Discover Certificates

Discover Certificates is designed to discover and monitor all your SSL/TLS certificates, regardless of the issuing Certificate Authority (CA). It features the unique emSign Bot, capable of operating within isolated networks and protected environments to scan and gather certificate details. Scans are conducted according to predefined settings, and the results are automatically displayed on the portal interface.

Enterprise users can view the discovered certificates along with the servers where they are deployed. The Hub interface allows users to track emSign Bot scans, providing details on the last completed scan and the next scheduled scan. Users can also initiate manual, ad-hoc scans directly from the interface. The emSign platform simplifies certificate management, whether the organization handles a few certificates or thousands.

Key Features

• Discovery Dashboard: Provides a comprehensive overview of certificates issued via emSign and those detected by emSign Bot scans.

• Certificate Results: Displays the total number of scanned certificates from various emSign bots.

• My emSign Bots: Lists all emSign bots associated with the account for easy monitoring and management.

• Download emSign Bot: Access and download available emSign bots directly from the platform.

Monitor Certificate Results

The Certificate Results feature allows users to view all certificates discovered by emSign Bots. To access this page, navigate to Certificates > Discover Certificates. Upon clicking Discover Certificates, the results page will display a list of certificates, showing their Common Name (CN) or Subject Alternative Names (SANs).

Certificates Discovered via Bot

All certificates identified through emSign Bots are displayed on this screen. Users can apply filters to refine the list using Common Name (CN) or SAN.

By clicking Advanced Search, users can filter the certificate results based on:

• Date Range

• Location (Server/Port)

• Issuer CA

• Certificate Type

• Expiration Date (e.g., certificates expiring within a specified period)

Certificate Details

Clicking on a CN/SAN value navigates to the Certificate Results View page, which provides the following information:

• Certificate Info & Validity

• Authority Information Access (AIA) details

• Issuer CA information

• Additional Information

Quick Actions

Account users can utilize certificate quick actions from this view, enabling fast and efficient management of discovered certificates.

Download Discovered Certificate

Navigate to Discover Certificates.

Click on the relevant Domain hyperlink to open the Certificate Results page.

Click the “Download Certificate" button.

A download dialog will appear, allowing you to proceed with the download as shown below.

The certificate will be downloaded successfully.

How to scan for vulnerabilities

• After the discovery scan is complete, for all the certificates listed, in the table under Actions column Scan Vulnerabilities icon is present

• Click on Scan Vulnerabilities icon, vulnerability result popup is displayed with the Certificate status.

• Based on the status of the certificate further actions can be decided.

Download Discovered Certificate

Go to Discover Certificates.

• Click on the relevant Domain hyperlink to open the Certificate Results page.

• Click the "Download Certificate" button.

• A download dialog will appear, allowing you to proceed with the download as shown below.

• The certificate will be downloaded successfully.

Configure Scan Targets

Setting up scan targets involves specifying the locations, systems, or assets that automated bots will scan to identify and assess digital certificates. This ensures that certificates across your infrastructure are valid, up-to-date, and correctly configured. The scan targets define which servers, applications, or networks will be monitored.

Scan targets can be configured through the following methods:

• SSL: Monitor SSL/TLS certificates for expiration, configuration, and compliance.

• HSM (Hardware Security Module): Scan and verify certificates stored within HSMs.

• LDAP (Lightweight Directory Access Protocol): Monitor certificates in LDAP-based directories for validity and usage.

• Certificate Store: Scan certificates stored within system or application certificate stores.

• Cloud Providers: Identify and monitor certificates deployed across cloud environments.

• File System: Monitor certificates stored in file directories for configuration and expiration.

• SSH: Scan SSH keys and certificates to ensure secure access configurations.

SSL/TLS

To scan certificates from the server, the account administrator must provide one of the following:

• FQDN (Fully Qualified Domain Name)

• IP Address or IP Address Range

• TCP Port

Users can define a port range for scanning when performing SSL/TLS certificate scans on web servers.

For ex: 1-899.

To add multiple scan targets, click the "(+)" button, as shown below.

Import Scan Targets from Existing emSign Bots

• To import scan targets from an existing emSign Bot, the administrator can click on the "Import Settings" option.

• Upon selecting "Import Settings", a modal will appear, as shown below.

• The administrator can choose a bot name from the available list and click the "Import" button to proceed.

Setup up Scan Schedule

Configure the scan schedule using the following options:

• On Demand: Selecting this option allows the administrator to run scans at any time, without time restrictions.

• Daily: If this option is selected, the administrator must specify the scan date, time, and time zone. Once configured, the system will automatically scan the certificates from the server daily at the scheduled time.

• Weekly: When this option is selected, the administrator provides the scan day, time, and time zone. The system will automatically perform the scan every week at the specified time.

• Monthly: For this option, the administrator sets the scan date, time, and time zone. The system will conduct the scan on the specified date and time each month.

• Stop if scan run time exceeds: Enabling this option ensures that the scan will automatically stop if it exceeds the specified time, particularly if the bot encounters issues while scanning certificates from the server.

• Advanced Settings: Administrators can enable this option to access additional settings, such as multi-thread configuration and detailed scan options for enhanced control.

HSM (Hardware Security Module)

To scan certificates via an HSM (Hardware Security Module):

• Upload or paste the HSM configuration.

• Enter the HSM password.

• Select the Certificates and Keys checkboxes as needed.

• Click Start Action to initiate the scan.

To add multiple scan targets, administrators can click the "(+)" button, as shown below.

The account administrator can set up a Scan schedule as per their preference.

LDAP (Lightweight Directory Access Protocol)

To scan certificates via LDAP (Lightweight Directory Access Protocol):

• Provide the LDAP URL and Container Name.

• Enter the Admin DN (Distinguished Name) and Password.

• Click Start Action to begin the scan.

To add multiple scan targets, administrators can click the "(+)" button, as shown below.

The account administrator can set up a Scan schedule as per their preference.

Certificate Store

When scanning certificates via the Certificate Store, the IP address of the system is automatically fetched, and all certificates installed on the system are scanned.

The account administrator can set up a Scan schedule as per their preference.

Cloud Providers (AWS)

Discovery through AWS/Cloud Providers include

Select the scan target as Cloud Providers

• Enter the Access Key

• Enter the Secret Key

• Select the Region

And click on Save button.

Run the bot and all the certificates are scanned and Displayed under Discovered From as Cloud Providers in Discover Certificates page.

The account administrator can set up a Scan schedule as per their preference.

File System

When scanning certificates via the File System, the system’s IP address is automatically fetched, and all available certificates are scanned.

JKS Discovery

Discovery of JKS include scanning the java key stores for SSL/TLS certificates and public key infrastructure (PKI) certificates used for secure communications, authentication, and encryption in Java applications.

By entering the file system path, the certificates are scanned and discovered for renewal and provisioning.

Note: Only certificates that are downloaded or extracted on the system will be detected during the scan.

The account administrator can set up a Scan schedule as per their preference.

SSH

To scan certificates via SSH:

• Provide the IP address, Username and Password.

• Click Start Action to initiate the scan.

To add multiple scan targets, administrators can click the "(+)" button, as shown below.

The account administrator can set up a Scan schedule as per their preference.

F5-BIG-IP

To scan certificates via F5-BIG-IP:

• Provide the IP address, Port number, Username and Password.

• Click Start Action to initiate the scan.

To add multiple scan targets, administrators can click the "(+)" button, as shown below.

The account administrator can set up a Scan schedule as per their preference.

Cloudflare

To scan certificates via Cloudflare using their API:

• Enter Cloudflare Email ID (Email associated with your Cloudflare account)

• Enter Cloudflare Authkey (API Key)

• Select Cloudflare Zone ID (Zone ID for the domain you’re working with)

To add multiple scan targets, administrators can click the "(+)" button.

The account administrator can set up a Scan schedule as per their preference.

Certificate Discovery

Discover Certificates serves as a comprehensive tool for identifying, managing, and securing digital certificates across your infrastructure. It enables users to initiate a discovery scan, and upon completion, review the list of discovered certificates. The scan results provide key details, including the issuer, expiration dates, and usage contexts.

How to view certificates 

To view the discovered certificate details, click on the CN/SAN hyperlink.

How to order certificates 

Option 1: Once the certificate is initiated or configured, selecting the Order checkbox, will successfully issue the certificate

Option 2: Rotate

Once the certificate is initiated or configured, click on Rotate button, the certificate will be rotated and issued successfully.

How to download certificates 

Option 1: Downloading the Certificate

After the certificate is issued, follow these steps to download it:

Click the Download icon under Actions tab.

• A download popup will appear, allowing you to select the desired format to download.

• Choose the format and click the Download button.

• The certificate will be downloaded successfully.

Option 2: Viewing and Downloading via CN/SAN Hyperlink

• Click on the CN/SAN hyperlink to open, View Discover Certificate page.

• In the Quick Actions section on the top-right corner, click Download Certificate

• On the top right corner of the page, under Quick Actions click on Download Certificate, the certificate will be downloaded successfully.

• Format to download popup is not displayed.

How to Rekey certificate

• Select the certificate with status Issued or Deployed, click on Rekey button.

• Enter the remarks and click Rekey.

How to Revoke/Suspend certificate

• Select the certificate, click on Revoke/Suspend button.

• Select the Revoke Mode, enter the remarks and click on Revoke/Suspend button.