
Discover certificates on machines

Certificate Manager - SaaS can discover certificates directly on machines, so you can track certificates that are already deployed in your environment, see which certificates have been added to or removed from those machines, and manage them accordingly.

Note

Please note that this functionality is currently available only on the F5 appliance, the VMware NSX Advanced Load Balancer (AVI), Microsoft IIS, Cloudflare, and Citrix ADC machines.

Before you begin

  • The machine should already be created in Certificate Manager - SaaS. If you have not done this yet, see Create a new machine.
  • The machine must be properly connected. You can use the Test Access button to verify the connection. You will find the Test Access button located under the Access tab.
  • The machine you want to discover should have a "VERIFIED" machine status. You will find the machine status located under the Access tab.
  • If you trigger machine discovery on a machine using the API (rather than the UI), the machine status can be either "UNVERIFIED" or "VERIFIED".

F5 BIG-IP LTM / Microsoft IIS / VMware NSX Advanced Load Balancer (AVI) / Cloudflare / Citrix ADC

To perform a discovery on your machine, please follow the steps outlined below:

  1. Sign in to Venafi Control Plane.
  2. Click Installations > Machines.
  3. Select the F5 BIG-IP LTM, Microsoft IIS, VMware NSX Advanced Load Balancer (AVI), Cloudflare, or Citrix ADC machine name that you want to perform a discovery on.
  4. Make sure the required fields are populated (such as Address/Hostname, Username, and Password).

    Note

    During Discovery the Cloudflare machine will not find certificates where the hostname is a wildcard.

  5. If you want to narrow the discovery, select the Discovery tab and apply filters. The available filters vary by machine type (F5, IIS, VMware NSX ALB (AVI), Cloudflare, Citrix ADC). Without filters, the discovery searches all resource types, partitions, tenants, CAPI stores, and certificates.

    Refer to the following machine-specific filters for more details.
    • F5:
      • Resource Types to Discover - Virtual Servers, Monitors, or Both.
      • Partitions - Use a comma to separate the list of partition names. Leaving this field empty means all partitions will be included in the discovery.
      • Exclude Expired Certificates - Certificates that have expired.
      • Exclude Inactive Certificates - Certificates not currently in use by an F5 virtual server.
      • Machine Discovery Schedule - Schedule your discovery daily, weekly, or monthly. Learn more
    • IIS:
      • CAPI Store - Personal, Web Hosting, or Both.
      • Exclude Expired Certificates - Certificates that have expired.
      • Machine Discovery Schedule - Schedule your discovery daily, weekly, or monthly. Learn more
    • VMware NSX ALB (AVI):
      • Tenants - Use a comma to separate the list of tenant names. Leaving this field empty means all tenants will be included in the discovery.
      • Exclude Expired Certificates - Certificates that have expired.
      • Exclude Inactive Certificates - Certificates not currently in use by a VMware NSX ALB (AVI) virtual server.
      • Machine Discovery Schedule - Schedule your discovery daily, weekly, or monthly. Learn more
    • Cloudflare:
      • Exclude Expired Certificates - Certificates that have expired.
      • Machine Discovery Schedule - Schedule your discovery daily, weekly, or monthly. Learn more
    • Citrix ADC:
      • Resource Types to Discover - Virtual Servers, Monitors, or Both.
      • Partitions - Use a comma to separate the list of partition names. Leaving this field empty means all partitions will be included in the discovery.
      • Exclude Expired Certificates - Certificates that have expired.
      • Machine Discovery Schedule - Schedule your discovery daily, weekly, or monthly. Learn more
  6. Click Discover Now.

  7. A message below the machine name shows the date and time the discovery started. Refresh the page to see the message update when the discovery has completed.

    Note

    Discovery continues past individual errors or certificate issues, but it stops once it has encountered 20 or more errors. If Discovery fails, review the event logs for the details you need to troubleshoot.

  8. Select the Discovery tab to see your discovery results. You will see the following:

    • Total Discovered/Newly Discovered
    • Installations created
    • Installations missing
    • Installations deleted
    • Execution time
    What do these discovery results actually mean?
    • Total Discovered: The number of certificates found during this discovery run, both those already found in previous runs and any new ones.
    • Newly Discovered: The number of certificates found by this run that had not been found before.
    • Installations created: The number of installations this run created.
    • Installations missing: Installations found in a previous discovery that were not found in this one and have been missing for three days or less.
    • Installations deleted: Installations that remained in the "MISSING" state for more than three days and were therefore deleted by this run.
    • Execution time: How long the discovery took to complete.

    Note

    Because of how Cloudflare operates, the connector connects to the hosts associated with the certificates in the zones in order to retrieve them. If the VSatellites cannot resolve or connect to those hostnames, the certificate is not discovered. If the discovery returns fewer certificates than expected, review the VSatellite logs to identify the hosts it could not connect to.

  9. You can now view the discovered installations by clicking the Installations tab.

    Note

    On the Installations tab, the "Status" field of an installation can have the following states:

    • Discovered: Either a certificate that had no installation yet and was not pushed using Certificate Manager - SaaS, or an existing installation that was pushed using Certificate Manager - SaaS, whose status changes from "Installed" to "Discovered" once discovery finds it.
    • Missing: An installation that was found in a previous discovery, was not found in the current one, and has been missing for three days or less.
    • Validated: An installation that was found in a previous discovery and is found again in the current discovery.

    Important

    If discovery finds an installation in a "MISSING" state for more than three days, it will automatically delete the installation.

    Important

    When using Cloudflare it is important to note that Discovery will only discover "Custom" certificates. Discovery will NOT discover "Universal" or "Backup" certificates as these certificates are managed solely via Cloudflare.
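The Cloudflare notes above come down to one question: can the VSatellite resolve and complete a TLS handshake with each hostname, and is the hostname a wildcard that discovery skips anyway? The following pre-flight check is an added example, not Venafi or Cloudflare code. SAMPLE_HOSTNAMES is a constructed list; in practice you would take the hostnames from the custom certificates in your zone. Run it on the VSatellite host so that DNS and outbound TLS are exercised from the same network position the connector uses.

```python
"""Reachability pre-check for hostnames behind Cloudflare custom certificates.

Added example, not Venafi or Cloudflare code. SAMPLE_HOSTNAMES is constructed.
"""
import socket
import ssl
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed sample: hostnames as they might appear on custom certificates.
SAMPLE_HOSTNAMES = [
    "www.example.com",
    "*.example.com",              # wildcard: Discovery does not find these
    "app.internal.example.com",   # may not resolve from the VSatellite
]


def is_wildcard(hostname: str) -> bool:
    """Discovery does not find wildcard hostnames, so there is no point probing them."""
    return hostname.startswith("*.")


def partition_hosts(hostnames: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split hostnames into ones worth probing and wildcards that discovery skips."""
    probeable, skipped = [], []
    for host in hostnames:
        (skipped if is_wildcard(host) else probeable).append(host)
    return probeable, skipped


def probe_host(hostname: str, port: int = 443, timeout: float = 5.0) -> Dict:
    """Resolve the host and complete a TLS handshake with it, as the connector must.

    The result records which stage failed ("dns" or "connect") so that DNS
    problems on the VSatellite can be told apart from firewall or TLS problems.
    """
    try:
        socket.getaddrinfo(hostname, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return {"host": hostname, "ok": False, "stage": "dns", "error": str(exc)}
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # we only want to see whatever certificate is served;
    ctx.verify_mode = ssl.CERT_NONE  # validating it is not the question this check answers
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                der = tls.getpeercert(binary_form=True)
    except OSError as exc:           # ssl.SSLError and socket.timeout are OSError subclasses
        return {"host": hostname, "ok": False, "stage": "connect", "error": str(exc)}
    return {"host": hostname, "ok": True, "stage": "tls", "cert_der_len": len(der or b"")}


def check_hosts(hostnames: Iterable[str], probe: Callable[[str], Dict] = probe_host) -> Dict:
    """Report reachable hosts, unreachable hosts with the failing stage, and skipped wildcards.

    `probe` is injectable so the bookkeeping can be exercised without network access.
    """
    probeable, skipped = partition_hosts(hostnames)
    results = [probe(host) for host in probeable]
    return {
        "reachable": [r["host"] for r in results if r["ok"]],
        "unreachable": [r for r in results if not r["ok"]],
        "skipped_wildcards": skipped,
    }


if __name__ == "__main__":
    report = check_hosts(SAMPLE_HOSTNAMES)
    for host in report["reachable"]:
        print(f"OK           {host}")
    for r in report["unreachable"]:
        print(f"FAIL:{r['stage']:<7} {r['host']}  {r['error']}")
    for host in report["skipped_wildcards"]:
        print(f"SKIPPED      {host}  (wildcard; not discoverable)")
```

Any host reported as FAIL:dns or FAIL:connect is one the connector will also fail on, so its certificate will be absent from the discovery results; fix the resolver or the egress path from the VSatellite and rerun the discovery.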
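The results in step 8 and the status values in step 9 describe a small reconciliation process: each run compares what it found against the existing installations, moves installations between "Discovered", "Validated" and "Missing", and deletes anything missing for more than three days. The model below is an added example, not Venafi code, that reproduces that bookkeeping over a constructed inventory so you can see how the counters and statuses evolve across runs. The page does not say how an installation is keyed; here one installation is a (certificate fingerprint, location) pair, which is an assumption, as is treating an installation that reappears after being "Missing" as "Validated".

```python
"""Reconciliation model for machine discovery results.

Added example, not Venafi code. The installation key and the handling of a
re-found "Missing" installation are assumptions; the counters and the
three-day grace period follow the page's descriptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Set, Tuple

MISSING_GRACE = timedelta(days=3)  # missing for MORE than three days -> deleted

Key = Tuple[str, str]              # (certificate fingerprint, location such as a virtual server)


@dataclass
class Installation:
    key: Key
    status: str                    # "Installed", "Discovered", "Validated" or "Missing"
    missing_since: Optional[datetime] = None


def reconcile(inventory: Dict[Key, Installation], found: Set[Key], now: datetime) -> Dict[str, int]:
    """Apply one discovery run to `inventory` in place and return the results counters."""
    known_certs = {fp for fp, _ in inventory}
    found_certs = {fp for fp, _ in found}
    created = 0

    for key in found:
        inst = inventory.get(key)
        if inst is None:
            # Not tracked before: a brand-new installation in the "Discovered" state.
            inventory[key] = Installation(key, "Discovered")
            created += 1
        elif inst.status == "Installed":
            # Pushed earlier by Certificate Manager; discovery now reports it as "Discovered".
            inst.status = "Discovered"
        else:
            # Seen in a previous run and seen again now.
            inst.status = "Validated"
            inst.missing_since = None

    missing = deleted = 0
    for key in list(inventory):
        if key in found:
            continue
        inst = inventory[key]
        if inst.missing_since is None:
            inst.status = "Missing"
            inst.missing_since = now
        if now - inst.missing_since > MISSING_GRACE:
            del inventory[key]     # more than three days in "Missing": removed automatically
            deleted += 1
        else:
            missing += 1

    return {
        "total_discovered": len(found_certs),
        "newly_discovered": len(found_certs - known_certs),
        "installations_created": created,
        "installations_missing": missing,
        "installations_deleted": deleted,
    }


def run_scenario():
    """Constructed four-run scenario; returns the per-run results and the final statuses."""
    day0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    a_web, b_web = ("sha256:A", "vs-web"), ("sha256:B", "vs-web")
    c_web, c_api = ("sha256:C", "vs-web"), ("sha256:C", "vs-api")
    inventory: Dict[Key, Installation] = {
        a_web: Installation(a_web, "Installed"),   # pushed by Certificate Manager earlier
        b_web: Installation(b_web, "Validated"),   # seen by an earlier discovery
    }
    runs = [
        (day0,                     {a_web, b_web, c_web, c_api}),  # C is new, on two virtual servers
        (day0 + timedelta(days=1), {a_web, c_web}),                # B and C@vs-api go "Missing"
        (day0 + timedelta(days=4), {a_web, c_web}),                # exactly 3 days missing: kept
        (day0 + timedelta(days=5), {a_web, c_web}),                # more than 3 days: deleted
    ]
    results = [reconcile(inventory, found, now) for now, found in runs]
    statuses = {key: inst.status for key, inst in inventory.items()}
    return results, statuses


if __name__ == "__main__":
    for i, res in enumerate(run_scenario()[0]):
        print(f"run {i}: {res}")
```

Note that "Newly Discovered" and "Installations created" differ in the first run: one new certificate installed on two virtual servers yields one newly discovered certificate but two created installations. The boundary matters too: an installation missing for exactly three days is still reported as missing, and only the run after that deletes it, so anything you want to retain must be re-discovered, or restored, within that window.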

Set up Machine Discovery Schedule

  1. In the Certificate Manager - SaaS toolbar, click Installations and select Machines from the drop-down menu.
  2. Select the F5 BIG-IP LTM, Microsoft IIS, VMware NSX Advanced Load Balancer (AVI), Cloudflare, or Citrix ADC machine name that you want to perform a discovery on.
  3. Click the Discovery tab for the machine.
  4. On IIS machines, from the CAPI Store drop-down, select the store to discover from (Personal, Web Hosting, or Both). Other machine types show their own filters, as listed above.
  5. Click the Exclude Expired toggle switch to exclude expired certificates from discovery on this machine.
  6. Click the Exclude Inactive toggle switch to exclude inactive certificates from discovery on this machine.
  7. Click the Schedule toggle switch to enable scheduled machine discovery for this machine.
  8. Under Repeat every, select your desired daily, weekly, or monthly schedule, then choose the time.

    Note

    The Schedule toggle switch must be enabled before you can configure the machine discovery schedule. The current time shown is in UTC.