QCecuring - Enterprise Security Solutions

What is Certificate Discovery

Mounith Reddy

Key Takeaways

  • Most organizations have 3-10x more certificates than they think
  • Discovery must be continuous, not quarterly — dynamic environments change daily
  • Combine network scanning, cloud APIs, CT logs, and agents for full coverage
  • You can't manage, renew, or secure certificates you don't know exist

Certificate discovery is the automated process of scanning your infrastructure to find every deployed SSL/TLS certificate — across servers, load balancers, cloud services, CDNs, containers, and anywhere else certificates hide. The goal is simple: you can’t manage what you can’t see.

Most organizations have 3-10x more certificates than they think they do. Discovery finds the ones that were installed manually, forgotten about, or deployed by teams that never told anyone.


Why it matters

  • Prevents outages — you can’t renew a certificate you don’t know exists. Discovery finds it before it expires.
  • Eliminates blind spots — shadow IT, developer test certs, and legacy systems all become visible.
  • Compliance — auditors ask “show me all your certificates.” Without discovery, you’re guessing.
  • Reduces attack surface — expired or weak certificates are entry points. Discovery identifies them.
  • Enables automation — once you have a complete inventory, you can automate renewal and rotation.

How it works

  1. Network scanning — probe IP ranges and ports (443, 8443, etc.) to find TLS endpoints
  2. DNS enumeration — resolve all known domains and subdomains, check each for certificates
  3. Cloud API integration — query AWS ACM, Azure Key Vault, GCP Certificate Manager for managed certs
  4. Agent-based scanning — lightweight agents on servers report locally-installed certificates
  5. CT Log monitoring — watch Certificate Transparency logs for any certificate issued for your domains
  6. Inventory consolidation — deduplicate, correlate, and store all findings in a central database

In real systems

Network scanner approach — tools like Nessus, Qualys, or dedicated CLM scanners probe your IP ranges. Fast for known infrastructure, misses cloud-only and ephemeral workloads.

Cloud-native approach — API calls to AWS list-certificates, Azure Get-AzKeyVaultCertificate, GCP Certificate Manager. Catches managed certificates but misses self-signed or manually deployed ones.

Kubernetes — scan all Secrets of type kubernetes.io/tls across namespaces, check cert-manager Certificate resources, inspect Ingress TLS sections and annotations. Containers spin up and down — discovery needs to run continuously, not once.


Where it breaks

Point-in-time scanning — running discovery once a quarter misses certificates deployed between scans. In dynamic environments (K8s, serverless), certificates appear and disappear daily. Discovery must be continuous or at minimum daily.

Incomplete scope — scanning only production but ignoring staging, dev, and DR environments. A forgotten staging cert with the same wildcard domain can still cause trust issues or get exploited.
Operational insight

Wildcard certificates (*.example.com) create a false sense of complete coverage. They don’t match multi-level subdomains (api.internal.example.com), and a single wildcard private key compromise exposes every service using that certificate. Discovery tools must flag wildcard reuse across environments — if the same wildcard cert is deployed on 40 servers, that’s 40 systems sharing one key, and one breach away from a full re-issuance event.
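The inventory consolidation step (deduplicate and correlate findings from several sources) and the wildcard-reuse check above, as an added example that is not code from the original article. All findings are constructed sample data, the "fp" values stand in for the SHA-256 fingerprints a real scanner would compute, and the source names ("network", "agent", "k8s", "ct") are assumed labels.

```python
# Added example, not code from the original article: merge discovery findings
# from several sources into one inventory keyed by certificate fingerprint,
# then flag wildcard certificates whose single key is shared across hosts or
# environments. All findings are constructed sample data; "fp" values are
# placeholders for the SHA-256 fingerprint a real scanner computes.
FINDINGS = [
    {"source": "network", "env": "prod",    "host": "api.example.com:443",        "fp": "FP-A", "cn": "*.example.com"},
    {"source": "agent",   "env": "prod",    "host": "web-01.example.com",         "fp": "FP-A", "cn": "*.example.com"},
    {"source": "network", "env": "staging", "host": "staging.example.com:443",    "fp": "FP-A", "cn": "*.example.com"},
    {"source": "network", "env": "prod",    "host": "app.example.com:443",        "fp": "FP-B", "cn": "app.example.com"},
    {"source": "agent",   "env": "prod",    "host": "app.example.com:443",        "fp": "FP-B", "cn": "app.example.com"},
    {"source": "k8s",     "env": "dev",     "host": "k8s/dev/secret/ingress-tls", "fp": "FP-C", "cn": "*.internal.example.com"},
    {"source": "ct",      "env": None,      "host": None,                         "fp": "FP-D", "cn": "mail.example.com"},
]

def wildcard_matches(pattern, hostname):
    """RFC 6125 rule: '*' covers exactly one leftmost DNS label, so
    *.example.com matches api.example.com but not api.internal.example.com."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if p[0] != "*":
        return p == h
    return len(h) == len(p) and h[1:] == p[1:]

def consolidate(findings):
    """Deduplicate by fingerprint; record every source, environment and
    location the same certificate was seen at (same host from two sources
    collapses to one location)."""
    inventory = {}
    for f in findings:
        e = inventory.setdefault(f["fp"], {"cn": f["cn"], "sources": set(),
                                           "envs": set(), "locations": set()})
        e["sources"].add(f["source"])
        if f["env"]:
            e["envs"].add(f["env"])
        if f["host"]:
            e["locations"].add(f["host"])
    return inventory

def wildcard_reuse(inventory):
    """Wildcard certs deployed on more than one host or in more than one
    environment: one private key compromise exposes all of them."""
    return sorted(fp for fp, e in inventory.items() if e["cn"].startswith("*.")
                  and (len(e["locations"]) > 1 or len(e["envs"]) > 1))

def issued_but_unlocated(inventory):
    """Certs seen only in CT logs: issued for your domains, deployment unknown."""
    return sorted(fp for fp, e in inventory.items() if e["sources"] == {"ct"})

if __name__ == "__main__":
    inv = consolidate(FINDINGS)
    print(len(inv), "unique certs; wildcard reuse:", wildcard_reuse(inv))
```

On the sample data this yields four unique certificates from seven findings, flags FP-A as a wildcard shared across prod and staging, and reports FP-D as issued (seen in CT) but never located on any host.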
