Skip to main content

Discovery sources

A discovery source tells CertAutoPilot where to look for certificates that are not yet managed. All sources feed the same inventory.

Source types

TypeInputUse case
CIDR / IPIP ranges + portsKnown infrastructure — discover what's serving TLS in a subnet.
HostnameFQDN list + portsServices on cloud LBs / no stable IP.
DNS Zone Transfer (AXFR)DNS resolvers + zonesSNI-routed frontends — enumerate every distinct cert behind one IP. See AXFR discovery.
CT log monitorDomainsShadow IT — catch a cert issued outside your process. See CT monitoring.
note

CT log monitoring depends on an external aggregator (crt.sh), which is often rate-limited or unavailable, so it is hidden from the source-type picker by default. For SNI-routed internal infrastructure, prefer AXFR — it is authoritative and needs no external service.

CIDR / IP scan

  1. Discovery → Sources → New → type CIDR / IP.
  2. Fields:
    • Records: 10.0.0.0/24, 10.0.0.1 — one CIDR or IP per row, each with its own ports.
    • Ports: default 443. Any TLS-speaking port works (8443, LDAPS 636, IMAPS 993, SMTPS 465).
    • Allow Public IP Scan: off by default — only private (RFC1918) ranges are scanned. Turn on to scan public IPs you're authorized to assess.
    • Deep SNI Discovery + SNI candidate budget: see SNI-aware discovery below.
    • DNS lookup timeout / pool deadline: per-source DNS tuning, see DNS resolvers.
    • Schedule / Timeout per host / Max targets: standard scan controls.
  3. Save. A live estimate shows the base target count (≈ IPs × ports); deep-SNI expansion is adaptive on top of that.

Hostname scan

Type Hostname. Records are FQDNs (app.example.com) instead of CIDRs; each is probed with its own name as SNI. Useful for endpoints that don't sit in a CIDR you can enumerate.

AXFR & CT sources

  • DNS Zone Transfer (AXFR) — name-first discovery for SNI-routed infrastructure. Full setup (DNS-side config for Windows/CoreDNS/BIND, resolvers, security): AXFR discovery.
  • CT log monitor — Certificate Transparency audit for domains you own: CT monitoring.

SNI-aware discovery (deep SNI)

A single IP:port behind an ingress / content switch / virtual-host LB can serve many certificates, selected by the SNI in the TLS handshake. An SNI-less scan sees at most one of them (often a default/placeholder cert, or fails outright when the server enforces SNI). With Deep SNI Discovery on (the default), a network scan probes each responsive IP with additional server names to surface the hidden certificates:

  • SAN-snowball — server names mined from the SANs of certificates already retrieved on that IP.
  • Reverse DNS (PTR) — the name(s) the IP reverse-resolves to.
  • Cross-source candidate pool — hostnames known to the project (previously discovered SANs, managed-cert domains, tracked domains, CT observations) that forward-resolve into the scanned range.

Each candidate is fingerprint-deduplicated, so exploration terminates. The SNI candidate budget (default 25, max 200) caps probes per IP:port — when it's reached the run logs a warning (never a silent miss). For authoritative enumeration behind SNI routing, use an AXFR source instead of relying on the candidate pool.

Endpoints record how each was found — discovery_method (no SNI, SAN crawl, reverse DNS, candidate pool, hostname, zone transfer) and the SNI used — and are flagged SNI required when the IP rejects SNI-less handshakes.

DNS resolvers

Deep SNI's forward/reverse resolution and AXFR need a resolver that can see your internal / split-horizon names:

  • Settings → General → Discovery DNS Resolvers — DNS servers the scanner uses to resolve candidate names and do reverse-DNS. Kept separate from the DV-propagation resolvers (which are usually public). Empty = the worker's system resolver (not the public DV resolvers, which can't see internal names).
  • Per source: DNS lookup timeout (default 2 s) and DNS pool deadline (default 30 s) bound resolution time.

Security & policy

Network scans route every dial through the outbound network policy:

  • Cloud-metadata (169.254.169.254, …), link-local, loopback, unspecified, and CGNAT addresses are always refused — even if listed explicitly or returned by a zone/PTR/candidate.
  • CIDR sources pin egress to exactly the declared ranges; AXFR sources pin to the exact IPs resolved from the zone (DNS-rebinding safe).
  • Public IPs are only scanned when Allow Public IP Scan is enabled.

Execution model

  • A source is executed by a discovery_execute job on the worker queue.
  • The scheduler sweeps active sources on their cadence; manual triggers bypass it.
  • A scan that is interrupted (worker shutdown) is marked cancelled; one with partial coverage (some AXFR zones failed, or DB write errors) is marked partial — in both cases the disappearance sweep is skipped so still-live endpoints aren't falsely removed.

What is stored

  • discovered_certificates — subject, SANs, issuer, validity, SHA-256 fingerprint, key/signature algorithm, PQC classification (PQC readiness).
  • discovered_endpoints — one row per (source, host, port, SNI) where the cert was seen, plus TLS version, cipher suite, negotiated key-exchange group (quantum-safe KEX classification), discovery method, and the observing source.

The same IP:port:SNI found by two sources appears once per source; the inventory and cert detail show which source(s) observed each endpoint.

Re-runs and drift

A re-scan confirms existing entries or records a drift (fingerprint / issuer / key / SAN change) as a per-endpoint change with history — see findings.

Troubleshooting

Scan finds fewer certs than expected behind an ingress

The certs are SNI-routed and the candidate pool didn't have their names. Set up an AXFR source for authoritative enumeration, or add a Discovery DNS Resolver pointing at your internal DNS so candidate names resolve into the scanned range.

Scan is slow over WAN

Lower Timeout per host; unreachable hosts fail faster. Lower the SNI candidate budget to reduce handshakes per IP.

Scan result: network policy block

You targeted a refused address (metadata, link-local, loopback). Adjust the range, or point an AXFR/hostname source at reachable internal IPs.

See also