Skip to content

Overview: certificate discovery

Where are the machines located that you want to protect? Are they inside of your organization's firewall (private), or are they out on the Internet (public-facing)?

Because server certificates are used both within private networks and out on the Internet, discovering and managing them requires a secure and flexible approach called discovery services.

There are three types of discovery services: Basic, Enhanced, and Internet.

Which service you choose depends on your needs.

  • Basic Discovery is a great option if you want to simply perform a quick certificate discovery inside your company's network that doesn't include automated validation.

    This discovery service type works together with Venafi's Scanafi utility to let you run manual discoveries. See Discovering private (internal) certificates.

  • Enhanced Discovery searches for certificates inside of your company's network according to a schedule (optional), and validates discovered certificates automatically.

    This discovery service uses Venafi VSatellite to run certificate discoveries according to a fixed schedule (optional) and performs validation for you (after they are added to the certificates inventory). This service is included in TLS Protect Cloud premium packages by default. See Discover private (internal) certificates.

  • Internet Discovery is a great option if you want to discover and protect certificates external to your company's private network.

    This service is created for you by default. But of course you can edit its name, add or remove targets, and change its discovery schedule. See Discover public (external) certificates.

  • Kubernetes Discovery employs a simple-to-use wizard to connect your Kubernetes clusters to Venafi Control Plane (Installations > Kubernetes Clusters). See Connecting a Kubernetes cluster.

    Venafi Control Plane installs a Venafi Kubernetes Agent on your cluster, which reports data on the cluster and any related certificates. The information collected is then viewable in the Venafi Control Plane UI on the Installations > Kubernetes Clusters page. See Viewing Kubernetes cluster information.

Following certificate discovery, TLS Protect Cloud adds all discovered certificates to the certificates inventory (Inventory > Certificates). After the certificates are in the inventory, TLS Protect Cloud can run daily validations on them and highlight potential issues that could cause outages.