Discover certificates on machines
Next-Gen Trust Security supports machine-based discovery, allowing you to identify and track certificates that are already deployed to machines in your environment. Discovery helps you understand which certificates exist on a machine, identify changes over time, and manage those certificates appropriately.
Discovery is supported for the following machine types:
- A10 Thunder ADC
- Citrix ADC
- Cloudflare
- F5 BIG-IP LTM
- Kemp LoadMaster
- Microsoft IIS
- Microsoft Azure Key Vault
- Palo Alto Panorama
- VMware NSX Advanced Load Balancer (AVI)
Warning: Next-Gen Trust Security does not import certificates stored in PFX (PKCS#12) keystores during discovery. Those entries are skipped automatically, and the discovery job continues without failing.
Before you begin
- The machine must already be created in Next-Gen Trust Security. If not, see Create a new machine.
- The machine must be successfully connected. Use Test Access on the Access tab to verify connectivity.
- The machine must show a Verified status on the Access tab.
Run discovery on a machine
- Sign in to Next-Gen Trust Security.
- Click Insights > Machines.
- Select the machine you want to discover certificates on.
- Verify that required connection fields (such as address and credentials) are populated.
Note: For Cloudflare machines, discovery does not include certificates associated with wildcard hostnames.
- Select the Discovery tab to configure discovery behavior.
Available filters vary by machine type. If no filters are configured, discovery searches all supported locations for that machine.
Machine-specific discovery filters
F5 BIG-IP LTM
- Resource types to discover – Virtual servers, monitors, or both.
- Partitions – Comma-separated list of partition names. Leave blank to include all partitions.
- Exclude expired certificates
- Exclude inactive certificates
- Discovery schedule
Microsoft Azure Key Vault
- Exclude disabled certificates
- Exclude expired certificates
- Discovery schedule
Microsoft IIS
- Certificate store – Personal, Web Hosting, or both.
- Exclude expired certificates
- Discovery schedule
VMware NSX Advanced Load Balancer (AVI)
- Tenants – Comma-separated list. Leave blank to include all tenants.
- Exclude expired certificates
- Exclude inactive certificates
- Discovery schedule
Cloudflare
- Exclude expired certificates
- Discovery schedule
Citrix ADC
- Resource types to discover – Virtual servers, monitors, or both.
- Partitions – Comma-separated list. Leave blank to include all partitions.
- Exclude expired certificates
- Discovery schedule
A10 Thunder ADC
- Partitions – Not configurable. Discovery runs in the default partition only.
- Exclude expired certificates
- Discovery schedule
Kemp Virtual LoadMaster
- Exclude expired certificates
- Exclude certificates not in use by a virtual service
- Discovery schedule
- Click Discover Now.
- A message below the machine name shows when discovery starts. Refresh the page to see completion status.
Note: Discovery continues even if individual certificates encounter errors. If a discovery run encounters a large number of errors, it may stop early.
- Select the Discovery tab to review results, including:
- Total discovered certificates
- Newly discovered certificates
- Installations created
- Installations missing
- Installations deleted
- Execution time
What do these results mean?
- Total discovered – Certificates found during the current and previous discovery runs.
- Newly discovered – Certificates found for the first time.
- Installations created – New installation records created by discovery.
- Installations missing – Installations previously found but not detected in the current run.
- Installations deleted – Installations removed after remaining missing for several days.
- Execution time – Duration of the discovery run.
- Select the Installations tab to view discovered certificate installations.
Important: Installations that remain missing for multiple discovery runs are automatically removed.
Important: For Cloudflare machines, discovery includes only custom certificates. Universal and backup certificates are not discovered because they are managed directly by Cloudflare.
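The filter settings and the result counters above interact in ways that are easy to misread (for example, a certificate that disappears and later comes back is an "installation created" but not "newly discovered"). The following Python model is an added example, not Next-Gen Trust Security code: it replays several discovery runs over constructed sample certificates, applies the expired/inactive/partition filters, skips PKCS#12 entries without failing, and derives the same counters the Discovery tab reports. The class names, the filter keyword names and the `DELETE_AFTER_MISSING_RUNS` threshold are assumptions; the page only says installations are removed after remaining missing for several runs.

```python
"""Model of machine-discovery reconciliation. Added example, not product code;
class names, filter keywords and DELETE_AFTER_MISSING_RUNS are assumptions."""
from dataclasses import dataclass, field
from datetime import date

DELETE_AFTER_MISSING_RUNS = 3  # assumed; the real threshold is not stated on the page


@dataclass(frozen=True)
class FoundCert:
    """One certificate as reported by the machine (constructed sample data)."""
    thumbprint: str
    location: str                 # virtual server / store / vault object it is bound to
    not_after: date
    partition: str = "Common"
    in_use: bool = True           # False = 'inactive' (not bound to any virtual server)
    keystore_format: str = "pem"  # 'pkcs12'/'pfx' entries are skipped, per the warning


@dataclass
class Installation:
    thumbprint: str
    location: str
    missing_runs: int = 0         # consecutive runs in which this installation was not seen


@dataclass
class Inventory:
    known_thumbprints: set = field(default_factory=set)  # every cert ever discovered
    installations: dict = field(default_factory=dict)    # (thumbprint, location) -> Installation


def apply_filters(found, today, exclude_expired=False, exclude_inactive=False, partitions=None):
    """Apply the per-machine discovery filters; PKCS#12 entries are skipped, never fatal."""
    kept, skipped = [], []
    for cert in found:
        if cert.keystore_format.lower() in ("pkcs12", "pfx"):
            skipped.append(cert)          # skipped silently, the run continues
            continue
        if exclude_expired and cert.not_after < today:
            continue
        if exclude_inactive and not cert.in_use:
            continue
        if partitions and cert.partition not in partitions:
            continue
        kept.append(cert)
    return kept, skipped


def run_discovery(inventory, found, today, **filters):
    """One discovery run: update the inventory, return the Discovery tab counters."""
    kept, skipped = apply_filters(found, today, **filters)
    seen = {(c.thumbprint, c.location) for c in kept}
    newly = {c.thumbprint for c in kept} - inventory.known_thumbprints  # first time ever seen
    created = 0
    for key in seen:
        if key in inventory.installations:
            inventory.installations[key].missing_runs = 0  # seen again, reset the counter
        else:
            inventory.installations[key] = Installation(*key)
            created += 1
    missing = deleted = 0
    for key in list(inventory.installations):
        if key in seen:
            continue
        inst = inventory.installations[key]
        inst.missing_runs += 1
        if inst.missing_runs >= DELETE_AFTER_MISSING_RUNS:
            del inventory.installations[key]  # missing for several runs: removed
            deleted += 1
        else:
            missing += 1
    inventory.known_thumbprints |= {c.thumbprint for c in kept}
    return {"total_discovered": len(inventory.known_thumbprints),
            "newly_discovered": len(newly), "installations_created": created,
            "installations_missing": missing, "installations_deleted": deleted,
            "skipped_pkcs12": len(skipped)}


def demo():
    """Five constructed runs against an F5-style machine; returns per-run counters."""
    today = date(2025, 6, 1)
    web = FoundCert("AA11", "vs-web", date(2026, 1, 1))
    api = FoundCert("BB22", "vs-api", date(2026, 1, 1))
    expired = FoundCert("CC33", "vs-legacy", date(2024, 1, 1))
    idle = FoundCert("EE55", "vs-idle", date(2026, 1, 1), in_use=False)
    pfx = FoundCert("DD44", "vs-old", date(2026, 1, 1), keystore_format="pkcs12")
    inventory = Inventory()
    filters = dict(exclude_expired=True, exclude_inactive=True)
    runs = [[web, api, expired, idle, pfx],  # run 1: two kept, two filtered, one skipped
            [web], [web], [web],             # runs 2-4: api removed from the machine
            [web, api]]                      # run 5: api re-appears on the same virtual server
    return [run_discovery(inventory, found, today, **filters) for found in runs]


if __name__ == "__main__":
    for i, result in enumerate(demo(), 1):
        print(f"run {i}: {result}")
```

Run it and watch the counters: run 1 reports two newly discovered certificates and one skipped PKCS#12 entry; runs 2 and 3 show one installation missing; run 4 deletes it once the assumed threshold is reached; run 5 reports an installation created but nothing newly discovered, because the thumbprint was already known from an earlier run.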
Set up a machine discovery schedule
- In the Next-Gen Trust Security toolbar, click Installations and select Machines.
- Select the machine you want to configure.
- Click the Discovery tab.
- Configure discovery options such as certificate store and exclusion settings.
- Enable the Schedule toggle.
- Under Repeat every, select Daily, Weekly, or Monthly, and choose a time.
Note: Times are shown in UTC.