct cert behind one IP. See AXFR discovery. |
| CT log monitor | Domains | Shadow IT — catch a cert issued outside your process. See CT monitoring. |
CT log monitoring depends on an external aggregator (crt.sh), which is often rate-limited or unavailable, so it is hidden from the source-type picker by default. For SNI-routed internal infrastructure, prefer AXFR — it is authoritative and needs no external service.
CIDR / IP scan
- Discovery → Sources → New → type CIDR / IP.
- Fields:
- Records:
10.0.0.0/24,10.0.0.1— one CIDR or IP per row, each with its own ports. - Ports: default
443. Any TLS-speaking port works (8443, LDAPS636, IMAPS993, SMTPS465). - Allow Public IP Scan: off by default — only private (RFC1918) ranges are scanned. Turn on to scan public IPs you're authorized to assess.
- Deep SNI Discovery + SNI candidate budget: see SNI-aware discovery below.
- DNS lookup timeout / pool deadline: per-source DNS tuning, see DNS resolvers.
- Schedule / Timeout per host / Max targets: standard scan controls.
- Records:
- Save. A live estimate shows the base target count (
≈ IPs × ports); deep-SNI expansion is adaptive on top of that.
Hostname scan
Type Hostname. Records are FQDNs (app.example.com) instead of CIDRs; each is probed with its own name as SNI. Useful for endpoints that don't sit in a CIDR you can enumerate.
AXFR & CT sources
- DNS Zone Transfer (AXFR) — name-first discovery for SNI-routed infrastructure. Full setup (DNS-side config for Windows/CoreDNS/BIND, resolvers, security): AXFR discovery.
- CT log monitor — Certificate Transparency audit for domains you own: CT monitoring.
SNI-aware discovery (deep SNI)
A single IP:port behind an ingress / content switch / virtual-host LB can serve many certificates, selected by the SNI in the TLS handshake. An SNI-less scan sees at most one of them (often a default/placeholder cert, or fails outright when the server enforces SNI). With Deep SNI Discovery on (the default), a network scan probes each responsive IP with additional server names to surface the hidden certificates:
- SAN-snowball — server names mined from the SANs of certificates already retrieved on that IP.
- Reverse DNS (PTR) — the name(s) the IP reverse-resolves to.
- Cross-source candidate pool — hostnames known to the project (previously discovered SANs, managed-cert domains, tracked domains, CT observations) that forward-resolve into the scanned range.
Each candidate is fingerprint-deduplicated, so exploration terminates. The SNI candidate budget (default 25, max 200) caps probes per IP:port — when it's reached the run logs a warning (never a silent miss). For authoritative enumeration behind SNI routing, use an AXFR source instead of relying on the candidate pool.
Endpoints record how each was found — discovery_method (no SNI, SAN crawl,
reverse DNS, candidate pool, hostname, zone transfer) and the SNI used —
and are flagged SNI required when the IP rejects SNI-less handshakes.
DNS resolvers
Deep SNI's forward/reverse resolution and AXFR need a resolver that can see your internal / split-horizon names:
- Settings → General → Discovery DNS Resolvers — DNS servers the scanner uses to resolve candidate names and do reverse-DNS. Kept separate from the DV-propagation resolvers (which are usually public). Empty = the worker's system resolver (not the public DV resolvers, which can't see internal names).
- Per source: DNS lookup timeout (default 2 s) and DNS pool deadline (default 30 s) bound resolution time.
Security & policy
Network scans route every dial through the outbound network policy:
- Cloud-metadata (
169.254.169.254, …), link-local, loopback, unspecified, and CGNAT addresses are always refused — even if listed explicitly or returned by a zone/PTR/candidate. - CIDR sources pin egress to exactly the declared ranges; AXFR sources pin to the exact IPs resolved from the zone (DNS-rebinding safe).
- Public IPs are only scanned when Allow Public IP Scan is enabled.
Execution model
- A source is executed by a
discovery_executejob on the worker queue. - The scheduler sweeps active sources on their cadence; manual triggers bypass it.
- A scan that is interrupted (worker shutdown) is marked cancelled; one with partial coverage (some AXFR zones failed, or DB write errors) is marked partial — in both cases the disappearance sweep is skipped so still-live endpoints aren't falsely removed.
What is stored
discovered_certificates— subject, SANs, issuer, validity, SHA-256 fingerprint, key/signature algorithm, PQC classification (PQC readiness).discovered_endpoints— one row per(source, host, port, SNI)where the cert was seen, plus TLS version, cipher suite, negotiated key-exchange group (quantum-safe KEX classification), discovery method, and the observing source.
The same IP:port:SNI found by two sources appears once per source; the inventory and cert detail show which source(s) observed each endpoint.
Re-runs and drift
A re-scan confirms existing entries or records a drift (fingerprint / issuer / key / SAN change) as a per-endpoint change with history — see findings.
Troubleshooting
Scan finds fewer certs than expected behind an ingress
The certs are SNI-routed and the candidate pool didn't have their names. Set up an AXFR source for authoritative enumeration, or add a Discovery DNS Resolver pointing at your internal DNS so candidate names resolve into the scanned range.
Scan is slow over WAN
Lower Timeout per host; unreachable hosts fail faster. Lower the SNI candidate budget to reduce handshakes per IP.
Scan result: network policy block
You targeted a refused address (metadata, link-local, loopback). Adjust the range, or point an AXFR/hostname source at reachable internal IPs.