# Setting Up Certificate Discovery
This guide covers configuring the two certificate discovery methods available on the Zaita platform: Certificate Transparency (CT) log scanning for publicly trusted certificates and Bridge-based network scanning for internal certificates. For background on how each method works, see Certificate Discovery — Introduction.
## Public Certificate Discovery (CT Log Scanning)
### How It Works
CT log scanning happens automatically. The Zaita platform continuously monitors Certificate Transparency logs for certificates issued against your registered domains. There is no additional infrastructure to deploy — CT logs are publicly accessible and the platform queries them directly.
### Registering Your Domains
Discovery only operates against domains registered in your Zaita account. To configure CT log scanning:
- Navigate to Admin → Domains in the web portal.
- Add each domain you want to monitor. Registering an apex domain (for example, example.com) causes the platform to discover certificates issued for the domain and all its subdomains.
- Once a domain is registered, CT log scanning begins automatically.
Newly issued certificates will appear in your certificate inventory with up to a 24-hour delay from the time of issuance. This reflects the time it takes for certificates to be submitted to and indexed by public CT logs.
## Internal Certificate Discovery (Bridge-Based)
### Prerequisites
Before configuring internal discovery, ensure the following:
- You are signed in with the Deployment Administrator or Super Administrator role.
- At least one Bridge is deployed, registered, and in an active state. See Setting Up a Bridge for deployment instructions.
Bridge-based discovery uses Discovery Jobs — named, schedulable scan configurations that instruct a Bridge to probe IP addresses on configured ports and report the TLS certificates it finds.
### Step 1 — Create a Discovery Job
- Navigate to CLM → Certificate Discovery in the web portal.
- Select Create Discovery Job.
- Fill in the job configuration:
Basic details:
| Field | Description |
|---|---|
| Name | A descriptive name for the job (for example, Production Network Scan). |
| Description | (Optional) Additional context about the job's scope or purpose. |
| Bridge | Select the Bridge that will execute this scan. The Bridge must be in the same tenant and must be active. |
| Status | Set to active to enable scheduled and on-demand execution. |
IP Ranges:
Add one or more IP ranges to scan. Three formats are accepted:
| Format | Example | Use For |
|---|---|---|
| CIDR | 10.0.0.0/8 | Entire subnets |
| Range | 192.168.1.1-192.168.1.254 | Specific address spans |
| Single IP | 172.16.0.5 | Individual hosts |
Multiple ranges can be added to a single job.
Ports:
Add the TCP ports to probe on each address. Any valid port (1–65535) is accepted. Common starting points:
| Port | Service |
|---|---|
| 443 | HTTPS |
| 8443 | HTTPS (alternative) |
| 8080 | HTTP alternative (TLS-enabled) |
| 636 | LDAPS |
| 993 | IMAPS |
| 995 | POP3S |
| 1433 | SQL Server |
| 3306 | MySQL |
| 5432 | PostgreSQL |
Duplicate port values are ignored.
Schedule:
Select a preset schedule or choose Custom to enter a 5-field cron expression (minute hour day month weekday). Leave blank (or select Manual only) to run the job on demand only.
| Preset label | Cron expression |
|---|---|
| Manual only | (leave blank) |
| Every hour | 0 * * * * |
| Every 6 hours | 0 */6 * * * |
| Daily at midnight | 0 0 * * * |
| Daily at 6:00 AM | 0 6 * * * |
| Weekly on Sunday | 0 0 * * 0 |
| Weekly on Monday | 0 0 * * 1 |
| Monthly on the 1st | 0 0 1 * * |
- Save the Discovery Job.
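As an added example that is not part of the Zaita documentation or platform, a small Python validator for the Step 1 fields: it turns the three accepted IP range formats into a unique address count (overlapping ranges are merged), enforces the 1–65535 port rule and drops duplicate ports, checks a 5-field cron expression (empty meaning manual only), and reports how many TCP probes one run would attempt. All function names are hypothetical.

```python
import ipaddress
import re

# Hypothetical validator for a Discovery Job's form fields; not Zaita code.

def parse_ip_range(spec: str) -> list:
    """Turn one IP range entry (CIDR, dash range, or single IP) into network objects."""
    spec = spec.strip()
    if "/" in spec:                                    # CIDR: 10.0.0.0/8
        return [ipaddress.ip_network(spec, strict=False)]
    if "-" in spec:                                    # Range: 192.168.1.1-192.168.1.254
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if hi < lo:
            raise ValueError(f"range end precedes start: {spec}")
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(spec)]                # Single IP: 172.16.0.5 -> /32

def address_count(specs) -> int:
    """Unique addresses across all ranges; overlapping entries are merged, not double counted."""
    nets = [n for s in specs for n in parse_ip_range(s)]
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))

def normalize_ports(ports) -> list:
    """Validate 1-65535 and drop duplicates (the form ignores repeated values)."""
    out = []
    for p in ports:
        p = int(p)
        if not 1 <= p <= 65535:
            raise ValueError(f"port out of range: {p}")
        if p not in out:
            out.append(p)
    return out

# One cron field: *, a number, optional -range, optional /step, comma-separated.
_CRON_FIELD = re.compile(r"^(\*|\d+)(-\d+)?(/\d+)?(,(\*|\d+)(-\d+)?(/\d+)?)*$")

def validate_schedule(expr: str):
    """Empty means manual only (None); otherwise require exactly five cron fields."""
    fields = expr.split()
    if not fields:
        return None
    if len(fields) != 5 or not all(_CRON_FIELD.match(f) for f in fields):
        raise ValueError(f"not a 5-field cron expression: {expr!r}")
    return fields

def probe_count(specs, ports) -> int:
    """Number of TCP connections one run will attempt (unique addresses x unique ports)."""
    return address_count(specs) * len(normalize_ports(ports))
```

The probe count is worth checking before saving a job: a /8 against nine ports is over 150 million connection attempts per run, which is usually a sign the range should be split or the schedule relaxed.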
### Step 2 — Run the Scan
#### Scheduled Execution
Once a Discovery Job has a schedule set, the assigned Bridge picks it up automatically on the next heartbeat after the scheduled time and executes the scan.
#### On-Demand Execution
To trigger a scan immediately without waiting for the next scheduled run:
- Open the Discovery Job detail page.
- Select Run Now.
The control plane sets a run_now flag on the job. The assigned Bridge picks up this flag on its next heartbeat check-in and begins the scan. A job that is already queued cannot be triggered again until the current run completes.
Note: Only `active` jobs can be triggered. Jobs with an `inactive`, `running`, or `abandoned` status cannot be triggered until re-activated.
### Step 3 — Review Results
After a scan completes, the Discovery Job detail page shows:
- Last run time — when the most recent scan finished.
- Discovered certificates count — the total number of unique certificates found by this job.
- Next run time — when the next scheduled scan will execute (if a schedule is set).
Discovered certificates are added to your certificate inventory and are visible under CLM → Certificates. Each certificate is marked with source: discovered. See Managing Discovered Certificates for guidance on reviewing and acting on results.
### Updating a Discovery Job
Discovery Jobs can be updated at any time:
- Open the Discovery Job detail page.
- Edit any field — including the assigned Bridge, IP ranges, ports, or schedule.
- Save the changes.
The assigned Bridge can be changed without recreating the job, preserving the job's history and certificate count.
### Deleting a Discovery Job
- Open the Discovery Job detail page.
- Select Delete and confirm.
Deleting a job does not remove the certificates that were discovered by it — those remain in the certificate inventory.
## Next Steps
- Managing Discovered Certificates — review inventory results, investigate flagged certificates, and track multi-host deployments.
- Best Practices for Certificate Discovery — guidance on job design, scan coverage, and acting on discovery results.
- Bridges — Best Practices — network topology guidance for Bridge deployments.