
Certificate Discovery


Certificate Discovery automatically scans your infrastructure to find certificates you may not know exist. This gives you full visibility into your organization's certificate landscape — helping you identify expiring certificates, misconfigurations, and shadow PKI.

How It Works

Discovery jobs scan your infrastructure and organize results as installations — unique locations where certificates were found. Each installation tracks certificates discovered at that location across multiple scans, allowing you to monitor changes over time.

<CardGroup cols={2}>
  <Card title="Network Discovery" icon="network-wired" href="/documentation/platform/pki/discovery/network">
    Scan network endpoints over TLS to discover certificates served by hosts across IP ranges and domains.
  </Card>
</CardGroup>

<Note>
  Additional discovery types (cloud providers, file systems, etc.) will be added in future releases.
</Note>

Installations

An installation represents a unique location where a certificate was discovered — for example, a specific hostname and port combination.

View installations:

  • From the Installations tab on the Discovery page
  • From a specific discovery job's detail page
  • From a certificate's detail page (shows where that certificate is deployed)

Certificate Matching

Discovered certificates are matched to your existing inventory by fingerprint. If a discovered certificate matches one in your Infisical organization, the installation is linked to that certificate — giving you a unified view of where your certificates are deployed.

FAQ

<AccordionGroup>
  <Accordion title="How are discovered certificates matched to existing certificates?">
    Discovered certificates are matched by their fingerprint (SHA-256 hash of the DER-encoded certificate). If a discovered certificate matches an existing certificate in your organization, the installation is linked to that certificate.
  </Accordion>
  <Accordion title="What happens when a certificate changes at an endpoint?">
    When a subsequent scan detects a different certificate at a location, the installation is updated to reflect the new certificate. The previous certificate association is preserved in the scan history.
  </Accordion>
  <Accordion title="Can I import discovered certificates into my inventory?">
    Yes — if a discovered certificate doesn't match any existing certificate, you can import it into your inventory to track and manage it alongside certificates issued through Infisical.
  </Accordion>
</AccordionGroup>
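The fingerprint matching and change tracking described under Certificate Matching and in the FAQ, sketched in Python as an added example (this is not Infisical's code). The `Discovery` class, its method names and the sample byte strings are assumptions made for illustration; it also normalizes colon-separated fingerprints so that inventory entries in different formats still match.

```python
from __future__ import annotations
import hashlib
import ssl

def fingerprint(cert) -> str:
    """SHA-256 over the DER bytes, lowercase hex. PEM text is decoded to DER first,
    so one certificate yields one fingerprint regardless of how it was captured."""
    if isinstance(cert, str):
        cert = ssl.PEM_cert_to_DER_cert(cert.strip())
    return hashlib.sha256(cert).hexdigest()

def normalize(fp: str) -> str:
    """Accept plain hex, 'AA:BB:...' or '... Fingerprint=AA:BB:...'; return lowercase hex."""
    fp = fp.split("=", 1)[-1].replace(":", "").strip().lower()
    if len(fp) != 64 or set(fp) - set("0123456789abcdef"):
        raise ValueError("not a SHA-256 fingerprint: %r" % fp)
    return fp

class Discovery:
    """Hypothetical model: one installation per (host, port) location."""
    def __init__(self, inventory):
        self.inventory = {normalize(fp): name for fp, name in inventory.items()}
        self.installations = {}  # (host, port) -> {"current": fp, "history": [fp, ...]}

    def record(self, host, port, cert):
        """Record one scan result; return the matched inventory name, or None."""
        fp = fingerprint(cert)
        inst = self.installations.setdefault((host, port), {"current": None, "history": []})
        if inst["current"] != fp:       # first sighting, or the endpoint's certificate changed
            inst["history"].append(fp)  # earlier associations stay in the history
            inst["current"] = fp
        return self.inventory.get(fp)

    def deployed_at(self, name):
        """Locations currently serving the named inventory certificate."""
        return sorted(loc for loc, i in self.installations.items()
                      if self.inventory.get(i["current"]) == name)

    def import_candidates(self):
        """Fingerprints currently served somewhere with no inventory match."""
        current = {i["current"] for i in self.installations.values()}
        return sorted(current - set(self.inventory))

# Constructed stand-ins for DER bytes (not real X.509); only the bytes matter to the hash.
CERT_A = b"constructed-der-bytes-for-cert-A"
CERT_B = b"constructed-der-bytes-for-cert-B"

if __name__ == "__main__":
    d = Discovery({fingerprint(CERT_A).upper(): "api-cert"})
    print(d.record("10.0.0.5", 443, CERT_A), d.record("10.0.0.5", 443, CERT_B))
```

In a live scan the DER bytes would come from the TLS handshake, for example `ssl.SSLSocket.getpeercert(binary_form=True)` in Python.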

What's Next?

<CardGroup cols={2}>
  <Card title="Network Discovery" icon="network-wired" href="/documentation/platform/pki/discovery/network">
    Scan TLS endpoints across IP ranges and domains.
  </Card>
  <Card title="Applications" icon="grid-2" href="/documentation/platform/pki/applications/overview">
    Issue and manage certificates for your services.
  </Card>
  <Card title="Alerting" icon="bell" href="/documentation/platform/pki/applications/alerting/overview">
    Get notified when discovered certificates expire.
  </Card>
  <Card title="Certificate Syncs" icon="arrows-rotate" href="/documentation/platform/pki/applications/certificate-syncs/overview">
    Push certificates to cloud destinations.
  </Card>
</CardGroup>