Certificate Discovery

Learn about the different certificate discovery scan types and capabilities.

TigerTrust agents automatically discover certificates across your infrastructure using multiple scan types.

Discovery Scan Types

Scan Type    Description                                      Use Case
filesystem   Scans local directories for certificate files    Servers with local SSL/TLS certificates
kubernetes   Scans Kubernetes TLS secrets                     Cloud-native K8s workloads
cloud        Scans cloud provider certificate stores          AWS ACM, Azure Key Vault, GCP
network      TLS handshake scan of network endpoints          Load balancers, external services
windows      Windows certificate store enumeration            Windows servers and services
iis          IIS website binding extraction                   Windows web servers

Filesystem Discovery

Scans configured directories for certificate files.

Supported Formats:
  • PEM (.pem, .crt, .cer)
  • DER (.der, .cer)
  • PKCS#12 (.p12, .pfx)
  • PKCS#7 (.p7b, .p7c)
  • Java Keystore (.jks)

Configuration:

discovery:
  local:
    enabled: true
    scan_paths:
      - /etc/ssl/certs
      - /etc/nginx/ssl
      - /opt/app/certs
    include_patterns:
      - "*.pem"
      - "*.crt"
    exclude_patterns:
      - "*.bak"
    max_file_size: 10485760

Discovery Results Include:
  • Certificate details (CN, SANs, issuer, validity)
  • Private key location and format
  • Certificate chain information
  • CA type detection (ACME, public CA, private CA, self-signed)

Kubernetes Discovery

Scans Kubernetes clusters for TLS secrets and cert-manager certificates.

What's Discovered:
  • TLS-type Secrets in configured namespaces
  • cert-manager Certificate resources
  • Ingress TLS configurations
  • Service mesh certificates (Istio, Linkerd)

Configuration:

kubernetes:
  enabled: true
  kubeconfig: ""  # Empty for in-cluster config
  namespaces:
    - default
    - production
    - istio-system
  scan_certmanager: true
  scan_ingress: true

Authentication:
  • In-cluster: Uses ServiceAccount token
  • External: Uses kubeconfig file

Cloud Provider Discovery

Discovers certificates from cloud certificate management services.

AWS Discovery

cloud:
  aws:
    enabled: true
    regions:
      - us-east-1
      - us-west-2
    assume_role_arn: "arn:aws:iam::123456789012:role/TigerTrust"
    scan_acm: true
    scan_secrets_manager: true

AWS Services Scanned:
  • AWS Certificate Manager (ACM)
  • Secrets Manager (TLS secrets)
  • Systems Manager Parameter Store
  • Lambda functions (environment certs)
  • ECS/EKS services

Azure Discovery

cloud:
  azure:
    enabled: true
    subscription_id: "sub-id"
    tenant_id: "tenant-id"
    key_vaults:
      - "vault-prod"
      - "vault-staging"

Azure Services Scanned:
  • Azure Key Vault certificates
  • App Service certificates
  • IoT Hub device certificates

GCP Discovery

cloud:
  gcp:
    enabled: true
    project_id: "my-project"
    regions:
      - us-central1

GCP Services Scanned:
  • Secret Manager
  • Certificate Manager
  • Load balancer certificates

Network Discovery

Performs TLS handshake scans to discover certificates on network endpoints.

discovery:
  network:
    enabled: true
    cidr_ranges:
      - "10.0.0.0/24"
      - "192.168.1.0/24"
    ports:
      - 443
      - 8443
      - 636   # LDAPS
      - 993   # IMAPS
      - 995   # POP3S
    scan_timeout: 2000
    max_concurrency: 50

Network Scan Results:
  • Server certificate and chain
  • TLS version and cipher suite
  • Certificate validation status
  • Hostname match verification

Windows Discovery

Discovers certificates from Windows certificate stores.

Stores Scanned:
  • Local Machine\Personal
  • Local Machine\Web Hosting
  • Current User\Personal

Services Scanned:
  • IIS website bindings
  • RDP certificates
  • SQL Server certificates
  • Exchange Server certificates

Discovery Data Captured

For each discovered certificate:

{
  "commonName": "example.com",
  "issuer": "CN=Let's Encrypt Authority X3",
  "serialNumber": "03:ab:cd:ef...",
  "fingerprint": "SHA256:abc123...",
  "subjectAlternativeNames": ["example.com", "www.example.com"],
  "validFrom": "2024-01-01T00:00:00Z",
  "validTo": "2024-04-01T00:00:00Z",
  "keyType": "RSA",
  "keySize": 2048,
  "issuerCaType": "acme",
  "issuerCaName": "Let's Encrypt",
  "chainLength": 3,
  "isCA": false,
  "isSelfSigned": false,
  "source": "filesystem",
  "location": "/etc/nginx/ssl/server.crt",
  "privateKeyLocation": "/etc/nginx/ssl/server.key",
  "privateKeyType": "file",
  "hasPrivateKey": true
}

Automatic vs On-Demand Discovery

Automatic Discovery:
  • Runs on agent startup
  • Submits results immediately to TigerTrust

On-Demand Discovery:
  • Triggered via dashboard or API
  • Supports specific scan types
  • Returns results to requesting scan job

Discovery Best Practices

  1. Start with filesystem scans - Most common certificate locations
  2. Add network scans gradually - Can be resource-intensive
  3. Use namespace filters for K8s - Avoid scanning system namespaces
  4. Configure exclude patterns - Skip backup and temporary files
  5. Monitor agent metrics - Track discovery performance