For the latest version, please use Certificate Lifecycle Manager 6.5.0!

The Hidden Risks in Your Network – Solved with Certificate Discovery

When managing digital certificates, the first step is knowing what you have. Many organizations are (unpleasantly) surprised to find certificates in unexpected places, sometimes unmanaged or close to expiry. Certificate discovery helps you gain visibility and control, supporting compliance and reducing risk.

What Is Certificate Discovery?

Certificate discovery is the process of scanning your network and systems to identify all existing digital certificates, regardless of how or where they were issued. This includes certificates on web servers, applications, devices and even legacy systems.

Digital certificates have a limited validity period and are no longer trusted once they expire, which can cause service disruptions or complete outages. A reliable discovery mechanism helps you locate and manage these certificates before that happens. Comprehensive certificate tracking also lets you spot mis-issued certificates and enforce policies on cryptographic parameters such as key sizes, signature algorithms and validity periods.

Certificate Discovery Methods

MTG CLM provides multiple automated discovery capabilities to eliminate manual processes and reduce operational overhead.

Network-Based Scanning

Network-based scanning systematically identifies certificates across your infrastructure by establishing TLS connections to servers, IP addresses and ports. The ERS CLI client connects to target systems, downloads server certificates and imports them into MTG CLM via the REST API.

This method supports both public and private TLS/SSL certificates across diverse environments without installing agents on every system. It only sees certificates presented by TLS listeners that are reachable from the scanning host; scanning by IP address without a hostname sends no useful SNI, so a server that hosts several names may return its default certificate rather than the one served for a specific name.

Configuration options:

  • Scan specific servers or hostnames

  • Scan IP address ranges with CIDR notation

  • Scan specific ports or port ranges

  • Automated scanning via scheduled execution
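As an added example (not the ERS CLI client, whose internals and options the page does not show), the core of a network-based scan written against Python's standard library: expanding hostnames, CIDR blocks and port ranges into targets, connecting with TLS and taking the leaf certificate in DER form together with scan metadata. The hostnames, addresses and ports in the block are placeholders.

```python
"""Network-based certificate discovery: expand scan targets, fetch leaf certificates over TLS."""
import ipaddress
import socket
import ssl
import time
from concurrent.futures import ThreadPoolExecutor


def expand_ports(spec):
    """'443,8443,9000-9002' -> [443, 8443, 9000, 9001, 9002] (sorted, duplicates removed)."""
    ports = set()
    for part in (p.strip() for p in spec.split(",") if p.strip()):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
        else:
            lo = hi = int(part)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range: {part!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)


def expand_targets(hosts, port_spec):
    """Yield (address_or_hostname, port). A host may be a hostname, a single IP or a CIDR block."""
    ports = expand_ports(port_spec)
    for host in hosts:
        try:
            net = ipaddress.ip_network(host, strict=False)
            # /31 and /32 have no network/broadcast address; larger blocks skip those two
            addrs = [str(a) for a in (net if net.num_addresses <= 2 else net.hosts())]
        except ValueError:
            addrs = [host]                      # not an IP or CIDR: treat as a hostname
        for addr in addrs:
            for port in ports:
                yield addr, port


def fetch_certificate(host, port, server_name=None, timeout=5.0):
    """TLS-connect to host:port and return the DER leaf certificate plus scan metadata.
    Verification is disabled on purpose: discovery must also capture self-signed, expired
    and mis-issued certificates. With CERT_NONE, getpeercert() returns {} because nothing
    was validated, so the certificate has to be taken in binary form and parsed elsewhere."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    sni = server_name or host                   # an IP literal sends no SNI: may yield the default cert
    record = {"host": host, "port": port, "server_name": sni, "der": None, "protocol": None,
              "error": None, "scanned_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                record["der"] = tls.getpeercert(binary_form=True)
                record["protocol"] = tls.version()
    except (OSError, ssl.SSLError, ValueError) as exc:   # refused, timeout, handshake failure
        record["error"] = f"{type(exc).__name__}: {exc}"
    return record


def scan(hosts, port_spec, workers=32, timeout=5.0):
    """Scan every host/port combination concurrently; one record per target, with DER or error."""
    targets = list(expand_targets(hosts, port_spec))
    with ThreadPoolExecutor(max_workers=workers) as pool:
        return list(pool.map(lambda t: fetch_certificate(t[0], t[1], timeout=timeout), targets))


if __name__ == "__main__":
    # Live run (needs network): a hostname, a /30 block and a port list; all placeholders
    for r in scan(["example.com", "192.0.2.0/30"], "443,8443"):
        status = f"{len(r['der'])} bytes DER via {r['protocol']}" if r["der"] else r["error"]
        print(f"{r['host']}:{r['port']} -> {status}")
        if r["der"]:                            # PEM is what most inventory APIs expect on import
            print(ssl.DER_cert_to_PEM_cert(r["der"]).splitlines()[0])
```

Verification is deliberately off because the certificates a discovery run most needs to find (self-signed, expired, issued by the wrong CA) are exactly the ones a verifying client would refuse to talk to; the trade-off is that the scanner learns nothing about trust, which is why the analysis happens on the collected DER afterwards. Where several names share an address, scan by hostname so the SNI selects the right certificate.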

Active Directory LDAP Scanning

For organizations using Microsoft Active Directory, MTG CLM can scan LDAP directories to discover certificates stored in AD. This method connects to your LDAP server using Kerberos authentication and searches for certificates based on configurable search filters.

LDAP scanning works for certificates published to Active Directory, such as those issued by an Active Directory Certificate Services infrastructure, and supports both complete and incremental discovery runs.

Configuration requirements:

  • LDAP server connection details

  • Active Directory principal credentials

  • Search base distinguished name

  • Certificate attribute identifiers

Certificate Transparency Log Integration

Certificate Transparency (CT) Log integration provides automated discovery of publicly issued certificates by querying external CT log databases. MTG CLM scans CT logs for all active certificates matching specified domain names, providing comprehensive visibility into your organization’s public certificate footprint.

This method covers publicly trusted certificates only, since private CAs do not log to CT. It helps identify certificates issued for your domains by external Certificate Authorities, including ones nobody in the organization requested through the usual process.

Best suited for:

  • Auditing publicly issued certificates across organizational domains

  • Identifying shadow IT public certificate usage

  • Compliance validation of external certificate deployment

  • Domain-scoped certificate inventory
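The query-and-filter step behind a CT-based inventory, as an added example that is not MTG CLM's own CT integration (the page does not describe its internals). It assumes crt.sh as the CT log database; any CT search service returning the same fields would do. The block pulls every logged certificate matching a domain pattern, keeps those still valid, collapses the precertificate/certificate pairs that CT logs carry for a single issuance, and then flags issuers outside an approved list and names the internal inventory does not know. The sample records are constructed in crt.sh's JSON shape, not real log data.

```python
"""CT-log discovery of a domain's public certificate footprint: crt.sh query plus offline filtering."""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone

CRTSH = "https://crt.sh/"   # assumption: crt.sh as the CT log database


def fetch_ct_records(pattern, timeout=60):
    """Query crt.sh for logged certificates whose identity matches `pattern` ('%.example.com' = all subdomains;
    query the apex name separately). Large domains return thousands of rows and crt.sh rate-limits."""
    url = CRTSH + "?" + urllib.parse.urlencode({"q": pattern, "output": "json"})
    req = urllib.request.Request(url, headers={"User-Agent": "ct-discovery-example/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def active_unique(records, now=None):
    """Keep records valid at `now`; collapse precertificate/certificate pairs (same issuer and serial)
    into one entry; return newest-expiring first."""
    now = now or datetime.now(timezone.utc)
    by_key = {}
    for rec in records:
        not_before = datetime.fromisoformat(rec["not_before"]).replace(tzinfo=timezone.utc)
        not_after = datetime.fromisoformat(rec["not_after"]).replace(tzinfo=timezone.utc)
        if not not_before <= now < not_after:
            continue
        key = (rec["issuer_ca_id"], rec["serial_number"].lower())
        if key in by_key:                       # the precert twin of an entry already seen
            continue
        by_key[key] = {
            "serial": rec["serial_number"].lower(),
            "issuer": rec["issuer_name"],
            "names": sorted({n.strip().lower() for n in rec["name_value"].splitlines() if n.strip()}),
            "not_after": not_after,
            "log_entry_id": rec["id"],
        }
    return sorted(by_key.values(), key=lambda c: c["not_after"], reverse=True)


def unexpected_issuers(certs, approved):
    """Certificates whose issuer matches none of the approved CA name fragments (shadow-IT candidates)."""
    return [c for c in certs if not any(a.lower() in c["issuer"].lower() for a in approved)]


def unmanaged_names(certs, inventory_names):
    """Names seen in CT that the internal inventory does not know about."""
    known = {n.lower() for n in inventory_names}
    return sorted({n for c in certs for n in c["names"]} - known)


SAMPLE_RECORDS = [  # constructed sample in crt.sh's JSON shape, not real log data
    {"id": 1001, "issuer_ca_id": 10, "issuer_name": "C=US, O=Let's Encrypt, CN=R11", "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com", "not_before": "2025-11-01T00:00:00",
     "not_after": "2026-01-30T00:00:00", "serial_number": "04AB"},
    {"id": 1002, "issuer_ca_id": 10, "issuer_name": "C=US, O=Let's Encrypt, CN=R11", "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com", "not_before": "2025-11-01T00:00:00",
     "not_after": "2026-01-30T00:00:00", "serial_number": "04ab"},      # precertificate twin of 1001
    {"id": 1003, "issuer_ca_id": 10, "issuer_name": "C=US, O=Let's Encrypt, CN=R11", "common_name": "example.com",
     "name_value": "example.com", "not_before": "2025-09-01T00:00:00",
     "not_after": "2025-11-30T00:00:00", "serial_number": "03ff"},      # already expired
    {"id": 1004, "issuer_ca_id": 20, "issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1",
     "common_name": "shop.example.com", "name_value": "shop.example.com", "not_before": "2025-06-01T00:00:00",
     "not_after": "2026-06-01T00:00:00", "serial_number": "1F"},        # issued by a CA not on the approved list
]

if __name__ == "__main__":
    # Live use would be: certs = active_unique(fetch_ct_records("%.example.com"))
    certs = active_unique(SAMPLE_RECORDS, now=datetime(2026, 1, 1, tzinfo=timezone.utc))
    for c in certs:
        print(c["serial"], c["not_after"].date(), c["issuer"], ", ".join(c["names"]))
    print("unexpected issuers:", [c["log_entry_id"] for c in unexpected_issuers(certs, ["Let's Encrypt"])])
    print("unknown names:", unmanaged_names(certs, ["www.example.com", "example.com"]))
```

Deduplicating on issuer and serial matters because every modern issuance shows up twice in CT (the precertificate and the final certificate); counting both inflates the inventory and double-fires every expiry alert.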

Manual Certificate Import

In addition to automated discovery methods, MTG CLM supports direct certificate file upload through MTG CLM UI. This capability enables quick integration of existing certificates into your MTG CLM environment when certificates are available as files.

File-based import maintains certificate metadata integrity and supports standard certificate formats.

How Certificate Discovery Works in MTG CLM

MTG CLM automates certificate discovery using the ERS CLI client, which functions independently without additional dependencies. The system:

  • Systematically scans for unknown certificates across your entire network infrastructure.

  • Identifies both public and private TLS/SSL certificates.

  • Adds discovered certificates to your centralized inventory.

  • Analyzes deployed certificates for cryptographic primitives and potential risks.

  • Monitors certificates for upcoming expirations.

Technical Implementation

MTG CLM consists of two key components for discovery:

  • MTG CLM Server: The central component that provides a REST API for secure access by authenticated and authorized clients.

  • ERS CLI Clients: Command Line Interface clients that consume the REST API of MTG CLM. These clients can:

    • Log in to MTG CLM and request certificates.

    • Scan specific ports or port ranges of systems in their network.

    • Be installed using standard mechanisms (RPM, Debian packages, or EXE files).

    • Run independently without additional dependencies.

When the ERS client scans, it attempts to establish a TLS connection to the specified servers and ports. Upon successfully establishing a connection, it downloads the server certificates and pushes them to the CLM component along with metadata via the REST API. MTG CLM verifies the client’s identity and stores the certificates and metadata in its database.
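The parsing and risk analysis that sits behind the inventory, and behind the "cryptographic primitives and potential risks" step listed above, as an added example in Python's standard library. This is not MTG CLM's or the ERS client's code, and the REST API the page mentions is not modelled: parse_certificate returns the fields a client would push alongside the raw DER, assess applies the usual checks (expired or expiring, MD5/SHA-1 signatures, RSA below 2048 bits), and build_test_certificate produces a structurally valid but unsigned certificate so the block runs offline. The thresholds, the OID tables and the test certificate's names are assumptions; for a real scan you would feed parse_certificate the DER bytes taken from a TLS connection.

```python
"""Stdlib-only parsing of a DER X.509 certificate plus the risk checks a discovery run applies."""
import hashlib
from datetime import datetime, timedelta, timezone
SIG_ALGS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption", "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
            "1.2.840.113549.1.1.11": "sha256WithRSAEncryption", "1.2.840.10045.4.3.2": "ecdsa-with-SHA256"}
KEY_ALGS = {"1.2.840.113549.1.1.1": "rsaEncryption", "1.2.840.10045.2.1": "ecPublicKey"}
WEAK_SIG = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}
OID_CN = "2.5.4.3"

def der_tlv(buf, pos=0):  # one DER TLV at pos -> (tag, value, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):  # child (tag, value) pairs of a SEQUENCE/SET body
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_tlv(value, pos)
        out.append((tag, val))
    return out

def decode_oid(value):
    parts, n = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:                                 # base-128 arcs, high bit = continuation
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(n))
            n = 0
    return ".".join(parts)

def decode_time(tag, value):  # 0x17 = UTCTime (two-digit year), otherwise GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def name_attr(name, oid):  # first value for an attribute OID in an X.501 Name (SEQUENCE OF SET OF SEQUENCE)
    for _, rdn in der_children(name):
        for _, atv in der_children(rdn):
            (_, t), (_, v) = der_children(atv)
            if decode_oid(t) == oid:
                return v.decode("utf-8", "replace")
    return None

def parse_certificate(der):  # the metadata a discovery client would push along with the raw certificate
    _, cert, _ = der_tlv(der)
    (_, tbs), (_, sig_alg) = der_children(cert)[:2]
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    (_, serial), _, (_, issuer), (_, validity), (_, subject), (_, spki) = fields[:6]
    not_before, not_after = [decode_time(t, v) for t, v in der_children(validity)]
    (_, spki_alg), (_, spki_key) = der_children(spki)
    key_alg, key_bits = KEY_ALGS.get(decode_oid(der_children(spki_alg)[0][1]), "unknown"), None
    if key_alg == "rsaEncryption":                      # BIT STRING: unused-bits byte, then RSAPublicKey
        (_, modulus), _ = der_children(der_tlv(spki_key[1:])[1])
        key_bits = int.from_bytes(modulus, "big").bit_length()
    return {"subject_cn": name_attr(subject, OID_CN), "issuer_cn": name_attr(issuer, OID_CN),
            "serial": serial.hex(), "not_before": not_before, "not_after": not_after,
            "sig_alg": SIG_ALGS.get(decode_oid(der_children(sig_alg)[0][1]), "unknown"),
            "key_alg": key_alg, "key_bits": key_bits, "sha256": hashlib.sha256(der).hexdigest()}

def assess(info, now=None, expiry_window_days=30, min_rsa_bits=2048):
    now = now or datetime.now(timezone.utc)
    risks = []
    if info["not_after"] <= now:
        risks.append("EXPIRED")
    elif info["not_after"] - now <= timedelta(days=expiry_window_days):
        risks.append(f"EXPIRES_WITHIN_{expiry_window_days}D")
    if info["sig_alg"] in WEAK_SIG:
        risks.append("WEAK_SIGNATURE_" + info["sig_alg"])
    if info["key_alg"] == "rsaEncryption" and info["key_bits"] and info["key_bits"] < min_rsa_bits:
        risks.append(f"RSA_{info['key_bits']}_BELOW_{min_rsa_bits}")
    return risks

def der(tag, content):  # minimal DER encoder (definite length), used only to build the synthetic demo certificate
    n = len(content)
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big") if n >= 0x80 else b""
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + content

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk, arc = [arc & 0x7F], arc >> 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def build_test_certificate(cn, not_before, not_after, sig_oid, rsa_bits):
    """Real X.509 layout, self-issued, garbage signature bytes: enough to exercise the parser offline."""
    alg = der(0x30, der(0x06, encode_oid(sig_oid)) + der(0x05, b""))
    name = der(0x30, der(0x31, der(0x30, der(0x06, encode_oid(OID_CN)) + der(0x0C, cn.encode()))))
    validity = der(0x30, b"".join(der(0x17, d.strftime("%y%m%d%H%M%SZ").encode()) for d in (not_before, not_after)))
    modulus = ((1 << (rsa_bits - 1)) | 1).to_bytes(rsa_bits // 8, "big")   # exactly rsa_bits bits
    rsa_key = der(0x30, der(0x02, b"\x00" + modulus) + der(0x02, b"\x01\x00\x01"))
    spki = der(0x30, der(0x30, der(0x06, encode_oid("1.2.840.113549.1.1.1")) + der(0x05, b"")) + der(0x03, b"\x00" + rsa_key))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg + name + validity + name + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" + bytes(32)))
```

The parser reads only what the inventory needs and nothing it does not (no extensions, no signature check), which is deliberate: discovery is about recording what is deployed, and trust decisions belong to the policy layer once the certificate is in the database. The SHA-256 fingerprint is the natural primary key for deduplicating a certificate seen on several hosts or ports.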

Discovery Features in MTG CLM

  • Network-based Scanning: Discover certificates across diverse environments without installing agents on every system.

  • Comprehensive Inventory: Create a complete digital inventory of all company public and private TLS/SSL certificates.

  • Risk Analysis: Identify certificates using outdated cryptographic algorithms or approaching expiration.

  • Dashboard Integration: View discovered certificates through intuitive dashboards that provide a complete visual overview.

  • Expiration Monitoring: Stay informed about upcoming certificate expirations to prevent outages.

  • Policy Enforcement: Apply flexible certificate policies to monitor, notify and renew expiring certificates.

  • Automated Import: Identify and import large numbers of certificates without additional manual effort.

Certificate Management After Discovery

Once certificates are discovered, MTG CLM enables a range of management actions that not only organize your inventory but also deliver tangible business and security benefits.

Add to Managed Inventory
  Description: Bring discovered certificates under centralized management.
  Benefits: Centralized visibility, easier tracking and improved compliance.

Assign Ownership
  Description: Link certificates to responsible end entities or owners.
  Benefits: Clear accountability, straightforward renewal and reduced risk of orphaned certificates.

Monitor for Expiry
  Description: Track certificate validity and receive alerts before expiration.
  Benefits: Prevents outages, maintains business continuity and reduces emergency renewals.

Plan for Renewal/Replacement
  Description: Schedule and automate renewal or replacement of certificates.
  Benefits: Ensures uninterrupted service, reduces manual effort and supports crypto-agility.

Automated Renewal Workflows
  Description: Enable automated processes for certificate renewal and deployment.
  Benefits: Minimizes human error, increases operational efficiency and frees IT resources.

Send Expiry Notifications
  Description: Configure notifications for certificates approaching expiration.
  Benefits: Proactive risk mitigation and timely response to potential issues.

Search & Reporting
  Description: Search certificates by metadata/content and generate inventory reports.
  Benefits: Supports audits, compliance checks and rapid incident response.

Assign Policies
  Description: Apply security and lifecycle policies to discovered certificates.
  Benefits: Enforces organizational standards, strengthens security and supports regulatory needs.

Generate Statistics
  Description: Analyze certificate usage and trends across your environment.
  Benefits: Informs strategic planning, capacity management and security posture assessments.

Benefits of Effective Certificate Management:

  • Enhanced security and risk mitigation

  • Reduced service outages and improved uptime

  • Greater operational efficiency and automation

  • Simplified compliance and audit readiness

  • Centralized control and visibility across your certificate landscape