File System Scanner

The File System Scanner walks directory trees to find certificate and key files, parsing each one to extract cryptographic asset metadata.

Scans directories on the local filesystem (or mounted volumes) for certificate and key files. It identifies crypto files by extension and parses their contents.

Supported formats:

| Extension | Format |
| --- | --- |
| .pem | PEM-encoded certificates and keys |
| .crt, .cer | X.509 certificates (PEM or DER) |
| .der | DER-encoded certificates |
| .key | Private key files |
| .p12, .pfx | PKCS#12 bundles |
| .jks | Java KeyStore files |

  1. Walks the configured directory tree (respecting maxDepth)
  2. Identifies cryptographic files by file extension
  3. Parses each file to extract certificates, public keys, and private keys
  4. Handles multi-certificate PEM files (certificate bundles)
  5. Reports file path, permissions, and last-modified timestamp alongside asset metadata

```yaml
scanners:
  filesystem:
    - paths:
        - /etc/ssl/certs
        - /opt/app/keystores
        - /home/deploy/.ssh
      extensions:
        - .pem
        - .crt
        - .der
        - .p12
      recursive: true
      maxDepth: 5
```

| Parameter | Required | Default | Description |
| --- | --- | --- | --- |
| paths | Yes | | List of directories to scan |
| extensions | No | All supported | Filter to specific file extensions |
| recursive | No | true | Whether to scan subdirectories |
| maxDepth | No | 10 | Maximum directory depth for recursive scanning |

| Asset Type | What’s Captured |
| --- | --- |
| certificate | subject, issuer, serialNumber, signatureAlgorithm, validity dates, keyUsage, SAN, file path |
| private-key | Algorithm, key size, encrypted status, file path |
| public-key | Algorithm, key size, file path |

Certificates are deduplicated using SHA-256 of DER-encoded bytes. Keys are deduplicated using SHA-256 of the public key material. If the same certificate exists in multiple files, it appears once in inventory with all file locations referenced.
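
The walk and the deduplication rule above, sketched in Python as an added example (not the scanner's own code) and narrowed to PEM and DER certificates. The function names, the depth convention (the configured path is depth 0) and the sample tree are assumptions, and the sample DER blobs are constructed placeholders rather than real certificates.

```python
import base64, hashlib, os, re, ssl, stat, tempfile

PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
CERT_EXTS = {".pem", ".crt", ".cer", ".der"}

def cert_ders(data):
    """Yield the DER bytes of every certificate in a file (PEM bundle or raw DER)."""
    blocks = PEM_CERT.findall(data)
    for body in blocks:
        yield base64.b64decode(b"".join(body.split()))  # strip line wrapping / CRLF
    if not blocks and data[:1] == b"\x30":  # raw DER starts with an ASN.1 SEQUENCE tag
        yield data

def scan(root, max_depth=10):
    """Return {'sha256:<hex of DER>': [{'filePath', 'permissions'}, ...]}."""
    inventory, root = {}, os.path.abspath(root)
    for dirpath, dirnames, filenames in os.walk(root):
        # Assumption: the configured path is depth 0 and maxDepth counts levels below it.
        depth = 0 if dirpath == root else os.path.relpath(dirpath, root).count(os.sep) + 1
        if depth >= max_depth:
            dirnames[:] = []  # do not descend any further
        for name in sorted(filenames):
            if os.path.splitext(name)[1].lower() not in CERT_EXTS:
                continue
            path = os.path.join(dirpath, name)
            mode = format(stat.S_IMODE(os.stat(path).st_mode), "o")
            with open(path, "rb") as fh:
                for der in cert_ders(fh.read()):
                    fp = "sha256:" + hashlib.sha256(der).hexdigest()
                    inventory.setdefault(fp, []).append({"filePath": path, "permissions": mode})
    return inventory

def demo():
    """Scan a constructed tree; the DER blobs are placeholders, not real certificates."""
    a, b = b"\x30\x03\x02\x01\x01", b"\x30\x03\x02\x01\x02"
    pem = lambda der: ssl.DER_cert_to_PEM_cert(der).encode()
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "app", "deep"))
    files = {"a.pem": pem(a), "bundle.crt": pem(b) + pem(a).replace(b"\n", b"\r\n"),
             "app/a.der": a, "app/deep/b.pem": pem(b), "notes.txt": pem(b)}
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return scan(root, max_depth=1)

if __name__ == "__main__":
    for fingerprint, locations in demo().items():
        print(fingerprint, [loc["filePath"] for loc in locations])
```

Because the hash is taken over the decoded DER bytes, the copy of a certificate inside a CRLF-wrapped bundle and its raw `.der` copy collapse into one inventory entry with three locations, which a hash of the file contents would not do.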

  • Find all certificate and key files scattered across servers, including forgotten or unmanaged ones
  • Detect private keys with weak permissions (world-readable key files)
  • Identify expired certificates sitting on disk that may still be referenced by applications
  • Discover PKCS#12 bundles that contain both certificates and private keys

```json
{
  "type": "certificate",
  "fingerprint": "sha256:b2c3d4e5f6a7...",
  "subject": "CN=internal.service.local",
  "issuer": "CN=Corp Internal CA",
  "signatureAlgorithm": "SHA256withECDSA",
  "notValidBefore": "2023-06-01T00:00:00Z",
  "notValidAfter": "2025-06-01T00:00:00Z",
  "isCA": false,
  "source": {
    "scanner": "filesystem",
    "filePath": "/etc/ssl/certs/internal-service.pem",
    "lastModified": "2023-06-01T12:34:56Z",
    "permissions": "644"
  }
}
```
