
Create a Basic Discovery service

Create and run a Basic Discovery service if you want to simply perform a quick certificate discovery inside your company's network. This discovery type uses Venafi's Scanafi utility to let you run manual discoveries.


Basic discovery does not include automated certificate validation. If you want automated certificate validation, create an Enhanced discovery service instead.


Consider the following prerequisites before you create your discovery service.

Scanafi discovers certificates on endpoints that are not reachable from the public internet. You'll need administrator access to an endpoint on which to download, install, and run Scanafi.

What is Scanafi?

Scanafi is a lightweight command-line tool that enables you to scan hosts on your internal network for SSL/TLS certificates. Scanafi is available as a single executable file for Windows, Linux, and macOS operating systems.

Scanafi performs certificate discoveries on port 443 and additional well-known ports via SSL/TLS and STARTTLS handshakes. It also tests for the presence of known vulnerabilities such as DROWN, Heartbleed, Logjam, POODLE, and POODLE TLS.

The primary mode of operation involves sending certificate discovery results to the TLS Protect Cloud Platform over the REST API. This communication is over HTTPS (TCP port 443).

Scanafi can operate in two simple modes: online or offline.

  • In online mode, Scanafi automatically transmits certificate discovery results to the TLS Protect Cloud instance specified in the API call portion of the command line operation. Communication is over HTTPS, and authentication credentials (an API token) for TLS Protect Cloud are also required. You can get an API token after successful registration on TLS Protect Cloud.
  • In offline mode, all certificate discovery results are logged to a standard text file, in JSON format. This file can then be collected for out-of-band import to the TLS Protect Cloud Platform using the TLS Protect Cloud API.

To create a Basic Discovery service

  1. Sign in to Venafi Control Plane.
  2. Click Configurations > Discovery Services.

  3. Click New > Basic Discovery, and then follow the remaining prompts.

What's next?

After you perform a discovery, it's a good idea to then assign certificates to applications.