Certificate Discovery

When managing digital certificates, the first step is knowing what you have. Many organizations are surprised to find certificates in unexpected places, sometimes unmanaged or close to expiry. Certificate discovery helps you gain visibility and control, supporting compliance and reducing risk.

What Is Certificate Discovery?

Certificate discovery is the process of scanning your network and systems to identify all existing digital certificates, regardless of how or where they were issued. This includes certificates on web servers, applications, devices, and even legacy systems.

Digital certificates have a limited validity period and become useless once they expire, potentially causing service disruptions or complete outages. A reliable discovery mechanism helps you locate and manage these certificates to avoid such undesirable outcomes. Additionally, comprehensive certificate tracking allows you to identify mis-issued certificates and easily enforce policies related to cryptographic mechanisms.

How Certificate Discovery Works in MTG-CLM

MTG-CLM automates certificate discovery using network-based scanning. The system:

Systematically scans for unknown certificates across your entire network infrastructure.
Identifies both public and private TLS/SSL certificates.
Adds discovered certificates to your centralized inventory.
Analyzes deployed certificates for cryptographic primitives and potential risks.
Monitors certificates for upcoming expirations.

Technical Implementation

MTG-CLM consists of two key components for discovery:

The CLM Server: The central component of the MTG ERS system that provides a REST API for secure access by authenticated and authorized clients.
ERS CLI Clients: Command Line Interface clients that consume the REST API of MTG-CLM. These clients can:
- Log in to MTG-CLM and request certificates.
- Scan specific ports or port ranges of systems in their network.
- Be installed using standard mechanisms (RPM, Debian packages, or EXE files).
- Run independently without additional dependencies.

When the ERS client scans, it attempts to establish a TLS connection to the specified servers and ports. Upon successfully establishing a connection, it downloads the server certificates and pushes them to the CLM component along with metadata via the REST API. MTG-CLM verifies the client’s identity and stores the certificates and metadata in its database.

Configuring Discovery Scans

You can configure the ERS CLI client to scan specific servers, IP ranges, and ports:

ers discover --servers mail.example.com
ers discover --servers "mail.example.com,web.example.com" --ports "8443,9443"
ers discover --servers server1.example.com --ports "8000-9000,9443"
ers discover --ips 198.51.100.0/24 --ports "8000-9000"

Consecutive calls to ers discover add additional servers or reconfigure the ports to scan.

To execute the scan with the configured parameters:

ers scan

For automated regular scanning, the ers scan command is typically placed in a crontab statement with the desired execution time.

Discovery Features in MTG-CLM

Network-based Scanning: Discover certificates across diverse environments without installing agents on every system.
Comprehensive Inventory: Create a complete digital inventory of all company public and private TLS/SSL certificates.
Risk Analysis: Identify certificates using outdated cryptographic algorithms or approaching expiration.
Dashboard Integration: View discovered certificates through intuitive dashboards that provide a complete visual overview.
Expiration Monitoring: Stay informed about upcoming certificate expirations to prevent outages.
Policy Enforcement: Apply flexible certificate policies to monitor, notify, and renew expiring certificates.
Automated Import: Identify and import large numbers of certificates without additional manual effort.

Certificate Management After Discovery

Once certificates are discovered, MTG-CLM enables a range of management actions that not only organize your inventory but also deliver tangible business and security benefits.

Action	Description	Benefits
Add to Managed Inventory	Bring discovered certificates under centralized management.	Centralized visibility, easier tracking, and improved compliance.
Assign Ownership	Link certificates to responsible end entities or owners.	Clear accountability, streamlined renewal, and reduced risk of orphaned certificates.
Monitor for Expiry	Track certificate validity and receive alerts before expiration.	Prevents outages, maintains business continuity, and reduces emergency renewals.
Plan for Renewal/Replacement	Schedule and automate renewal or replacement of certificates.	Ensures uninterrupted service, reduces manual effort, and supports crypto-agility.
Automated Renewal Workflows	Enable automated processes for certificate renewal and deployment.	Minimizes human error, increases operational efficiency, and frees IT resources.
Send Expiry Notifications	Configure notifications for certificates approaching expiration.	Proactive risk mitigation and timely response to potential issues.
Search & Reporting	Search certificates by metadata/content and generate inventory reports.	Supports audits, compliance checks, and rapid incident response.
Assign Policies	Apply security and lifecycle policies to discovered certificates.	Enforces organizational standards, strengthens security, and supports regulatory needs.
Generate Statistics	Analyze certificate usage and trends across your environment.	Informs strategic planning, capacity management, and security posture assessments.

Action

Description

Benefits

Add to Managed Inventory

Bring discovered certificates under centralized management.

Centralized visibility, easier tracking, and improved compliance.

Assign Ownership

Link certificates to responsible end entities or owners.

Clear accountability, streamlined renewal, and reduced risk of orphaned certificates.

Monitor for Expiry

Track certificate validity and receive alerts before expiration.

Prevents outages, maintains business continuity, and reduces emergency renewals.

Plan for Renewal/Replacement

Schedule and automate renewal or replacement of certificates.

Ensures uninterrupted service, reduces manual effort, and supports crypto-agility.

Automated Renewal Workflows

Enable automated processes for certificate renewal and deployment.

Minimizes human error, increases operational efficiency, and frees IT resources.

Send Expiry Notifications

Configure notifications for certificates approaching expiration.

Proactive risk mitigation and timely response to potential issues.

Search & Reporting

Search certificates by metadata/content and generate inventory reports.

Supports audits, compliance checks, and rapid incident response.

Assign Policies

Apply security and lifecycle policies to discovered certificates.

Enforces organizational standards, strengthens security, and supports regulatory needs.

Generate Statistics

Analyze certificate usage and trends across your environment.

Informs strategic planning, capacity management, and security posture assessments.

Benefits of Effective Certificate Management:

Enhanced security and risk mitigation
Reduced service outages and improved uptime
Greater operational efficiency and automation
Simplified compliance and audit readiness
Centralized control and visibility across your certificate landscape

Best Practices

Schedule regular discovery scans to maintain an up-to-date inventory.
Review newly discovered certificates for compliance with your security policies.
Use the certificate inventory to identify and remediate risky or obsolete certificates.
Implement automated notifications for certificates approaching expiration.
Establish clear ownership for all discovered certificates.