Tenable Certificate Discovery Workflow

With v2025.0.0.0, AppViewX packages the Tenable Certificate Discovery Workflows into its Out-Of-the-Box (OOB) workflows so customers can import discovered certificates and avoid the additional overhead of a complete network discovery scan.
Based on the deployment type, the following Tenable workflows are now packaged as OOB workflows in AppViewX:
  • Tenable IO Certificate Discovery (for the SaaS deployment)
  • Tenable Certificate Discovery (for the on-prem deployment)
Although the APIs used differ between the deployments, the general functionality of the workflows remains the same.

Prerequisites

Ensure that Tenable is integrated with AppViewX with the following configuration settings:
  1. Go to (Menu) > Automation > Workflow > Integration.
    The Workflow > Integration page is displayed.
  2. Use the Search field to search for Tenable and click the Tenable card in the search results displayed.
    The Workflow > Integration > Vendor Configuration page is displayed.
  3. On the Workflow > Integration > Vendor Configuration page, enter/select the required configuration details.
  4. Under the Credentials section, ensure that you:
    1. From the Auth Type dropdown list, select Basic Auth.
    2. From the Credential Type dropdown list, select Manual Entry.
    3. In the Username field, enter your Tenable access key.
    4. In the Password field, enter your Tenable secret key.
    To refer to the Tenable documentation on how to retrieve the prerequisite values required, click here.

Initiating and Running the Workflow

  1. Go to (Menu) > Automation > View/Run.
    The Request :: View/Run page is displayed. This page is the complete Catalog of the custom and OOB workflows packaged in AppViewX.
  2. In the Search by Workflow, Category, Tags… field, enter the complete workflow name or a keyword to search for the workflow.
  3. From the search results displayed, click the corresponding search result card.
  4. For the required workflow, click Run.
    Note: The Tenable Certificate Discovery workflow is meant for on-prem deployments, while the Tenable IO Certificate Discovery is for SaaS deployments. Select a workflow based on your deployment.
  5. Enter/Select the User Inputs.
    Table 1. Discovery run type options
    | Field | Description |
    |---|---|
    | *Info | Enter descriptive details related to the workflow execution, such as prerequisites, expected inputs and outcomes, and general hints related to the workflow. |
    | *Certificate Group | From the dropdown list, select the certificate group that the discovered certificates will be assigned to. |
    | *Tenable Instance Name | Enter the Tenable integration instance name that was specified at the time of integrating Tenable with AppViewX. |
    | *Plugin ID | Enter the SSL certificate plugin ID, which is responsible for certificate discovery and storage in Tenable. |
    | *Certificate Status | For the discovered certificates, select one of the following options. Managed: The discovered certificates and their objects will be moved to the inventory with the status set to Managed. Managed certificates are a fully-managed asset; AppViewX manages the entire lifecycle of the discovered certificates. Monitored: The discovered certificates and their objects will be moved to the inventory with the status set to Monitored. Monitored certificates are only tracked and observed; AppViewX does not actively manage them. |
    | *Include Expired Certificates | To include expired certificates in the discovery results, select Yes. |
    *: Mandatory fields
  6. Click Submit.
  7. In the Confirmation dialog box, click Ok.
    The workflow trigger request is submitted and AppViewX initiates API calls to Tenable to retrieve the discovered certificates from the Tenable database.

    In the left pane, the operations performed by AppViewX as part of the discovery data retrieval process (such as initializing components for communication with Tenable, gathering credentials, and so on) are listed as they are performed.

    To uniquely identify certificates discovered from the Tenable source, for each imported certificate, the workflow updates the following metadata:
    Table 2. Discovery run type options
    | Attribute Name | Attribute Key | Description |
    |---|---|---|
    | Tenable IP Address | tenable_ip_address | IP address where the certificate was discovered |
    | Port | tenable_port | Port associated with the certificate |
    | First Seen | tenable_first_seen | Date and time when the certificate was first discovered by Tenable |
    | Last Seen | tenable_last_seen | Date and time when the certificate was last rediscovered by Tenable |
    | DNS | tenable_dns | DNS name associated with the certificate |
    | OS | tenable_os | Operating system installed on the server on which the certificate was discovered |
    | Tenable Source | tenable_source | Unique identifier to indicate that the certificate was imported from a Tenable source |
    For instructions on configuring certificate attributes, see Configuring Certificate Attributes.

    Once AppViewX has all the information required to proceed, it initiates an API call to export the list of vulnerabilities.

    The discovered certificates are added to the AppViewX CERT+ certificate inventory, along with the metadata described above.

    If a certificate is discovered at more than one IP address, the metadata certificate attribute values for each source are separated by a pipe (|).

    Note: For certificates listed in the Tenable scan results that have already been discovered by AppViewX, the Tenable attributes listed above are updated except the discovery source, which will retain its original value.
  8. To view the certificate inventory, go to (Menu) > CERT+ > CERTIFICATE INVENTORY > Server.
    The Server Certificate inventory is displayed.
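
The pipe-separated metadata described in step 7 has to be split back into one record per discovery location before it can be used for reconciliation. The sketch below is an added example, not AppViewX or Tenable code. It assumes the attributes have been exported as a dictionary of attribute key to string, and that the values of the different attributes are listed in the same order for each source; the sample names and addresses are constructed.

```python
# Added example. Attribute keys are the ones in Table 2; the input shape
# (a dict of key -> string) and positional alignment are assumptions.
TENABLE_KEYS = (
    "tenable_ip_address", "tenable_port", "tenable_first_seen",
    "tenable_last_seen", "tenable_dns", "tenable_os",
)


def split_sources(attrs, sep="|"):
    """Return one dict per discovery location for a single certificate."""
    columns = {
        key: [part.strip() for part in attrs[key].split(sep)]
        for key in TENABLE_KEYS
        if attrs.get(key) is not None
    }
    if not columns:
        return []
    counts = {len(values) for values in columns.values()}
    if len(counts) != 1:
        # Alignment cannot be recovered; fail instead of pairing the wrong
        # IP address with the wrong port.
        detail = {key: len(values) for key, values in columns.items()}
        raise ValueError(f"attribute value counts differ: {detail}")
    return [
        {key: values[i] for key, values in columns.items()}
        for i in range(counts.pop())
    ]


def index_by_endpoint(inventory):
    """Map (ip, port) -> sorted certificate names seen at that endpoint."""
    index = {}
    for cert_name, attrs in inventory.items():
        for src in split_sources(attrs):
            endpoint = (src.get("tenable_ip_address"), src.get("tenable_port"))
            index.setdefault(endpoint, set()).add(cert_name)
    return {ep: sorted(names) for ep, names in index.items()}


# Constructed sample data (documentation-range addresses, made-up names).
SAMPLE_INVENTORY = {
    "www.example.test": {
        "tenable_ip_address": "192.0.2.10|198.51.100.7",
        "tenable_port": "443|8443",
        "tenable_dns": "web1.example.test|web2.example.test",
    },
    "api.example.test": {
        "tenable_ip_address": "192.0.2.10",
        "tenable_port": "443",
        "tenable_dns": "web1.example.test",
    },
}
```

Calling `index_by_endpoint(SAMPLE_INVENTORY)` shows which certificates were seen at each IP address and port, which helps spot endpoints that serve more than one certificate.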

Scheduling a Workflow

  1. Go to (Menu) > Automation > View/Run.
    The Request :: View/Run page is displayed. This page is the complete Catalog of the custom and OOB workflows packaged in AppViewX.
  2. In the Search by Workflow, Category, Tags… field, enter the complete workflow name or a keyword to search for the workflow.
  3. From the search results displayed, click the corresponding search result card.
  4. For the required workflow, click Schedule.
  5. In the Information section, enter a name for the workflow schedule and an optional description, if required.
  6. Click Save & Continue.
  7. Review the user inputs and modify them, if and as required.
  8. Click Save & Continue.
  9. In the Schedule section:
    1. To schedule the workflow for just one execution, under the Once tab, use the (Calendar) widget in the Starts on field to set a date and time for the workflow execution.
    2. After setting the required date and time for the workflow execution, click Done in the Calendar widget.
    OR
    1. To repeatedly trigger the workflow, under the Repeat tab, use the (Calendar) widget in the Starts on field to set a date and time for the workflow execution.
    2. In the Occurrence type field, select how frequently the scheduled task should repeat from the following options:
      • Minutes
      • Hours
      • Days
      • Week
      • Month
      • Year
    3. In the Ends field, select when the scheduled workflow execution should end from the following options:
      • Never: Workflow execution should never end.
      • After: Workflow execution should end after the number of occurrences specified in the Occurrences field.
      • On: Workflow execution should end on the date and time specified using the calendar widget.
  10. Click Schedule.
    The workflow is now automatically executed according to the specified schedule and the discovery results are updated in the CERT+ certificate inventory.