Discovery & Inventory
Short Summary: Discovery is the process of finding certificates in your environment. Inventory is the unified database of those findings.
Discovery Concepts
1. Active Network Scanning
The Agent scans IP ranges (e.g., 10.0.0.0/24) on specific ports (443, 8443).
- Mechanism: TLS Handshake. The Agent opens a TLS connection (the ClientHello), the server presents its certificate, and the Agent records it.
- Pros: Finds undocumented “rogue” servers.
- Cons: Requires network reachability.
2. Passive Integration Sync
We connect to CAs and Cloud Providers to download their records.
- CA Sync: Download all certs issued by your DigiCert account.
- Cloud Sync: List all certs in AWS ACM or Azure Key Vault.
- Cons: Doesn’t tell you where the certificate is installed, only that it exists.
The Canonical Inventory
SSL-CLM merges findings into a Canonical Record.
- Identity: SHA-256 Fingerprint.
- Sources: A list of where it was seen.
  - Source A: Network Scan (Port 443 on WebServer01)
  - Source B: DigiCert API
Use Cases
- Audit: Find all certificates expiring in 30 days.
- Compliance: Find all certificates using SHA-1.
- Cleanup: Find certificates that are issued but not installed anywhere.
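To show how the canonical inventory and the three use cases above fit together, here is an added example (not SSL-CLM’s own code) that merges constructed scan and CA-sync findings into one record per SHA-256 fingerprint and then runs the audit, compliance and cleanup queries over it. The fingerprints, hostnames, dates and the field names `source`/`where` are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample findings (hypothetical values, not real certificates).
# Each entry is one observation of a certificate by one discovery source:
# "scan" findings carry a location, integration syncs only prove the cert exists.
FINDINGS = [
    {"sha256": "aa" * 32, "source": "scan", "where": "WebServer01:443",
     "not_after": "2025-02-10T00:00:00Z", "sig_alg": "sha256WithRSAEncryption"},
    {"sha256": "aa" * 32, "source": "digicert", "where": None,
     "not_after": "2025-02-10T00:00:00Z", "sig_alg": "sha256WithRSAEncryption"},
    {"sha256": "bb" * 32, "source": "digicert", "where": None,
     "not_after": "2026-01-01T00:00:00Z", "sig_alg": "sha256WithRSAEncryption"},
    {"sha256": "cc" * 32, "source": "scan", "where": "legacy-app:8443",
     "not_after": "2025-09-01T00:00:00Z", "sig_alg": "sha1WithRSAEncryption"},
]
# Fixed reference time so the audit query is deterministic.
NOW = datetime(2025, 1, 20, tzinfo=timezone.utc)

@dataclass
class CanonicalRecord:
    sha256: str                                  # identity of the record
    not_after: datetime
    sig_alg: str
    sources: list = field(default_factory=list)  # every (source, where) it was seen

def build_inventory(findings):
    """Merge per-source findings into one canonical record per SHA-256 fingerprint."""
    inventory = {}
    for f in findings:
        rec = inventory.get(f["sha256"])
        if rec is None:
            rec = CanonicalRecord(
                sha256=f["sha256"],
                not_after=datetime.fromisoformat(f["not_after"].replace("Z", "+00:00")),
                sig_alg=f["sig_alg"])
            inventory[f["sha256"]] = rec
        rec.sources.append((f["source"], f["where"]))  # keep every sighting
    return inventory

def expiring_within(inventory, now, days=30):
    """Audit: fingerprints of certificates expiring within `days` of `now`."""
    cutoff = now + timedelta(days=days)
    return sorted(r.sha256 for r in inventory.values() if now <= r.not_after <= cutoff)

def using_sha1(inventory):
    """Compliance: fingerprints of certificates signed with a SHA-1 based algorithm."""
    return sorted(r.sha256 for r in inventory.values() if r.sig_alg.lower().startswith("sha1"))

def issued_not_installed(inventory):
    """Cleanup: certificates known only from CA/cloud syncs, never seen by a network scan."""
    return sorted(r.sha256 for r in inventory.values()
                  if not any(src == "scan" for src, _ in r.sources))
```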