Skip to content

Discovering certificates using Services

The Discovery Services offered in enable you to manage your machine identities by discovering the certificates you have on your machines. Once discovered, adds the certificates to the inventory. After the certificates are in the inventory, will run daily validation scans on the certificates and highlight potential issues that could cause outages.

Two discovery services are available:

  • External discovery service The external discovery service discovers certificates that are in use on endpoints that are outside your firewall. This may include the server that hosts your public website and other publicly available services.

  • Internal discovery service The internal discovery service discovers certificates that are in use on endpoints that are inside your firewall. The internal discovery service requires VSatellites to be installed in your network. We'll walk you through those steps in this procedure.

Using the Services interface

You can access the Services interface by clicking Infrastructure > Services in the menu bar. There are two views available. You can switch between the views by clicking the toggle view button near the top right corner of the screen.

Grid view

This is the default view, and it provides a consolidated list of all the Services you have configured. At a glance, you can view details about your Services.

Master detail view

The master detail view opens a pane that provides more information about the service and the ability to edit the service. With the detail view open, click any service in the left pane, and the details about that service open in the right pane.

Setting up External discovery service

Discovery of external certificates is performed automatically when you add targets to be scanned. You can set the schedule on when the discovery scans should run on the targets. You can also disable the service entirely if you don't need it.

What is a target?

A target represents a specific endpoint or set of endpoints that you want to run certificate discovery on. They can be entered as either domains, FQDNs, IP addresses, or IP address ranges. For external discovery, these should be endpoints outside your firewall.

  1. In the menu bar, click Infrastructure > Services.

  2. If you're in the grid view, click the master detail view button Picture of master detail view button near the top right to switch to the master detail view.

  3. Click External discovery service in the left pane. The service details open on the right.

Setting the discovery schedule

In the Schedule tab, select whether you want the service enabled or disabled. If the service is enabled, you can schedule when you want the service to run.


This schedule also determines when validation on certificates will be run.

Specifying the targets and ports to scan

In the Targets tab, you can specify which external endpoints you want scanned.

To add new targets

In the Targets field, enter the new targets that you want scanned. The field accepts the following:

  • Domain names
  • FQDNs
  • IP addresses
  • IP address ranges


If you have a large number of targets, you can upload a CSV file using the Upload / Import link.

After you've entered the targets, click outside the Targets box, and then click Add. Your targets are added to the Target list.

To remove existing targets

If you have existing targets in the list that you no longer want scanned, click the Remove target icon Picture of remove target button on the right side of the target's row.

To rename the External discovery service

In the Administration tab, enter a new name in the Service name field.

After you've updated the External discovery service, click Save to save your changes.

Set up an internal discovery service

can discover the certificates on machines that are behind your firewall. This is referred to as an internal discovery.

Step 1: Install VSatellites

Follow the documentation on deploying VSatellites to your environment, and then return here to continue.


If VSatellites are new to you, we recommend becoming familiar with them first by reading the overview documentation.

Step 2: Create a new internal discovery service

In the menu bar, click Infrastructure > Services.

In the toolbar, click New. The Add a service wizard opens. Click on a tab below for instructions on completing the wizard. After each step, click Next in the wizard to go to the next step.

  1. From the Select discovery or automation service drop-down, select Internal scan.

  2. Enter a descriptive Service Name for this discovery service.

In the Service enabler box, select the VSatellite that will run this internal discovery service.

  1. In the Target TLS ports field, enter the ports that you want scanned on the targets.

  2. In the Targets field, enter the new targets that you want scanned. The field accepts domain names, FQDNs, IP addresses, and IP address ranges


    If you have a large number of targets, you can upload a CSV file using the Upload / Import link.

For certificate discovery, you'll need to download and install Scanafi on the same machine that you installed VSatellite on in Step 1 above.

Download and install scanafi

  1. If Scanafi isn't already installed on the VSatellite machine, click Download Scanafi > Linux. This downloads the scanafi_linux_64.tgz file, which includes the Scanafi executable.

  2. Copy the scanafi_linux_64.tgz to the VSatellite machine.

  3. Sign in to the VSatellite machine and extract the scanafi_linux_64.tgz file.

    tar -xf scanafi_linux_64.tgz

    Extracting the file adds the scanafi executable.

Run scanafi

  1. In , copy the Linux command provided in the box just beneath the Download Scanafi button.

  2. On the VSatellite machine, run the command from the directory where scanafi is installed.

  3. After the scan completes, return to , and click Done. The discovered certificates are added to the inventory.

Step 3: View discovered certificates and check for validation errors

After discovery is complete, you can view the discovered certificates in Inventory > Certificates. will begin running validation on discovered certificates. See the validation documentation for more information on how validation works and how to resolve errors.