For the latest version, please use Certificate Lifecycle Manager 6.11.0!
Certificate Discovery
Certificate discovery is the automated process of scanning networks, directories and external databases to build a complete, real-time inventory of all digital certificates within an organization.
Because certificates have limited lifespans and cause severe service disruptions when they expire unnoticed, manual tracking often misses deployments or certificates issued outside the standard process. A reliable discovery mechanism locates unknown certificates, identifies outdated cryptographic standards (for example undersized keys or deprecated signature algorithms) and brings unmanaged certificates under centralized policy enforcement.
Why Discovery Matters
Without comprehensive visibility, organizations face significant operational and security risks:
- Preventing Outages: Unmonitored certificates inevitably expire, leading to application downtime, failed integrations and trust warnings for users.
- Eliminating Shadow IT: Departments often purchase public certificates independently. Discovery finds these rogue certificates so they can be brought under corporate governance.
- Cryptographic Agility: When cryptographic standards change (such as moving from RSA to ECC or to post-quantum cryptography, PQC), discovery immediately identifies which systems still use non-compliant algorithms or key sizes.
- Compliance and Auditing: Automated discovery provides the accurate, verifiable inventory required by security audits and regulatory frameworks.
How Discovery Works in MTG CLM
MTG CLM uses the central MTG CLM instance together with the independent ERS CLI clients to systematically locate and inventory certificates. Discovered certificates are ingested via the REST API, added to your centralized inventory and evaluated against your configured policies and expiration thresholds.
Once certificates are discovered, you can apply lifecycle policies, configure automated renewal notifications and run metadata-based reports.
Supported Discovery Methods
MTG CLM provides three primary methods for discovering and importing certificates, ensuring coverage across internal networks, public domains and legacy systems.
Active Directory LDAP Scanning
For Microsoft environments, MTG CLM connects to LDAP directories to locate certificates that an Active Directory Certificate Services (AD CS) infrastructure has published to Active Directory.
- Mechanism: Uses Kerberos authentication and configurable search filters to query the directory.
- Capabilities: Supports both complete baseline scans and incremental discovery runs that only pick up certificates added since the last scan.
- Requirements: LDAP server connection details, AD credentials, a search base DN and the names of the directory attributes that hold certificates (for example userCertificate).
Certificate Transparency Log Integration
To track publicly trusted certificates, MTG CLM queries external Certificate Transparency (CT) logs.
- Mechanism: Scans CT logs for all active certificates matching your specified organizational domains.
- Capabilities: Identifies certificates issued by any external public CA, making it ideal for auditing your public footprint and uncovering shadow IT. Certificates from private or internal CAs are never logged to CT, so this method complements rather than replaces the LDAP and file-based methods.
Manual File Import
For isolated networks or offline systems, MTG CLM allows administrators to manually upload existing certificates.
- Mechanism: Direct file upload through the MTG CLM UI.
- Capabilities: Parses standard certificate formats, extracts all relevant metadata and imports the certificate into the managed inventory.
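The ingestion-and-evaluation step described under "How Discovery Works in MTG CLM" and the format parsing of the manual file import, shown together as an added Go example that is not MTG CLM's or the ERS CLI's own code: it accepts a PEM bundle or a raw DER blob (the shape a file upload or an LDAP userCertificate value arrives in) using Go's standard crypto/x509, keys the inventory by SHA-256 fingerprint so that an incremental re-scan of already-known data adds nothing, and then applies an expiry-warning threshold and a minimum RSA key size, the kind of checks a lifecycle policy runs. The three certificates, their names and the thresholds are constructed sample data; MTG CLM's actual policy model and REST payloads are not shown.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

const day = 24 * time.Hour

type Finding struct{ Fingerprint, Subject, Rule string }     // one policy hit for one certificate
type Inventory struct{ certs map[string]*x509.Certificate } // keyed by SHA-256 fingerprint: a re-scan only adds unseen certificates

func NewInventory() *Inventory { return &Inventory{certs: map[string]*x509.Certificate{}} }

// Ingest takes a PEM bundle (any number of CERTIFICATE blocks) or one raw DER blob, the two shapes a
// file upload or an LDAP userCertificate value arrive in, and reports how many certificates were new.
func (inv *Inventory) Ingest(data []byte) (int, error) {
	var ders [][]byte
	for b, rest := pem.Decode(data); b != nil; b, rest = pem.Decode(rest) {
		if b.Type == "CERTIFICATE" {
			ders = append(ders, b.Bytes)
		}
	}
	if ders == nil {
		ders = [][]byte{data} // no PEM armour: treat the input as raw DER
	}
	added := 0
	for _, der := range ders {
		c, err := x509.ParseCertificate(der)
		if err != nil {
			return added, fmt.Errorf("ingest: %w", err)
		}
		if fp := fmt.Sprintf("%x", sha256.Sum256(c.Raw)); inv.certs[fp] == nil {
			inv.certs[fp] = c
			added++
		}
	}
	return added, nil
}

// Evaluate flags, as of now, certificates that have expired, expire within warn, or carry an RSA key below minRSABits.
func (inv *Inventory) Evaluate(now time.Time, warn time.Duration, minRSABits int) []Finding {
	var out []Finding
	for fp, c := range inv.certs {
		hit := func(rule string) { out = append(out, Finding{fp, c.Subject.CommonName, rule}) }
		if now.After(c.NotAfter) {
			hit("expired")
		} else if c.NotAfter.Sub(now) < warn {
			hit("expires-soon")
		}
		if k, ok := c.PublicKey.(*rsa.PublicKey); ok && k.N.BitLen() < minRSABits {
			hit(fmt.Sprintf("rsa-key-too-small:%d", k.N.BitLen()))
		}
	}
	return out
}

// selfSigned makes a throwaway self-signed certificate (constructed test data, not a real deployment).
func selfSigned(cn string, notAfter time.Time, bits int) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: notAfter.Add(-730 * day), NotAfter: notAfter}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// BuildSampleInventory ingests a three-certificate PEM bundle (baseline scan) and then the same bundle
// again (incremental re-scan). It returns the inventory and the "added" count of each pass.
func BuildSampleInventory() (*Inventory, int, int, error) {
	now := time.Now()
	names := []string{"web.example.com", "legacy.example.com", "old.example.com"}
	ends := []time.Time{now.Add(700 * day), now.Add(10 * day), now.Add(-day)} // fine, expiring soon, expired
	bits := []int{2048, 1024, 2048}                                           // 1024 is deliberately undersized
	var bundle []byte
	for i := range names {
		der, err := selfSigned(names[i], ends[i], bits[i])
		if err != nil {
			return nil, 0, 0, err
		}
		bundle = append(bundle, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})...)
	}
	inv := NewInventory()
	first, err := inv.Ingest(bundle)   // baseline scan: all three are new
	second, err2 := inv.Ingest(bundle) // incremental re-scan of the same data: nothing new
	return inv, first, second, errors.Join(err, err2)
}

func main() {
	inv, first, second, err := BuildSampleInventory()
	if err != nil {
		panic(err)
	}
	fmt.Printf("baseline added %d, incremental re-scan added %d\n", first, second)
	for _, f := range inv.Evaluate(time.Now(), 30*day, 2048) { // 30-day warning, RSA >= 2048 bits
		fmt.Printf("%s  %-20s %s\n", f.Fingerprint[:16], f.Subject, f.Rule)
	}
}
```

The fingerprint-keyed map is what makes the incremental path cheap: a re-scan of a directory or a re-uploaded bundle is parsed again but changes nothing, while a certificate renewed on the same subject gets a new fingerprint and therefore a fresh entry, so the old and new certificate can be reported side by side until the old one is retired.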