Discover certificates on machines

TLS Protect Cloud enables machine-based discovery, facilitating seamless tracking of certificates already deployed to your machines within your environment. This capability empowers you to identify certificates that have been added or removed from these machines and manage them appropriately.

Note

This functionality is currently available only for F5 appliance, VMware NSX Advanced Load Balancer (AVI), Microsoft IIS, and Cloudflare machines.

Before you begin

  • The machine should already be created in TLS Protect Cloud. If you have not done this yet, see Create a new machine.
  • The machine must be properly connected. Use the Test Access button, located under the Access tab, to verify the connection.
  • The machine you want to discover should have a "VERIFIED" machine status, which is shown under the Access tab.
  • If you trigger machine discovery on a machine using the API (rather than the UI), the machine status can be either "UNVERIFIED" or "VERIFIED".

F5 BIG-IP LTM / Microsoft IIS / VMware NSX Advanced Load Balancer (AVI) / Cloudflare

To perform a discovery on your machine, please follow the steps outlined below:

  1. Sign in to Venafi Control Plane.
  2. Click Installations > Machines.
  3. Select the F5 BIG-IP LTM, Microsoft IIS, VMware NSX Advanced Load Balancer (AVI), or Cloudflare machine name that you want to perform a discovery on.
  4. Make sure the required fields are populated (such as Address/Hostname, Username, and Password).

    Note

    During Discovery the Cloudflare machine will not find certificates where the hostname is a wildcard.

  5. If you would like to set criteria for the discovery, select the Discovery tab and apply filters. The available filters vary by machine type (F5, IIS, VMware NSX ALB (AVI), Cloudflare). Without filters, the discovery searches all resource types, partitions, tenants, CAPI stores, and certificates.

    Refer to the following machine-specific filters for more details.
    • F5:
      • Resource Types to Discover - Virtual Servers, Monitors, or Both.
      • Partitions - Use a comma to separate the list of partition names. Leaving this field empty means all partitions will be included in the discovery.
      • Exclude Expired Certificates - Certificates that have expired.
      • Exclude Inactive Certificates - Certificates not currently in use by an F5 virtual server.
      • Machine Discovery Schedule - Schedule your discovery daily, weekly, or monthly (see Set up Machine Discovery Schedule below).
    • IIS:
      • CAPI Store - Personal, Web Hosting, or Both.
      • Exclude Expired Certificates - Certificates that have expired.
      • Machine Discovery Schedule - Schedule your discovery daily, weekly, or monthly (see Set up Machine Discovery Schedule below).
    • VMware NSX ALB (AVI):
      • Tenants - Use a comma to separate the list of tenant names. Leaving this field empty means all tenants will be included in the discovery.
      • Exclude Expired Certificates - Certificates that have expired.
      • Exclude Inactive Certificates - Certificates not currently in use by a VMware NSX ALB (AVI) virtual server.
      • Machine Discovery Schedule - Schedule your discovery daily, weekly, or monthly (see Set up Machine Discovery Schedule below).
    • Cloudflare:
      • Exclude Expired Certificates - Certificates that have expired.
      • Machine Discovery Schedule - Schedule your discovery daily, weekly, or monthly (see Set up Machine Discovery Schedule below).
  6. Click Discover Now.

  7. A message below the machine name shows the date and time your discovery was started. The message updates when the discovery completes, but you must refresh the page to see the update.

    Note

    Discovery continues to run even if it encounters errors or certificate issues; however, if it encounters 20 or more errors, it stops. If Discovery fails, review the event logs for detailed information and troubleshoot the issue.

  8. Select the Discovery tab to see your discovery results. The results show the following:

    • Total Discovered: The number of certificates found during the discovery run, including those found in previous discoveries and any new certificates.
    • Newly Discovered: The number of new certificates found by the discovery run.
    • Installations created: The number of installations created by the discovery run.
    • Installations missing: The number of installations that were found in the previous discovery but are absent from the current discovery, and have been missing for three days or less.
    • Installations deleted: The number of installations deleted because they had been in the "MISSING" state for more than three days.
    • Execution time: The amount of time the discovery took to complete.

    Note

    Because of how Cloudflare operates, the connector attempts to connect to the hosts associated with the certificates in the zones in order to retrieve them. If the VSatellites cannot resolve or connect to those hostnames, the certificate is not discovered. If the discovery returns fewer certificates than expected, review the VSatellite logs to identify the hosts that could not be connected to.

  9. You can now view the discovered installations by clicking the Installations tab.

    Note

    A few notes about the Installations tab and machine discovery. The "Status" field can have the following states:

    • Discovered: A certificate that did not have an installation yet or was not pushed using TLS Protect Cloud, or an existing certificate that was pushed using TLS Protect Cloud, in which case its status changes from "Installed" to "Discovered."
    • Missing: An installation that was found in the previous discovery but is absent from the current discovery, and has been missing for three days or less.
    • Validated: An installation that was found in the previous discovery and is found again in the current discovery.

    Important

    If discovery finds an installation in a "MISSING" state for more than three days, it will automatically delete the installation.

    Important

    When using Cloudflare, Discovery only discovers "Custom" certificates. It does NOT discover "Universal" or "Backup" certificates, because those certificates are managed solely by Cloudflare.
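The result counters in step 8 and the status transitions in step 9 together describe a reconciliation between the previous discovery's inventory and the set of certificates found in the current run. The following is an added example (not TLS Protect Cloud's own code, and not an API it exposes) that models that reconciliation so the counts and the three-day "MISSING" grace period can be checked against a constructed inventory. Assumptions labelled in the code: installation identifiers are plain strings, an installation is "missing since" the first run in which it was absent, and "more than three days" is measured from that run's date.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional, Set, Tuple

# Page rule: an installation in "MISSING" state for more than three days is deleted.
MISSING_GRACE = timedelta(days=3)


@dataclass
class Installation:
    # One of "Installed" (pushed by TLS Protect Cloud), "Discovered",
    # "Validated" or "Missing"; statuses are those listed on the page.
    status: str
    # Assumption: date of the first discovery run in which the installation was absent.
    missing_since: Optional[date] = None


def reconcile(previous: Dict[str, Installation], found_now: Set[str],
              run_date: date) -> Tuple[Dict[str, Installation], Dict[str, int]]:
    """Apply one discovery run to the installation inventory.

    Returns the post-run inventory and the result counters from the Discovery tab.
    """
    inventory: Dict[str, Installation] = {}
    results = {
        "total_discovered": len(found_now),   # everything seen this run, old and new
        "newly_discovered": 0,
        "installations_created": 0,
        "installations_missing": 0,
        "installations_deleted": 0,
    }

    # Certificates present on the machine in this run.
    for cert_id in sorted(found_now):
        prev = previous.get(cert_id)
        if prev is None:
            # No installation existed yet: create one in "Discovered" state.
            inventory[cert_id] = Installation("Discovered")
            results["newly_discovered"] += 1
            results["installations_created"] += 1
        elif prev.status == "Installed":
            # Pushed by TLS Protect Cloud and now seen by discovery: Installed -> Discovered.
            inventory[cert_id] = Installation("Discovered")
        else:
            # Found in the previous discovery and found again: Validated.
            inventory[cert_id] = Installation("Validated")

    # Installations known before but absent from this run.
    for cert_id, prev in previous.items():
        if cert_id in found_now:
            continue
        since = prev.missing_since or run_date
        if run_date - since > MISSING_GRACE:
            # Missing for more than three days: deleted, so it leaves the inventory.
            results["installations_deleted"] += 1
            continue
        inventory[cert_id] = Installation("Missing", since)
        results["installations_missing"] += 1

    return inventory, results


def demo_runs() -> Dict[str, Installation]:
    """Constructed sample: cert B disappears after day 1 and is deleted on day 6."""
    inventory = {"A": Installation("Installed"), "B": Installation("Validated")}
    runs = [
        (date(2024, 1, 1), {"A", "B", "C"}),  # C is new
        (date(2024, 1, 2), {"A", "C"}),       # B goes missing
        (date(2024, 1, 5), {"A", "C"}),       # exactly 3 days: still within grace
        (date(2024, 1, 6), {"A", "C"}),       # 4 days: deleted
    ]
    for run_date, found in runs:
        inventory, results = reconcile(inventory, found, run_date)
        print(run_date, results, {k: v.status for k, v in inventory.items()})
    return inventory


if __name__ == "__main__":
    demo_runs()
```

Running the script prints one line per simulated run; the final inventory contains only A and C, both "Validated", and the last run reports one deleted installation.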

Set up Machine Discovery Schedule

  1. In the TLS Protect Cloud toolbar, click Installations and select Machines from the drop-down menu.
  2. Select the F5 BIG-IP LTM, Microsoft IIS, VMware NSX Advanced Load Balancer (AVI), or Cloudflare machine name that you want to perform a discovery on.
  3. Click the Discovery tab for the machine.
  4. Scroll to the bottom of the page and activate the Machine Discovery Schedule by clicking the toggle switch to turn it on.
  5. Under Repeat every, select your desired daily, weekly, or monthly schedule. Then, choose your desired time.
  6. Click Save.

Note

The current time shown is in UTC.