docs/documentation/platform/pki/discovery/network.mdx
Network discovery scans network endpoints over TLS to discover certificates served by hosts across IP ranges and domains. Optionally, you can use an Infisical Gateway to reach endpoints in private networks that are not accessible from the internet.
<Note>
If you are self-hosting Infisical, you can alternatively set the [`ALLOW_INTERNAL_IP_CONNECTIONS`](/self-hosting/configuration/envars#param-allow-internal-ip-connections) environment variable to `true` on your instance to scan private networks directly without a gateway.
</Note>
<Tabs>
<Tab title="Infisical UI">
1. In **Certificate Manager**, go to **Discovery** and click **Add Job**.
2. Fill in the discovery job details and click **Create**:
- **Name**: A slug-friendly name for the discovery job (e.g., `prod-tls-scan`).
- **Description**: An optional description.
- **Targets**: Domains, IP addresses, or CIDR ranges to scan (e.g., `example.com`, `192.168.1.1`, `10.0.0.0/24`).
- **Ports**: Ports to scan for TLS certificates. Defaults to common TLS ports if not specified.
- **Gateway** (optional): The Infisical Gateway for scanning private networks.
- **Auto Scan**: Enable automatic periodic scanning with a configurable interval.
<Note>
At least one target (domain or IP) must be specified.
</Note>
3. Trigger a scan manually by pressing **Scan Now**, or wait for the next automatic scan if enabled.
4. After a scan completes, view the results:
- **Installations**: Unique locations where certificates were found.
- **Certificates**: Details including common name, issuer, and expiration date.
- **Scan History**: Log of all scans with status and timestamps.
### Sample request
```bash Request
curl --request POST \
--url https://app.infisical.com/api/v1/pki/discovery \
--header 'Authorization: Bearer <access-token>' \
--header 'Content-Type: application/json' \
--data '{
"name": "prod-tls-scan",
"description": "Scan production network for TLS certificates",
"type": "network-tls",
"gatewayId": "550e8400-e29b-41d4-a716-446655440000",
"isAutoScanEnabled": true,
"scanIntervalInDays": 1,
"targetConfig": {
"ipRanges": ["10.0.0.0/24", "192.168.1.1"],
"domains": ["example.com"],
"ports": "443, 8443"
}
}'
```
To trigger a scan, make a request to the [Trigger Scan](/api-reference/endpoints/pki-discovery/trigger-scan) endpoint:
```bash Request
curl --request POST \
--url https://app.infisical.com/api/v1/pki/discovery/<discoveryId>/scan \
--header 'Authorization: Bearer <access-token>'
```
The following limits apply to Network discovery jobs:
/24 (256 hosts)
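
The following pre-flight check for a discovery job request body is an added example, not part of Infisical's code or API. It assumes that the `/24 (256 hosts)` limit caps the size of a single IPv4 CIDR entry and that "slug-friendly" means lowercase letters, digits and hyphens; `check_job`, `parse_ports` and `SAMPLE` are hypothetical names.

```python
import ipaddress
import re

MAX_PREFIX_V4 = 24  # assumption: "/24 (256 hosts)" caps the size of one CIDR entry
SLUG = re.compile(r"[a-z0-9]+(-[a-z0-9]+)*")  # assumption: meaning of "slug-friendly"

# Constructed sample: same shape as the request body in the sample request above.
SAMPLE = {
    "name": "prod-tls-scan",
    "gatewayId": "550e8400-e29b-41d4-a716-446655440000",
    "targetConfig": {"ipRanges": ["10.0.0.0/24", "192.168.1.1"],
                     "domains": ["example.com"], "ports": "443, 8443"},
}

def parse_ports(ports):
    """Turn the comma-separated ports string ("443, 8443") into validated ints."""
    parsed = []
    for part in (p.strip() for p in ports.split(",")):
        if not re.fullmatch(r"[0-9]{1,5}", part) or not 1 <= int(part) <= 65535:
            raise ValueError(f"invalid port: {part!r}")
        parsed.append(int(part))
    return parsed

def check_job(body):
    """Return the problems found in a discovery job body (empty list = none)."""
    problems = []
    cfg = body.get("targetConfig", {})
    ranges, domains = cfg.get("ipRanges", []), cfg.get("domains", [])
    if not SLUG.fullmatch(body.get("name", "")):
        problems.append("name is not slug-friendly")
    if not ranges and not domains:
        problems.append("at least one target (domain or IP) must be specified")
    try:
        if cfg.get("ports"):  # ports are optional; defaults apply when omitted
            parse_ports(cfg["ports"])
    except ValueError as exc:
        problems.append(str(exc))
    for entry in ranges:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            problems.append(f"{entry}: not an IP address or CIDR range")
            continue
        if net.version == 4 and net.prefixlen < MAX_PREFIX_V4:
            problems.append(f"{entry}: larger than /{MAX_PREFIX_V4} (256 hosts)")
        if net.is_private and not body.get("gatewayId"):
            problems.append(f"{entry}: private target but no gatewayId set")
    return problems
```

On a self-hosted instance with `ALLOW_INTERNAL_IP_CONNECTIONS` set to `true`, the "private target" finding can be ignored, since private networks are then scanned directly without a gateway.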