Onboarding Journey

As part of the onboarding process, you can run both Public CA Scans and Private CA Scans. These certificate discovery scans identify and analyze the digital certificates in your organization. Running them regularly keeps the certificate inventory current, so that every certificate, public or private, is tracked through renewal, replacement and revocation. The scans also surface expired, misconfigured or vulnerable certificates before they cause an outage or a security incident.

The scans also classify certificates as high-risk, critical-risk or non-standard and provide the details needed to remediate them, which improves the organization's overall crypto score and strengthens its security posture.

Freemium or New Customers to Initiate the Onboarding Process

  • Click the What's Next button in the welcome banner on the Insights > Summary page. For more details, refer to the Insights Summary section.
    Note:
    • The Certificate Transparency (CT) Log Scan is a background process in the CERT+ application that continuously fetches certificate data from public CT logs and shows the results on the Insights Summary page, giving you visibility into the publicly issued certificates for your domains.
    • If the CT Log Scan cannot complete, for example because of a network outage, the application detects the failure and opens the Let's Get Onboarded pop-up window to guide you through the alternative steps.
  • (or) The Let's Get Onboarded pop-up window appears in the Insights > Summary tab.
    Note: Once the certificate discovery process is complete, the welcome banner disappears.
  • Click the Discover Certificates button in the pop-up window.
    The Cert+ onboarding > Certificate Discovery Scans page is displayed.
    Note: Initially, only the two most common scans, Public CA Scan and Private CA Scan, are enabled. Additional scans become available after you run one of them.

Existing Customers to Initiate the Onboarding Process

  • Click the Quick Discovery button on the Insights > Summary page. For more details, refer to the Insights Summary section.
    Note: The Certificate Transparency (CT) Log Scan is a background process in the CERT+ application that continuously fetches certificate data from public CT logs and shows the results on the Insights Summary page, giving you visibility into the publicly issued certificates for your domains.

    The Cert+ onboarding > Certificate Discovery Scans page is displayed.

    Note: Initially, only the two most common scans, Public CA Scan and Private CA Scan, are enabled. Additional scans become available after you run one of them.

Public CA Scan

A public CA is a third-party organization that issues certificates, usually for a fee, after performing the required checks on the requester; for TLS certificates this means at least domain validation. A public CA signs the certificates it issues with its own private key, and relying parties verify that signature with the corresponding public key, which is distributed in the CA's root and intermediate certificates and pre-installed in browser and operating system trust stores.

As part of the onboarding process, you can run Public CA Scans against certificates issued by public Certificate Authorities (CAs) such as DigiCert and Entrust. Each scan uses the CA's API to retrieve the certificates issued to your organization, giving you a complete inventory with expiry dates so that renewals can be planned and high-risk, critical-risk and non-standard certificates can be flagged for remediation.

DigiCert CA Scan

Prerequisites
  • Make sure that you have a DigiCert API key. The key grants access to your DigiCert account, so treat it as a credential: create it specifically for this integration, give it only the permissions discovery needs, store it securely, and rotate it if it is ever exposed.
  • To obtain the DigiCert API key, follow the instructions on the Prerequisites Public Scan page.
    1. In the Public Scan section, click Run.

      The Prerequisites Public Scan page is displayed.

    2. Click DigiCert in the Vendors left menu.
      Note: Complete the instructions provided on the Prerequisites Public Scan page.
    3. Click Close to return to the Cert+ onboarding page.

For the DigiCert CA discovery scan, follow these steps.

  1. In the Discovery Details section,
    1. Enter the Discovery Instance Name in the field.
      Note: The instance name can be any friendly name for this scan configuration.
    2. Click the radio button for the required discovery scope.
      The available Discovery configuration options are,
      • Certificates expiring within 90 days: Only certificates whose expiry date falls within the next 90 days are retrieved. Because far fewer certificates are fetched, the scan completes quickly and you start with the certificates that need renewal first.
      • Discover all certificates: Every certificate issued by the CA to your organization is retrieved. The scan takes longer, in proportion to the number of certificates, but produces the complete inventory.
      Note: By default, the Certificates expiring within 90 days radio button is selected.
  2. In the CA Details section,
    1. Select the Certificate Authority as DigiCert from the dropdown list.
    2. In the DigiCert API Key field, enter the API key.
  3. Click the Test Connection button and confirm that the connection succeeds before continuing.
  4. Click the Discover Now button.

Entrust CA Scan

Prerequisites
  • Client Authentication Certificate in <.pfx> or <.p12> format (the file contains the private key, so store and transfer it as a secret)
  • API username (username)
  • API key (password) with CLM action access
  • To obtain the Entrust prerequisites, follow the instructions on the Prerequisites Public Scan page.
    1. In the Public Scan section, click Run.

      The Prerequisites Public Scan page is displayed.

    2. Click Entrust in the Vendors left menu.
      Note: Complete the instructions provided on the Prerequisites Public Scan page.
    3. Click Close to return to the Cert+ onboarding page.

For the Entrust CA discovery scan, follow these steps.

  1. In the Discovery Details section,
    1. Enter the Discovery Instance Name in the field.
      Note: The instance name can be any friendly name for this scan configuration.
    2. Click the radio button for the required discovery scope.
      The available Discovery configuration options are,
      • Certificates expiring within 90 days: Only certificates whose expiry date falls within the next 90 days are retrieved, so the scan completes quickly and you start with the certificates that need renewal first.
      • Discover all certificates: Every certificate issued by the CA to your organization is retrieved. The scan takes longer, in proportion to the number of certificates, but produces the complete inventory.
        Note: By default, the Certificates expiring within 90 days radio button is selected.
  2. In the CA Details section,
    1. Select the Certificate Authority as Entrust from the dropdown list.
    2. Click the Browse button to upload the client authentication certificate. Allowed formats are <.pfx> or <.p12>.
    3. Enter the API username used to communicate with the CA in its field.
    4. Enter the API password used to communicate with the CA in its field.
  3. Click the Test Connection button and confirm that the connection succeeds.
  4. Click the Discover Now button.
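The two discovery scopes above, "Certificates expiring within 90 days" and "Discover all certificates", come up in both the DigiCert and the Entrust procedures. The script below is an added example and is not part of the CERT+ product: it reproduces the same two scopes over a local directory of PEM certificates with openssl, so you can see exactly what the narrower scope filters on and cross-check a CA scan's results against certificates you hold on disk. The directory layout (one `.pem` file per certificate) and the scope names `90days` and `all` are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example, not part of the CERT+ product: reproduce the discovery
# scopes "Certificates expiring within 90 days" and "Discover all
# certificates" over a directory of PEM certificates using openssl.
set -euo pipefail

# cert_not_after FILE: print the notAfter date of a PEM certificate.
cert_not_after() {
  openssl x509 -in "$1" -noout -enddate | cut -d= -f2
}

# expires_within FILE DAYS: succeed if the certificate is already expired
# or will expire within DAYS days. `-checkend N` exits non-zero exactly
# when the certificate is no longer valid N seconds from now.
expires_within() {
  local seconds=$(( $2 * 86400 ))
  ! openssl x509 -in "$1" -noout -checkend "$seconds" >/dev/null
}

# discover DIR SCOPE: print "<file><TAB><notAfter>" for each certificate in
# DIR that the scope includes. SCOPE is "90days" (the product default, which
# only reports certificates needing renewal soon) or "all" (the full
# inventory, which is slower in proportion to the number of certificates).
discover() {
  local dir="$1" scope="$2" f
  for f in "$dir"/*.pem; do
    [ -e "$f" ] || continue
    if [ "$scope" = all ] || expires_within "$f" 90; then
      printf '%s\t%s\n' "$f" "$(cert_not_after "$f")"
    fi
  done
}

# count_reported DIR SCOPE: number of certificates the scope would report.
count_reported() {
  discover "$1" "$2" | wc -l | tr -d ' '
}

# Example run against a directory of exported certificates (path assumed):
# discover /etc/ssl/exported 90days
```

The 90-day scope is a filter on `notAfter`, nothing more; a certificate that is weak or misconfigured but valid for another year is only reported by the `all` scope, which is why the full scan should be run at least once even though it takes longer.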

Private CA Scan

When an organization runs its own CA instead of using an external one, it is referred to as a private CA. Certificates are signed with the private key belonging to the organization's root CA certificate (or to an intermediate CA certificate chained to it), and that root is trusted only by systems the organization configures to trust it. Private CAs are typically used to issue certificates for an organization's internal network, where the certificates do not need to be publicly trusted and only a select group of users and systems are involved.

As part of the onboarding process, you can run Private CA Scans against certificates issued by private Certificate Authorities (CAs) such as Microsoft CA (Active Directory Certificate Services). These scans enumerate the certificates issued by the CA, giving you a complete inventory with expiry dates so that renewals can be planned and high-risk, critical-risk and non-standard certificates can be flagged for remediation.

Microsoft CA Scan

Prerequisites
  • Cloud Connector: Install on a Linux system with at least 4 CPUs and 8 GB of memory.
  • Command Execution Host: A Windows system that can reach the Microsoft CA; the cloud connector connects to this host and runs the scan commands on it.
  • Username/Password: Credentials for logging in to the command execution host. Use a dedicated account with only the rights required to query the CA rather than a domain administrator account.
  • CA Machine Host Name: Populated automatically from the selected CA.
Note: Use the IP address if the hostname cannot be resolved from the cloud connector.

For the Microsoft CA discovery scan, follow these steps.

  1. In the Discovery Details section,
    1. Enter the Discovery Instance Name in the field.
      Note: The instance name can be any friendly name to the scan configuration.
  2. In the Connectivity section, click the Cloud Connector dropdown menu.
  3. Click the +Add New button.

    The Cloud Connector Setup page is displayed. For more details, refer to the Cloud Connector User Guide.

    The cloud connector (CC) can be connected with the private CA in two ways.

    • Automated
    • Manual.
    Note: By default, the Automated tab is selected.
    For the automated CC connection with the private CA, follow these steps.
    1. Run the command below on the server that will host the cloud connector, or download the installer script and execute it.
      curl -k 'https://ftp-3-cc.appvx.com:443/download-installer-script'|bash
      Note: The -k option makes curl skip TLS certificate verification, and piping to bash executes the download without any inspection. If your security policy does not permit that, fetch the script to a file without -k, review it, and then run it with bash.
    2. When prompted, enter the master key, which is used for authentication and integrity verification during installation. The master key authenticates the connector to your CERT+ tenant, so treat it as a secret.
      22f77628-51c6-4209-b59f-3c91f859ea63
    3. Once the cloud connector is successfully installed, approve it in the Cloud Connector Inventory.
    4. Click Cloud Connector Inventory.

      The Setting Cloud Connector page is displayed.

    5. Click Close.
    (or) For the Manual CC connection with private CA, follow these steps.
    1. Click Get Started.

      The Basic Information page is displayed. For more details, refer to the Cloud Connector User Guide.

      1. Select the desired Installation Type radio button.
        • Native OS
        • Virtual Image.
      2. Enter the Cloud Connector Name (FQDN) in the field.
    2. Click Next.

      The Assign Data Center page is displayed.

      1. Click Add Data Center.

        The Add Data Center page is displayed.

      2. Enter the name of the data center in the field.
    3. Click Next.

      The Advanced Configuration page is displayed.

      1. Select the TLS Authentication radio button as required.
      Table 1. Advanced Configuration fields
      Field                       Description
      *TLS Authentication         Auto Generate (default) or Custom Certificate.
      *TLS Certificate Password   Password protecting the TLS certificate you upload.
      *TLS Certificate            Upload the TLS certificate in <.p12> format. The password and certificate fields apply when Custom Certificate is selected.
      *: Mandatory fields
    4. Select the Use Proxy check box if required.
    5. Select the proxy from the dropdown list.
      1. If not listed in the dropdown menu, click Click here link.

        The Add Proxy page is displayed.

      2. Enter or select the Proxy Name, Server IP, Port, URL, Authentication, Username, and Password on the Add Proxy page.
      3. Click Save.
  4. Click Finish.
  5. Click the Test Connection button, to validate the connection.
  6. Click the Discover Now button.
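The automated cloud connector setup above is driven by `curl -k ... | bash`, which disables certificate verification and executes whatever comes back. The script below is an added example, not part of the CERT+ product or its installer: it fetches the same installer URL with TLS verification enforced, checks that a shell script rather than an error page was returned, compares a SHA-256 digest obtained out of band, and only then runs the file. The assumption that the vendor publishes such a digest is flagged in the code; where none is available, the inspection step is a manual review of the downloaded file.

```shell
#!/usr/bin/env bash
# Added example, not part of the CERT+ product or its installer: a safer
# equivalent of `curl -k URL | bash` for fetching the cloud connector
# installer. Download with full TLS verification, sanity-check the content,
# verify a digest obtained out of band, and only then execute.
set -euo pipefail

# The URL is the one given in the onboarding steps. The digest is a
# placeholder: the vendor publishing one is an assumption, so if none is
# available, review the downloaded file by hand before running it.
INSTALLER_URL='https://ftp-3-cc.appvx.com:443/download-installer-script'
EXPECTED_SHA256='<replace with the digest published by the vendor>'

# sha256_of FILE: print the hex SHA-256 of FILE (coreutils or macOS tools).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_digest FILE EXPECTED: succeed only if the digests match exactly.
verify_digest() {
  [ "$(sha256_of "$1")" = "$2" ]
}

# looks_like_script FILE: succeed if the file starts with a shebang, which
# catches the common failure of saving an HTML error or login page instead.
looks_like_script() {
  [ "$(head -c 2 "$1")" = '#!' ]
}

# fetch_installer URL DEST: download with certificate verification enforced.
#   --fail          treat HTTP 4xx/5xx as an error instead of saving the body
#   --proto =https  allow only HTTPS for the transfer
#   --tlsv1.2       do not negotiate anything older than TLS 1.2
#   (no -k)         a certificate error aborts the download
fetch_installer() {
  curl --fail --silent --show-error --proto '=https' --tlsv1.2 \
       --output "$2" "$1"
}

# install_connector URL EXPECTED: fetch, verify, then execute the installer.
install_connector() {
  local tmp
  tmp="$(mktemp)"
  fetch_installer "$1" "$tmp"
  if ! looks_like_script "$tmp"; then
    echo "download is not a shell script; refusing to run" >&2
    rm -f "$tmp"; return 1
  fi
  if ! verify_digest "$tmp" "$2"; then
    echo "SHA-256 mismatch; refusing to run" >&2
    rm -f "$tmp"; return 1
  fi
  bash "$tmp"          # the installer prompts for the master key here
  rm -f "$tmp"
}

# Usage (uncomment once EXPECTED_SHA256 holds the real digest):
# install_connector "$INSTALLER_URL" "$EXPECTED_SHA256"
```

Saving to a file before executing also means the script that actually ran is still on disk for the change record, and a digest mismatch or TLS failure stops the installation instead of silently running something other than what the vendor published.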