Guide to modern PKI: Certificate discovery

Certificate discovery is usually the first step in building the certificate inventory. Its purpose is to search for certificates across the various locations and sources where they live: network infrastructure, applications, file systems, containers, and many more.

Once the certificates are identified and included in the inventory, we can see the overall status of the public key infrastructure. It is very common to find certificates issued by unauthorized certification authorities, or self-signed certificates. Once we know about them, we can manage them.

A proper certificate discovery process helps us identify vulnerable and non-compliant services and protects us from a system breach before it is too late.

In the previous articles of this series, we completed the setup of the CZERTAINLY platform and its integration with EJBCA as the certification authority. Now, let's take a look at how we can schedule certificate discovery on EJBCA.

Discovery on multiple EJBCA instances.

Discovery provider

A discovery provider implements the interface used to search for certificates within a specific technology or set of sources. This is the primary interface through which CZERTAINLY starts the certificate discovery process.

The EJBCA NG Connector we installed and registered on the platform works as one of the discovery providers. You can apply various search criteria and be informed of any certificate issued by EJBCA, even if it was not issued through CZERTAINLY.

Create certificate discovery

In order to run the certificate discovery process, we need to create a new Discovery. The discovery behaviour is defined by the EJBCA NG Connector we are going to use.

Create a new discovery with the following properties:

  • Discovery Name: My Discovery 01
  • Discovery Provider: select EJBCA-NG-Connector from the list of available discovery providers
  • Kind: select EJBCA

The discovery attributes for EJBCA certificate discovery are then loaded. These attributes define where and how you would like to discover certificates. For example, you can select a specific EJBCA instance, multiple profiles, certificates in a specific state, or certificates issued after a specific date.

  1. EJBCA instance: select one of the available EJBCA instances
  2. EJBCA REST API base URL: the base URL for the EJBCA REST Certificate Management V2 API is loaded automatically based on the selected EJBCA instance. You can change the URL if needed
  3. Certification Authority: select the CAs you would like to search for certificates. Leave it empty to search through all available CAs
  4. End Entity Profile: select the end entity profiles you would like to search for certificates. Leave it empty to search through all available end entity profiles
  5. Certificate status: select the certificate status. Leave it empty to search for certificates in all available statuses
  6. Certificate issued after: select the date after which certificates were issued. Leave it undefined to search for certificates issued at any time

Now you can run the discovery. The discovery process stays in progress until it has identified all matching certificates.

Sample configuration of certificate discovery on EJBCA.

Certificate inventory

In the overview of the discovery process, you can see all details about the scheduled discovery, the selected attributes and metadata, and all certificates that were discovered. Once the discovery process is completed, the certificates are included in the certificate inventory.

The certificate inventory contains the list of all certificates with all their details. It includes, for example:

  • Validation status of the certificate
  • Compliance status of the certificate based on the Compliance Profiles
  • Details about certificate attributes
  • Locations where the certificate is present
  • History of changes for the certificate
  • and many more

The certificate inventory is a point-in-time snapshot of your infrastructure. Through the inventory, any certificate can be managed.

Inventory of certificates that were found through the certificate discovery on EJBCA.
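As an added example (not part of the original article or of the CZERTAINLY code base), the following Go program shows the validation-status part of such an inventory: it classifies three constructed certificates (one issued by the authorized CA, one expired, one self-signed) against a single trusted root and labels each the way an inventory would. The CA name, hostnames and status labels are assumptions for illustration only; a certificate issued by a CA outside the trusted set falls into the "unauthorized-issuer" status.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// mkCert issues a test certificate for cn that expires at na: signed by parent, or self-signed when parent is nil.
func mkCert(cn string, isCA bool, na time.Time, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: na.Add(-72 * time.Hour), NotAfter: na, IsCA: isCA, BasicConstraintsValid: isCA}
	if parent == nil { // self-signed: the template is its own issuer
		parent, pk = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), pk)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c, key
}
// Classify returns the validation status an inventory would record for one discovered certificate.
func Classify(c *x509.Certificate, roots *x509.CertPool, now time.Time) string {
	_, err := c.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	switch {
	case err == nil:
		return "valid" // chains to an authorized CA in roots
	case now.After(c.NotAfter):
		return "expired"
	case c.CheckSignature(c.SignatureAlgorithm, c.RawTBSCertificate, c.Signature) == nil:
		return "self-signed" // verifies under its own key, so no CA was involved
	}
	return "unauthorized-issuer" // signed by a CA outside the trusted set
}
// Inventory classifies a constructed discovery result (three certificates) against one authorized root CA.
func Inventory() map[string]string {
	now, h := time.Now(), time.Hour
	ca, caKey := mkCert("Corp Root CA", true, now.Add(48*h), nil, nil) // the only authorized CA (constructed)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	web, _ := mkCert("web01.example.test", false, now.Add(24*h), ca, caKey) // issued by the authorized CA
	old, _ := mkCert("db.example.test", false, now.Add(-h), ca, caKey)     // authorized CA, but expired
	dev, _ := mkCert("dev-box", false, now.Add(24*h), nil, nil)            // self-signed, no CA involved
	return map[string]string{"web01": Classify(web, roots, now),
		"old-db": Classify(old, roots, now), "dev-box": Classify(dev, roots, now)}
}
```

In a real inventory the certificates come from the discovery provider instead of mkCert, and the root pool holds the CAs your organization actually authorizes.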

Visibility on certificates

Certificate discovery gives you complete visibility of the certificates handled in your infrastructure. Once you know all your certificates, you can plan ahead and decide how they should be managed.

Get more information about CZERTAINLY

CZERTAINLY is an open-source platform for effective and efficient certificate lifecycle management for companies of any size and for individuals. One of its goals is to provide an easy and affordable way to secure digital communication and support information security in an increasingly connected world.

Need help?

Do not hesitate to get in touch with us!