Set up a Basic Discovery service

Use Basic Discovery to manually find certificates within your internal network using the Venafi Scanafi utility.

Tip

Basic Discovery does not include automated certificate validation. To include validation, create an Enhanced Discovery service.

Prerequisites

Ensure you have the following before creating the service:

  • Administrative access to an internal endpoint (Windows, Linux, or macOS).
  • Scanafi Credentials: A Scanafi Service Account Private Key or Client ID. These are generated after creating a Scanafi Service Account. For instructions, see Create a Scanafi service account.

What is Scanafi?

Scanafi is a lightweight, command-line executable that scans internal network hosts for SSL/TLS certificates. It performs discoveries on port 443 and other common ports via SSL/TLS and STARTTLS handshakes.

The utility supports two modes:

  • Online mode (Standard): Automatically transmits discovery results to Certificate Manager - SaaS via REST API.
  • Offline mode: Logs results to a local JSON file for manual import to the Certificate Manager - SaaS Platform later.

Create a Basic Discovery service

  1. Sign in to Certificate Manager - SaaS.
  2. Click Configurations > Discovery Services.

  3. Click New > Basic Discovery.

  4. Enter a unique Service name.
  5. Enter a Port Number or a range of ports to scan.
  6. Enter your Targets using IP addresses or fully qualified domain names (FQDNs):
    • Manual: Type the address and click Add.
    • Bulk: Click Import to upload a .csv file.
  7. Click Create Service.
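
A pre-import check for the port and target values entered in steps 5 and 6, as an added example that is not part of the Venafi documentation or the Scanafi utility. It assumes one target per row in the first column of the .csv file (the page does not specify the import layout) and, as a local policy choice, rejects public IP addresses because the service is meant for internal hosts; all function names and sample values are constructed.

```python
import csv
import io
import ipaddress
import re

# One DNS label: 1-63 letters, digits or hyphens, no leading/trailing hyphen.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Constructed sample input (assumed layout: one target per row, first column).
SAMPLE_CSV = "10.0.0.5\npki.corp.example\n10.0.0.256\n8.8.8.8\nPKI.corp.example\n"

def classify_target(value):
    """Return 'ip', 'fqdn', or None for a single target string."""
    value = value.strip()
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    labels = value.rstrip(".").split(".")
    # An all-numeric last label means a malformed IP (e.g. 10.0.0.256), not a name.
    if (len(value) <= 253 and len(labels) >= 2
            and all(LABEL.match(part) for part in labels)
            and not labels[-1].isdigit()):
        return "fqdn"
    return None

def parse_ports(spec):
    """Parse '443' or '8000-8100' into (low, high); raise ValueError if invalid."""
    low_text, _, high_text = spec.strip().partition("-")
    low = int(low_text)
    high = int(high_text) if high_text else low
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"port or range out of bounds: {spec!r}")
    return low, high

def check_targets(csv_text):
    """Return (accepted, rejected); rejected holds (row_number, value, reason)."""
    accepted, rejected, seen = [], [], set()
    for row_no, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        value = row[0].strip() if row else ""
        if not value:
            continue  # skip blank rows
        kind = classify_target(value)
        key = value.lower().rstrip(".")  # hostnames are case-insensitive
        if kind is None:
            rejected.append((row_no, value, "not an IP address or FQDN"))
        elif key in seen:
            rejected.append((row_no, value, "duplicate"))
        elif kind == "ip" and ipaddress.ip_address(value).is_global:
            rejected.append((row_no, value, "public address, outside internal scope"))
        else:
            seen.add(key)
            accepted.append(value)
    return accepted, rejected
```
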

Download and run Scanafi

After creating the service, run the utility on your local endpoint.

  1. In the Download Scanafi section, select your operating system: Windows PowerShell, macOS, or Linux.
  2. Copy and run the Download and Unzip command in your terminal.
  3. After downloading and installing, authenticate and run Scanafi using one of the following options:
    • Execute with Service Account: Copy and run the command, replacing the <CLIENT_ID> placeholder with the Client ID from your Scanafi Service Account.
    • Execute with API Token: Copy and run the command, replacing the placeholder with the Private Key from your Scanafi Service Account.

What's next?

After successfully discovering certificates, assign them to applications to begin managing their lifecycle.