Certificate Authority Scan

AppViewX can communicate with a CA and scan its certificates. To discover certificates from a CA, the CA account must first be defined under the AppViewX inventory settings.
Important:
  • Certificate discovery for CAs that include the integrated gateway functionality will be done in batches of 500 certificates.
  • For the HydrantID CA, the certificate authority scan will discover only active certificates. To discover expired certificates, a rule must be created and applied at the time of triggering the certificate authority scan.

To trigger a certificate authority scan:

  1. Go to (Menu) > CERT+ > CERTIFICATE DISCOVERY > Discovery > Certificate Authority Scan.
    The Discovery : Certificate Authority Scan : Add Discovery page is displayed.
  2. In the Discover Details section, select/enter the following details:
    Table 1. Field descriptions for the Discover Details section
    Field: Description
    *Discovery Run Type: Click the check box to select the desired discovery run type. The possible types are:
    • On-demand - The user triggers a discovery manually whenever required.
    • Schedule - By scheduling the discovery, the user automates the process for a defined time/frequency.
    Note: AppViewX triggers the certificate discovery process for that instance.
    Discovery Instance Name: Enter the name of the discovery instance.
    Description: Enter the required details in this field.
    Note: Character limit: 2000 characters
    Note: The following fields are displayed only when Discovery Run Type = Schedule.
    Occurrence Type: From the dropdown list, select one of the following occurrence frequencies:
    • Daily
    • Weekly
    • Monthly
    • Yearly
    *Repeat On:
    Note: This field is displayed only when Occurrence Type = Weekly.
    Select the checkbox corresponding to the day of the week on which you want the discovery occurrence to repeat.
    *Starts On: Click (Calendar widget) to select a date to start the scheduled discovery.
    *Ends: From the following options, select when the scheduled discovery is to end:
    • Never: Discovery never stops.
    • After: Discovery stops after the number of occurrences specified in the text field.
    • On: Discovery stops on the date selected using (Calendar widget).
    Summary: Displays a summary of the selections made for the scheduled discovery.
    *: Mandatory fields
  3. In the Discover By section, enter/select the following details:
    Table 2. Field descriptions for the Discover By section
    Field: Description
    *Discovery From: From the dropdown list, select the source for certificate discovery.
    *Select CA: From the dropdown list, select a CA to view its managed accounts in AppViewX for certificate discovery.
    Note: Starting version 2021.1.0, on selecting the ACM Private CA, the regions configured for the selected account are listed in the Region field.
    CA accounts table: All managed CAs are listed in the CA accounts table, just after the Select CA field. Select the CAs you want to discover certificates from.

    The CA accounts table has the following options:

    • Add as Favorites: Mark your frequently used CAs as favorites.
    • All: Select this to see the complete list of CAs (unfiltered).
    • Selected: Select this to list only the selected CAs.
    • Unselected: Select this to list only the unselected CAs.
    • Delete: Remove the selected CA(s) from the favorites list.
    Scan Type: Scan Type for on-demand discovery:
    • Aggressive: To discover all certificates from the selected CA account, select Aggressive.
    • Optimized: To filter and discover certificates based on a specific discovery parameter, select Optimized.

    Scan Type for scheduled discovery:

    • Aggressive: To discover all certificates from the selected CA account during every scan, select Aggressive.
    • Optimized: To filter and discover only the delta certificates from the selected CA account during every scan, select Optimized.
    Important: For Microsoft CA (standalone and enterprise) configured in integrated mode, optimized certificate discovery is not supported.
    Discovery Parameters: To filter the results of the certificate authority scan, AppViewX lets you select from a list of CA-specific columns/fields, called the discovery parameters.
    Currently, AppViewX supports discovery parameters for the CAs listed in Tables 3 to 8 below.
    Include Expired Certificates:
    Note: This field is displayed only for the DigiCert and HydrantID CAs, for all scan types and discovery parameters.

    To include expired certificates in the discovery results, select this checkbox.

    By default, expired certificates are not discovered unless specified by the discovery parameters.

    Include Renewed Certificates:
    Note: This field is displayed only for the HydrantID CA, except when Status is one of the selected Discovery Parameters.
    To include renewed certificates in the discovery results, select this checkbox.
    *: Mandatory fields
    Table 3. Discovery Parameters for CSC Global CA
    Field: Description
    Discovery Parameters (CSC Global): To filter the results of the certificate authority scan, AppViewX supports the following discovery parameters for CSC Global CA:
    • Certificate Status
    • Certificate Types
    • Certificate Effective Date
    • Certificate Expiration Date
    To filter the discovery of CSC Global CA certificates:
    1. From the dropdown list, select the required discovery parameter(s).
      Note: You can select a combination of discovery parameters. However, only one of the following discovery parameters can be selected:
      • Certificate Effective Date
      • Certificate Expiration Date
      When one of these parameters is selected, the other one is disabled for selection.

      Corresponding to the discovery parameter(s) selected, a text field/dropdown list is displayed.

    2. Enter/select the value(s) for the selected discovery parameter(s).
    *: Mandatory fields
    Table 4. Discovery Parameters for DigiCert CA
    Field: Description
    Discovery Parameters (DigiCert CA): To filter the results of the certificate authority scan, AppViewX supports the following discovery parameters for DigiCert CA:
    • None
    • Product Name (multiple values can be selected)
    • Common Name
    • Order ID (multiple values can be selected)
    • Certificate ID
    • Status
    • Domain Name
    • Organization ID (multiple values can be selected)
    • Expires On
    • Certificate Created On (to discover certificates created within the selected date range; the date range must not exceed two years)
    • Expiring Before (to discover certificates expiring before the selected date; discovery does not include certificates expiring on the selected date)
    • Expiring After (to discover certificates expiring after the selected date; discovery does not include certificates expiring on the selected date)
    To filter the discovery of DigiCert CA certificates:
    1. From the dropdown list, select the required discovery parameter.

      Corresponding to the discovery parameter selected, a text field/dropdown list is displayed.

    2. Enter/select the value for the selected discovery parameter.
    *: Mandatory fields
    Table 5. Discovery Parameters for Entrust CA
    Field: Description
    Discovery Parameters (Entrust CA): To filter the results of the certificate authority scan, AppViewX supports the following discovery parameters for Entrust CA: Certificate Status and Certificate Type.

    To filter the outcome of the certificate authority discovery for Entrust CA, from the Discovery Parameters dropdown list, select the parameter(s).

    Important: The discovery parameters specified in the subsequent fields take precedence over the Associate Rule specified in the Discovery Rules section.
    Important: If the certificates discovered based on the discovery parameters have associated root and/or intermediate certificates, those certificates are also included in the results, irrespective of their type and status.
    Certificate Status: This field is displayed only when Select CA = Entrust and Discovery Parameters = Certificate Status.

    To filter the certificate authority discovery for Entrust CA based on the certificate status, from this dropdown menu, select the required status value(s).

    Important: When Certificate Status = Declined or Pending, the discovery returns no certificates, since in both these cases (a certificate enrollment that is declined or still pending) the end-entity certificate has not been created.
    Certificate Type: This field is displayed only when Select CA = Entrust and Discovery Parameters = Certificate Types.

    To filter the certificate authority discovery for Entrust CA based on the certificate type, from this dropdown menu, select the required type(s).

    *: Mandatory fields
    Table 6. Discovery Parameters for HydrantID CA
    Field: Description
    Discovery Parameters (HydrantID CA): To filter the results of the certificate authority scan, AppViewX supports the following discovery parameters for HydrantID CA:
    • Certificate Types
    • Created From
    • Updated From
    • Not Before
    • Not After
    • Common Name
    • Serial Number
    • Status
    • Owner
    • Account
    • Organization
    From the dropdown list, select the required discovery parameter(s).
    *Certificate Types: This field is displayed when Certificate Types is one of the selected Discovery Parameters.

    To filter the certificate authority discovery for HydrantID CA based on the certificate types, from this dropdown menu, select a certificate type based on the required certificate characteristics and use cases.

    *Created From: This field is displayed when Created From is one of the selected Discovery Parameters.

    To filter discovery results based on the certificates' initial creation date, use the (calendar) widget to select the required date.

    The discovery results are then filtered to include only those certificates that were created between the selected date and the current date.

    Example: If the selected date is 2022-04-07, then the discovery results will include only those certificates that were created between 2022-04-07 and the current date.

    Important: The maximum allowed date range is three years from the current date.
    *Updated From: This field is displayed when Updated From is one of the selected Discovery Parameters.

    To filter discovery results based on the most recent certificate update date, use the (calendar) widget to select the required date.

    The discovery results are then filtered to include only those certificates that were updated between the selected date and the current date.

    Example: If the selected date is 2022-04-07, then the discovery results will include only those certificates that were updated between 2022-04-07 and the current date.

    Important: The maximum allowed date range is three years from the current date.
    Not Before: This field is displayed when Not Before is one of the selected Discovery Parameters.

    To filter discovery results based on when a certificate's validity period begins, use the (calendar) widget to select the required date.

    The discovery results are filtered to include only those certificates that become valid after the selected date, which means the certificates are not valid before the selected date.

    Not After: This field is displayed when Not After is one of the selected Discovery Parameters.

    To filter discovery results based on when a certificate's validity period ends, use the (calendar) widget to select the required date.

    The discovery results are filtered to include only those certificates that are not valid after the selected date.

    *Common Name: This field is displayed when Common Name is one of the selected Discovery Parameters.

    To filter certificates based on a specific common name, enter the required common name in this field.

    *Serial Number: This field is displayed when Serial Number is one of the selected Discovery Parameters.

    To filter certificates based on the unique identifier assigned to them by the issuing Certificate Authority (CA), enter the required serial number in this field.

    *Status: This field is displayed when Status is one of the selected Discovery Parameters.

    To filter certificates based on their current status, from the dropdown list, select the required status value.

    *Owner: This field is displayed when Owner is one of the selected Discovery Parameters.

    To filter discovery results based on the designated owner responsible for managing the certificates, enter the required owner name in this field.

    *Account: This field is displayed when Account is one of the selected Discovery Parameters.

    To filter discovery results based on the user account associated with a certificate, enter the required account name in this field.

    *Organization: This field is displayed when Organization is one of the selected Discovery Parameters.

    To filter discovery results based on the organization, enter the required organization name in this field.

    An organization is the entity to which a certificate is issued; it is used to validate the ownership and authenticity of the certificate.

    *: Mandatory fields
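    As an added illustration, not AppViewX's own code or any CA connector, of how the date-based discovery parameters in Table 4 (DigiCert: Expiring Before/After, which exclude certificates expiring on the selected day, and Certificate Created On, limited to a two-year range) and Table 6 (HydrantID: Created From / Updated From, limited to three years back from the current date, and Not Before / Not After) narrow a result set, the Python below applies those semantics to a constructed set of certificate records. The record fields, function names and the fixed reference date are assumptions made for this example; the page does not say how the selected day itself is treated for Not Before / Not After, so counting it as included is also an assumption.

```python
from datetime import date

# Constructed sample records (not real certificates). Field names are this
# example's own, not AppViewX or CA API names.
SAMPLE_CERTS = [
    {"cn": "app1.example.test", "created": date(2022, 1, 15), "updated": date(2022, 6, 1),
     "not_before": date(2022, 1, 15), "not_after": date(2023, 1, 15)},
    {"cn": "app2.example.test", "created": date(2022, 4, 7), "updated": date(2022, 4, 7),
     "not_before": date(2022, 4, 7), "not_after": date(2023, 4, 7)},
    {"cn": "app3.example.test", "created": date(2022, 9, 30), "updated": date(2023, 2, 10),
     "not_before": date(2022, 10, 1), "not_after": date(2023, 10, 1)},
    {"cn": "old.example.test", "created": date(2018, 3, 1), "updated": date(2018, 3, 1),
     "not_before": date(2018, 3, 1), "not_after": date(2020, 3, 1)},
]


def years_before(day, years):
    """Same calendar day `years` earlier; 29 Feb falls back to 28 Feb."""
    try:
        return day.replace(year=day.year - years)
    except ValueError:
        return day.replace(year=day.year - years, day=28)


def window_is_valid(selected, today, max_years):
    """True when 'selected .. today' stays within the CA's maximum look-back."""
    return years_before(today, max_years) <= selected <= today


# HydrantID Created From / Updated From (Table 6): certificates created or
# updated between the selected date and today, at most three years back.
def hydrant_from_filter(certs, field, selected, today):
    if not window_is_valid(selected, today, 3):
        raise ValueError("Created From / Updated From must be within three years of today")
    return [c["cn"] for c in certs if selected <= c[field] <= today]


# HydrantID Not Before / Not After (Table 6). Treating the selected day itself
# as included is an assumption; the page does not specify the boundary.
def hydrant_not_before(certs, selected):
    return [c["cn"] for c in certs if c["not_before"] >= selected]


def hydrant_not_after(certs, selected):
    return [c["cn"] for c in certs if c["not_after"] <= selected]


# DigiCert Expiring Before / Expiring After (Table 4): the selected day itself
# is excluded, hence strict comparisons.
def digicert_expiring_before(certs, selected):
    return [c["cn"] for c in certs if c["not_after"] < selected]


def digicert_expiring_after(certs, selected):
    return [c["cn"] for c in certs if c["not_after"] > selected]


# DigiCert Certificate Created On (Table 4): an inclusive date range of at
# most two years.
def created_on_range_is_valid(start, end):
    return start <= end and start >= years_before(end, 2)


def digicert_created_on(certs, start, end):
    if not created_on_range_is_valid(start, end):
        raise ValueError("Certificate Created On range must be at most two years")
    return [c["cn"] for c in certs if start <= c["created"] <= end]


if __name__ == "__main__":
    today = date(2023, 3, 1)  # constructed reference date for the demonstration
    selected = date(2022, 4, 7)  # the date used in the page's own example
    print("Created From", selected, "->", hydrant_from_filter(SAMPLE_CERTS, "created", selected, today))
    print("Updated From", selected, "->", hydrant_from_filter(SAMPLE_CERTS, "updated", selected, today))
    print("Not Before", selected, "->", hydrant_not_before(SAMPLE_CERTS, selected))
    print("Not After 2023-04-07 ->", hydrant_not_after(SAMPLE_CERTS, date(2023, 4, 7)))
    print("Expiring Before 2023-04-07 ->", digicert_expiring_before(SAMPLE_CERTS, date(2023, 4, 7)))
    print("Expiring After 2023-04-07 ->", digicert_expiring_after(SAMPLE_CERTS, date(2023, 4, 7)))
    print("Created On 2022 ->", digicert_created_on(SAMPLE_CERTS, date(2022, 1, 1), date(2022, 12, 31)))
    print("Five-year Created From allowed?", window_is_valid(date(2018, 1, 1), today, 3))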
    Table 7. Discovery Parameters for Microsoft CA
    Field: Description
    Discovery Parameters (Microsoft CA): To filter the results of the certificate authority scan, AppViewX supports the following discovery parameters for Microsoft CA:
    • Requester Name
    • Certificate Template
    • Common Name
    • Certificate Effective Date
    • Certificate Expiration Date
    • Time Range
    To filter the discovery of Microsoft CA certificates:
    1. From the dropdown list, select the required discovery parameter(s).
      Note: You can select a combination of discovery parameters. However, only one of the following discovery parameters can be selected:
      • Certificate Effective Date
      • Certificate Expiration Date
      • Time Range
      When one of these three parameters is selected, the other two are disabled for selection.
      Corresponding to the discovery parameter(s) selected, a text field/dropdown list is displayed.
    2. Enter/select the value(s) for the selected discovery parameter(s).
    *: Mandatory fields
    Table 8. Discovery Parameters for Sectigo CA
    Field: Description
    Discovery Parameters (Sectigo CA): To filter the results of the certificate authority scan, AppViewX supports the following discovery parameters for Sectigo CA:
    • Start Date
    • End Date
    Using these parameters, you can specify a date range to discover only those certificates that were issued between the specified start and end dates.
    *: Mandatory fields
  4. In the Discovery Rules section, from the Associate Rule dropdown list, select a rule that will be used to filter the discovered certificates.
    A rule is a set of filters combined in the Rules menu; selecting a rule applies its filters to the discovered certificates.
  5. In the After Discover section, enter/select the following details:
    Table 9. Field descriptions for the After Discover section
    Field: Description
    *Move Certificate to Inventory with Status: Select one of the following options:
    • Do not move: The newly discovered certificates and their objects are not moved to the inventory.
    • Managed: The newly discovered certificates and their objects are moved to the inventory with the status set to Managed.
    • Monitored: The newly discovered certificates and their objects are moved to the inventory with the status set to Monitored.
    Note: If the discovered certificate already exists in the inventory, its objects are moved with the same status.
    Use Access Control Rule: To apply the rule configured using Access Control, select this checkbox.
    Note: If this checkbox is enabled, the certificate group is associated automatically by the Access Control rule.
    *Certificate Group: From the dropdown list, select a certificate group with which the discovered certificates will be associated.

    Based on the group association, a policy is also applied to these certificates, which helps ascertain compliance or non-compliance.

    *: Mandatory fields
  6. Click Discover/Schedule to trigger the on-demand/scheduled discovery, respectively.
    Note:
    • For EJBCA

      Revoked certificates are not discovered. End-entity certificates are discovered based on the expiry days configured in the CA settings; expired certificates are always discovered. The expiry-days window is counted from 0 up to the configured value (for example, 0 to 1500 days). By default, all root and intermediate certificates that expire within 100 years are discovered along with the end-entity certificates. The discovered certificate count cannot be validated against the certificates present in the CA.

    • For HydrantID CA

      Starting v2024.0.2.0, the triggered discovery instance also fetches the expiry email addresses specified for the HydrantID CA certificates.

      For existing certificates that do not yet have this detail, triggering a new discovery instance fetches it, and the discovery details are updated automatically when the inventory status is moved to the Managed state.