Certificate Discovery
Certificate discovery is the automated process of scanning networks, directories and external databases to build a complete, real-time inventory of all digital certificates within an organization.
Certificates have limited lifespans and cause severe service disruptions when they expire, yet manual tracking routinely misses deployments and certificates issued outside of standard processes. A reliable discovery mechanism locates unknown certificates, identifies outdated cryptographic standards (weak key sizes, deprecated signature algorithms) and brings unmanaged certificates under centralized policy enforcement.
Why Discovery Matters
Without comprehensive visibility, organizations face significant operational and security risks:
- Preventing Outages: Unmonitored certificates inevitably expire, leading to application downtime, failed integrations and browser trust warnings for users.
- Eliminating Shadow IT: Departments often purchase public certificates independently. Discovery finds these rogue certificates so they can be brought under corporate governance.
- Cryptographic Agility: When cryptographic standards change (for example a migration from RSA to ECC, or to post-quantum algorithms), discovery identifies which systems still use non-compliant algorithms.
- Compliance and Auditing: Automated discovery provides the accurate, verifiable inventory required by security audits and regulatory frameworks.
Installation & Configuration
Read more about ERS CLI Client, the command-line interface for MTG-CLM that handles certificate issuance automation and certificate discovery.
How Discovery Works in MTG CLM
MTG CLM combines the central MTG CLM server with independent ERS CLI clients to systematically locate and inventory certificates. Discovered certificates are ingested via the REST API, added to your centralized inventory and evaluated against your configured policies and expiration thresholds.
Once certificates are discovered, you can apply lifecycle policies, configure automated renewal notifications and run metadata-based reports.
Supported Discovery Methods
MTG CLM provides multiple methods for discovering and importing certificates, ensuring coverage across internal networks, public domains and legacy systems.
Network-Based Scanning
The network scanning feature allows ERS CLI to automatically discover and import TLS/SSL certificates from servers and network devices into MTG CLM for centralized inventory and lifecycle management.
Administrators can define:
- Individual IP addresses
- Hostnames / DNS names
- IP ranges or subnets
- Custom TCP ports or port ranges
During a scan, ERS CLI performs a TLS handshake against each configured target and records the certificate chain the remote service presents during the TLS negotiation. Certificates are therefore collected without any access to the target systems themselves, but only the chain the service chooses to send: a server selects its certificate from the SNI hostname in the client hello, so a host that serves several names must be scanned by each hostname rather than by bare IP address, or certificates on that host will be missed. The discovered certificates are then imported into MTG CLM.
This method supports both public and private TLS/SSL certificates across diverse environments without installing agents on every system. The scanner supports:
- Scanning single hosts or large network segments
- Customizable target ports for TLS-enabled services
- Discovery of certificates on internal and external systems
- Automated certificate inventory population
- Identification of unmanaged, unknown or expiring certificates
Typical use cases include scanning web servers, reverse proxies, load balancers, mail servers, VPN gateways, industrial devices and other TLS-enabled infrastructure components across enterprise networks.
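The handshake-based collection described above, as an added Go example that is not part of ERS CLI or MTG CLM: it opens a TLS connection with SNI set, takes the leaf certificate the server presents without validating it, and turns it into an inventory record with three example policy findings (RSA key below 2048 bits, expiry inside a warning window, self-signed). The scan target is constructed scaffolding, a loopback server with a freshly generated self-signed RSA-1024 certificate ten days from expiry, so the whole thing runs offline. The record fields, finding names and thresholds are assumptions for illustration, not MTG CLM's schema or defaults.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/http/httptest"
	"time"
)

// CertRecord is the inventory entry a scan produces for one certificate (illustrative schema).
type CertRecord struct {
	Target   string // host:port the certificate was collected from
	Subject  string
	Issuer   string
	SANs     []string
	NotAfter time.Time
	KeyAlgo  string   // e.g. "RSA-2048", "ECDSA"
	Findings []string // policy findings: weak-key, expired, expiring, self-signed
}

// scanTarget opens a TLS connection to addr (host:port), sends serverName as SNI and returns the
// leaf certificate presented. Verification is disabled on purpose: discovery must record
// certificates that would fail validation (expired, self-signed, unknown CA), not skip them.
func scanTarget(addr, serverName string, timeout time.Duration) (*x509.Certificate, error) {
	cfg := &tls.Config{ServerName: serverName, InsecureSkipVerify: true} // collect, do not trust
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: timeout}, "tcp", addr, cfg)
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates[0], nil // leaf comes first in the chain
}

// evaluate turns a certificate into an inventory record and applies two example policies,
// a minimum RSA key size and an expiry warning threshold (illustrative, not product defaults).
func evaluate(target string, c *x509.Certificate, now time.Time, expiryWarn time.Duration) CertRecord {
	r := CertRecord{Target: target, Subject: c.Subject.String(), Issuer: c.Issuer.String(),
		SANs: c.DNSNames, NotAfter: c.NotAfter, KeyAlgo: c.PublicKeyAlgorithm.String()}
	if k, ok := c.PublicKey.(*rsa.PublicKey); ok {
		r.KeyAlgo = fmt.Sprintf("RSA-%d", k.N.BitLen())
		if k.N.BitLen() < 2048 {
			r.Findings = append(r.Findings, "weak-key")
		}
	}
	switch {
	case now.After(c.NotAfter):
		r.Findings = append(r.Findings, "expired")
	case c.NotAfter.Sub(now) < expiryWarn:
		r.Findings = append(r.Findings, "expiring")
	}
	if bytes.Equal(c.RawIssuer, c.RawSubject) { // issuer == subject: self-signed (heuristic)
		r.Findings = append(r.Findings, "self-signed")
	}
	return r
}

// startTestServer is constructed scaffolding, not a real service: it generates a self-signed
// RSA certificate and serves it on a loopback port so the scan can run offline.
func startTestServer(keyBits int, validFor time.Duration, dnsName string) (string, func(), error) {
	key, err := rsa.GenerateKey(rand.Reader, keyBits)
	if err != nil {
		return "", nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: dnsName, Organization: []string{"Example Corp"}},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(validFor),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", nil, err
	}
	srv := httptest.NewUnstartedServer(nil)
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}
	srv.StartTLS()
	return srv.Listener.Addr().String(), srv.Close, nil
}

func main() {
	// Constructed scan target: RSA-1024 key, self-signed, ten days from expiry.
	addr, stop, err := startTestServer(1024, 10*24*time.Hour, "intranet.example.test")
	if err != nil {
		panic(err)
	}
	defer stop()
	cert, err := scanTarget(addr, "intranet.example.test", 5*time.Second)
	if err != nil {
		panic(err)
	}
	rec := evaluate(addr, cert, time.Now(), 30*24*time.Hour) // 30-day warning threshold
	fmt.Printf("%s %s %s expires %s findings=%v\n", rec.Target, rec.Subject, rec.KeyAlgo, rec.NotAfter.Format("2006-01-02"), rec.Findings)
}
```

Run as-is and the record reports RSA-1024 with the findings [weak-key expiring self-signed]. For a real sweep, feed scanTarget every host:port from the target list with a short dial timeout so unreachable addresses do not stall the run, and expect a plain TLS handshake to fail on services that upgrade to TLS with STARTTLS (SMTP submission, IMAP, POP3): those need the protocol-specific upgrade exchange before the handshake, which this example does not implement.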
Active Directory LDAP Scanning
For Microsoft environments, MTG CLM connects to LDAP directories to locate certificates that Active Directory Certificate Services (AD CS) has published to directory objects.
- Mechanism: Uses Kerberos authentication and configurable search filters to query the directory.
- Capabilities: Supports both complete baseline scans and incremental discovery operations.
- Requirements: Requires LDAP server connection details, AD credentials, a search base DN and the identifiers of the attributes that hold certificates (in Active Directory typically userCertificate on user and computer objects and cACertificate on CA objects).
Certificate Transparency Log Integration
To track publicly trusted certificates, MTG CLM queries external Certificate Transparency databases.
- Mechanism: Scans CT logs for all active certificates matching your specified organizational domains.
- Capabilities: Identifies certificates issued by any external public CA, making it ideal for auditing public footprints and uncovering shadow IT.
Two properties of CT logs matter when reading the results: the logs are append-only, so a query also returns expired and superseded certificates that have to be filtered out, and only certificates from publicly trusted CAs are logged (browsers require it), so certificates from private or internal CAs never appear there and must be found by network scanning or directory discovery instead.
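An added example (Go, not MTG CLM code) of the post-processing a CT query needs before its results are an inventory: it takes search output in the JSON shape crt.sh returns, drops expired entries, collapses the precertificate/certificate pairs that logs list twice, keeps only names under the organization's domains (a plain substring search also returns look-alikes such as example.com.evil.net), and marks certificates whose issuer is not on an allow-list as shadow-IT candidates. The input is a constructed sample, and the field names, allow-list matching and record layout are assumptions for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
	"time"
)

// ctEntry holds the fields this example reads from one crt.sh JSON search result
// (assumption: field names follow crt.sh; other CT search services differ).
type ctEntry struct {
	IssuerName string `json:"issuer_name"`
	NameValue  string `json:"name_value"` // newline-separated subject names
	NotAfter   string `json:"not_after"`
	Serial     string `json:"serial_number"`
}

// PublicCert is the inventory record for a CT-discovered certificate (illustrative schema).
type PublicCert struct {
	Serial   string
	Issuer   string
	Names    []string
	NotAfter time.Time
	Approved bool // issuer is on the organization's allow-list; false marks a shadow-IT candidate
}

// matchesDomain reports whether name equals one of the organization's domains or is a
// subdomain of one; a wildcard label is stripped first, and matching is case-insensitive.
func matchesDomain(name string, domains []string) bool {
	name = strings.ToLower(strings.TrimPrefix(name, "*."))
	for _, d := range domains {
		d = strings.ToLower(d)
		if name == d || strings.HasSuffix(name, "."+d) {
			return true
		}
	}
	return false
}

// IngestCT turns raw CT search output into inventory records. It keeps only unexpired
// certificates that name one of the given domains, collapses the precertificate/certificate
// pairs that logs list twice (same issuer and serial) and flags issuers missing from the allow-list.
func IngestCT(raw []byte, now time.Time, domains, approvedIssuers []string) ([]PublicCert, error) {
	var entries []ctEntry
	if err := json.Unmarshal(raw, &entries); err != nil {
		return nil, err
	}
	seen := map[string]bool{}
	var out []PublicCert
	for _, e := range entries {
		notAfter, err := time.Parse("2006-01-02T15:04:05", e.NotAfter) // crt.sh timestamp layout
		if err != nil {
			return nil, fmt.Errorf("serial %s: bad not_after %q", e.Serial, e.NotAfter)
		}
		if !notAfter.After(now) {
			continue // expired: logs are append-only, so history has to be filtered out
		}
		key := e.IssuerName + "|" + e.Serial
		if seen[key] {
			continue // precertificate and final certificate share issuer and serial
		}
		var names []string
		for _, n := range strings.Split(e.NameValue, "\n") {
			if matchesDomain(n, domains) {
				names = append(names, n)
			}
		}
		if len(names) == 0 {
			continue // substring hit only, e.g. example.com.evil.net for a search on example.com
		}
		seen[key] = true
		approved := false
		for _, a := range approvedIssuers {
			approved = approved || strings.Contains(e.IssuerName, a)
		}
		out = append(out, PublicCert{Serial: e.Serial, Issuer: e.IssuerName, Names: names, NotAfter: notAfter, Approved: approved})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].NotAfter.Before(out[j].NotAfter) })
	return out, nil
}

// sampleCT is constructed input in crt.sh's JSON shape, not real log data: a certificate and
// its precertificate, a certificate from a CA the organization does not use, an expired
// certificate, and a look-alike domain that a substring search would also return.
const sampleCT = `[
 {"issuer_name":"C=US, O=Let's Encrypt, CN=R11","name_value":"example.com\nwww.example.com","not_after":"2025-08-30T00:00:00","serial_number":"04a1"},
 {"issuer_name":"C=US, O=Let's Encrypt, CN=R11","name_value":"example.com\nwww.example.com","not_after":"2025-08-30T00:00:00","serial_number":"04a1"},
 {"issuer_name":"C=US, O=DigiCert Inc, CN=DigiCert Global G2 TLS RSA SHA256 2020 CA1","name_value":"campaign.example.com","not_after":"2026-02-01T00:00:00","serial_number":"0b77"},
 {"issuer_name":"C=US, O=Let's Encrypt, CN=R3","name_value":"old.example.com","not_after":"2024-01-01T00:00:00","serial_number":"0c01"},
 {"issuer_name":"C=US, O=Let's Encrypt, CN=R11","name_value":"example.com.evil.net","not_after":"2025-12-01T00:00:00","serial_number":"0d02"}
]`

func main() {
	now := time.Date(2025, 6, 1, 0, 0, 0, 0, time.UTC) // fixed clock so the sample is reproducible
	certs, err := IngestCT([]byte(sampleCT), now, []string{"example.com"}, []string{"O=Let's Encrypt"})
	if err != nil {
		panic(err)
	}
	for _, c := range certs {
		fmt.Printf("%s approved=%t expires=%s names=%v issuer=%s\n",
			c.Serial, c.Approved, c.NotAfter.Format("2006-01-02"), c.Names, c.Issuer)
	}
}
```

With the sample input the result is two records: the Let's Encrypt certificate for example.com and www.example.com (approved) and the DigiCert certificate for campaign.example.com (not on the allow-list, so a candidate for the shadow-IT follow-up the section describes). The issuer allow-list is matched as a substring of the distinguished name; an organization with several approved CAs lists one distinguishing fragment per CA.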
Manual File Import
For isolated networks or offline systems, MTG CLM allows administrators to manually upload existing certificates.
- Mechanism: Direct file upload through the MTG CLM UI.
- Capabilities: Parses standard certificate formats and extracts all relevant metadata, importing the file into the managed inventory.