Discover your public certificates

This guide is intended to introduce you to the process of creating and configuring simple network discovery tasks to locate and manage your public certificates. This guide focuses on basic certificate discovery options and does not cover more advanced configurations.

Before proceeding, please ensure you have satisfied the following prerequisites:

  • You have an active SCM Enterprise account.

  • You have at least one organization created.

  • You have public certificates that can be discovered.

The options available in the following sections may vary depending on your role and the configuration of your SCM Enterprise account.

Step one: Add a certificate bucket

Certificate buckets are used to group and sort certificates found during discovery scans. Once discovered, certificates are automatically added to the certificate bucket associated with the discovery task that found them.

To add a certificate bucket, do the following:

  1. Navigate to Discovery > Certificate Buckets.

  2. Click the Add icon.

  3. Enter a name for the certificate bucket.

  4. Click Next.

  5. (Optional) Add assignment rules to the certificate bucket to automatically assign discovered certificates to organizations and departments.

    1. On the Rules tab, click the Add Rule icon, and select an existing assignment rule to apply.

      You can create a new assignment rule by clicking the Add Rule icon and selecting New Assignment Rule. For more information about creating assignment rules, see Adding assignment rules.

    2. Repeat as required to add additional assignment rules.

    3. Drag and drop the rules to change the order in which they are applied.

      Assignment rules are applied sequentially and are not cumulative. A certificate is delegated based on the first matching rule it encounters in the list. This means it is best to place the most specific rules at the top of the list.

  6. (Optional) On the Authentication Credentials tab, select Enable Discovery Import API access to bucket to allow certificates to be imported directly into the bucket using the Discovery Import API.

  7. Click Save.

  8. Repeat as required to add additional certificate buckets.
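
The first-match ordering described in step 5, as an added example (not Sectigo code). The page does not describe rule conditions, so a glob on the certificate common name stands in for them; the rule names, owners and common names are constructed.

```python
from fnmatch import fnmatchcase

# Hypothetical rule model: (rule name, common-name glob, owner to assign).
BROAD_FIRST = [
    ("all-example", "*.example.com", "Corporate IT"),
    ("payments", "*.pay.example.com", "Payments"),
    ("catch-all", "*", "Unassigned Review"),
]
# Same rules with the most specific one moved to the top of the list.
SPECIFIC_FIRST = [BROAD_FIRST[1], BROAD_FIRST[0], BROAD_FIRST[2]]

# Constructed common names standing in for a bucket's discovered certificates.
DISCOVERED = ["www.example.com", "api.pay.example.com",
              "gw.pay.example.com", "mail.example.org"]


def assign(cn, rules):
    """Return (rule name, owner) for the first matching rule, or None."""
    for name, pattern, owner in rules:
        if fnmatchcase(cn.lower(), pattern):
            return name, owner
    return None


def shadowed_rules(cns, rules):
    """Rules that match at least one certificate but never win first-match."""
    results = [assign(cn, rules) for cn in cns]
    winners = {r[0] for r in results if r}
    return [name for name, pattern, _ in rules
            if name not in winners
            and any(fnmatchcase(cn.lower(), pattern) for cn in cns)]


if __name__ == "__main__":
    for label, rules in (("broad first", BROAD_FIRST),
                         ("specific first", SPECIFIC_FIRST)):
        print(label)
        for cn in DISCOVERED:
            print("  ", cn, "->", assign(cn, rules))
        print("   shadowed:", shadowed_rules(DISCOVERED, rules))
```

With the broad rule on top, the payments rule matches two certificates but is never applied; moving it first removes the shadowing.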

Step two: Delegate a certificate bucket

Once created, certificate buckets can be delegated to organizations and departments. Delegating a certificate bucket allows the associated organizations and departments to view and manage the certificates found during discovery scans.

To delegate a certificate bucket, do the following:

  1. Navigate to Discovery > Certificate Buckets.

  2. Select the certificate bucket you want to delegate, and click Delegate.

  3. Specify the Delegation Mode based on the information in the following table.

    Field      | Description
    General    | When selected, the certificate bucket is available for all organizations and departments.
    Customized | When selected, the certificate bucket is available for only the selected organizations and departments.

  4. Click Save.

  5. Repeat as required to delegate additional certificate buckets.

Step three: Create a network discovery task

Network discovery tasks are used to scan and monitor networks for SSL certificates. Scans can discover public and private SSL certificates regardless of the issuing Certificate Authority (CA). They can be configured to run on a set schedule for periodic scanning.

Discovery tasks can be configured to scan the following:

  • Public networks — A Cloud agent is utilized to scan targeted public networks. This method does not require the installation of a network agent.

  • Private networks — A network agent is installed and used to scan your targeted private networks.

Scanning private networks using a Sectigo network agent is not within the scope of this guide. The following instructions assume that you will select the Cloud agent option for public certificate discovery.

To create a cloud agent network discovery task, do the following:

  1. Navigate to Discovery > Network Discovery Tasks.

  2. Click the Add icon.

  3. Complete the General tab details based on the information provided in the following table.

    Field              | Description
    Name               | The name of the discovery task.
    Agent              | The agent assigned to run the discovery task.
    Certificate Bucket | The certificate bucket used to group certificates discovered by the task.

  4. Add ranges to scan.

    1. Click the Add icon.

    2. Select a format and specify the range(s) to scan.

      Field          | Description
      CIDR           | The IP address to be scanned, provided in CIDR format.
      IP or IP range | The IP or hyphen-separated IP range to be scanned.
      Host name      | The hostname of the resource to be scanned.

    3. Specify the port, comma-separated ports, or hyphen-separated port range(s) to be scanned.

    4. Click Save.

    5. Repeat to add additional ranges as necessary.

  5. On the Schedule tab, select and configure the discovery task’s scan frequency.

  6. Click Save.

  7. Repeat as required to add additional network discovery tasks.
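
A pre-submission check for the range and port formats listed in step 4, as an added example (not Sectigo code). It reports how many address and port combinations each entry covers and whether an entry touches internal IPv4 space, which a public scan cannot reach; the format labels, the internal-network list and the sample entries are assumptions constructed here.

```python
import ipaddress
import re

# Assumption: "internal" means RFC 1918, loopback or link-local IPv4 space.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
             "127.0.0.0/8", "169.254.0.0/16")]
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

def parse_ports(spec):
    """Expand '443', '443,8443' or '8000-8010' (or a mix) into a sorted list."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port range: {part!r}")
        ports.update(range(lo, hi + 1))
    return sorted(ports)

def target_networks(fmt, value):
    """Turn one range entry into a list of networks (empty for a host name)."""
    if fmt == "cidr":
        return [ipaddress.ip_network(value, strict=False)]
    if fmt == "ip":  # single IP or hyphen-separated IP range
        first, _, last = value.partition("-")
        first = ipaddress.ip_address(first.strip())
        last = ipaddress.ip_address(last.strip()) if last else first
        return list(ipaddress.summarize_address_range(first, last))
    if fmt == "host":
        if not HOSTNAME.match(value):
            raise ValueError(f"bad host name: {value!r}")
        return []
    raise ValueError(f"unknown format: {fmt!r}")

def review_range(fmt, value, ports):
    """Summarise what one range entry asks the scanner to probe."""
    nets = target_networks(fmt, value)
    addresses = sum(n.num_addresses for n in nets) or 1  # host name counts as 1
    nports = len(parse_ports(ports))
    internal = any(n.overlaps(i) for n in nets for i in INTERNAL)
    return {"addresses": addresses, "ports": nports,
            "endpoints": addresses * nports, "internal": internal}

# Constructed sample entries (documentation address space and example.com).
SAMPLE = [("cidr", "203.0.113.0/28", "443"),
          ("ip", "198.51.100.10-198.51.100.19", "443,8443"),
          ("host", "www.example.com", "8000-8010"),
          ("cidr", "10.20.0.0/16", "443")]
```

Calling `review_range(*entry)` for each entry in `SAMPLE` shows the last one covering 65536 internal addresses, the kind of entry to correct before saving the task.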

To manually run network discovery tasks, navigate to Discovery > Network Discovery Tasks, select your discovery task, and click Scan.

Step four: Assign discovered certificates

Once a discovery task has been run, discovered certificates are automatically added to the certificate bucket associated with the task. From the certificate bucket, you can manually assign discovered certificates to organizations and departments for management.

To assign discovered certificates, do the following:

  1. Navigate to Discovery > Certificate Buckets.

  2. Select the certificate bucket containing the discovered certificate(s) you want to assign, and click Certificates.

  3. Select the certificate(s) you want to assign, and click Assign To.

  4. Complete the Assign to Organization/Department dialog fields based on the information provided in the following table.

    Field            | Description
    Organization     | The organization to which the certificate(s) will be assigned.
    Department       | The department, if required, to which the certificate(s) will be assigned.
    Certificate Type | The certificate type to assign to the certificate(s).

  5. Click Save.

  6. Repeat as required to assign additional certificates.

For more information on the topics covered in this guide, see the following sections: