Discover Certificates on Machines
Next-Gen Trust Security supports machine-based discovery, allowing you to identify and track certificates that are already deployed to machines in your environment. Discovery helps you understand which certificates exist on a machine, identify changes over time, and manage those certificates appropriately.
Discovery is supported for the following machine types:
- A10 Thunder ADC
- Citrix ADC
- Cloudflare
- F5 appliance
- Imperva WAF
- Kemp LoadMaster
- Microsoft IIS
- Radware Alteon ADC
- Microsoft Azure Key Vault
- Microsoft Azure Application Registration
- Palo Alto Panorama
- VMware NSX Advanced Load Balancer (AVI)
Warning: Next-Gen Trust Security does not import certificates stored in PFX or PKCS#12-formatted keystores during discovery. These certificates are skipped automatically, and the discovery job continues without failure.
Before You Begin
- The machine must already be created in Next-Gen Trust Security. If not, see Create a new machine.
- The machine must be successfully connected. Use Test Access on the Access tab to verify connectivity.
- The machine must show a Verified status on the Access tab.
Run Discovery on a Machine
- Sign in to Next-Gen Trust Security.
- Click Insights > Machines.
- Select the machine you want to discover certificates on.
- Verify that required connection fields (such as address and credentials) are populated.
Note: For Cloudflare machines, discovery does not include certificates associated with wildcard hostnames.
- Select the Discovery tab to configure discovery behavior.
Available filters vary by machine type. If no filters are configured, discovery searches all supported locations for that machine.
Machine-Specific Discovery Filters
F5 BIG-IP LTM
- Resource types to discover – Virtual servers, monitors, or both.
- Partitions – Comma-separated list of partition names. Leave blank to include all partitions.
- Exclude expired certificates
- Exclude inactive certificates
- Discovery schedule
Microsoft Azure Key Vault
- Exclude disabled certificates
- Exclude expired certificates
- Discovery schedule
Microsoft IIS
- Certificate store – Personal, Web Hosting, or both.
- Exclude expired certificates
- Discovery schedule
VMware NSX Advanced Load Balancer (AVI)
- Tenants – Comma-separated list. Leave blank to include all tenants.
- Exclude expired certificates
- Exclude inactive certificates
- Discovery schedule
Cloudflare
- Exclude expired certificates
- Discovery schedule
Citrix ADC
- Resource types to discover – Virtual servers, monitors, or both.
- Partitions – Comma-separated list. Leave blank to include all partitions.
- Exclude expired certificates
- Discovery schedule
A10 Thunder ADC
- Discovery runs in the default partition only.
- Exclude expired certificates
- Discovery schedule
Kemp Virtual LoadMaster
- Exclude expired certificates
- Exclude certificates not in use by a virtual service
- Discovery schedule
Radware Alteon ADC
- Exclude expired certificates
- Discovery schedule – Daily, weekly, or monthly.
- Click Discover Now.
- A message below the machine name shows when discovery starts. Refresh the page to see completion status.
Note: Discovery continues even if individual certificates encounter errors. If a discovery run encounters a large number of errors, it may stop early.
- Select the Discovery tab to review results, including:
- Total discovered certificates
- Newly discovered certificates
- Installations created
- Installations missing
- Installations deleted
- Execution time
What Do These Results Mean?
- Total discovered – Certificates found during the current and previous discovery runs.
- Newly discovered – Certificates found for the first time.
- Installations created – New installation records created by discovery.
- Installations missing – Installations previously found but not detected in the current run.
- Installations deleted – Installations removed after remaining missing for several days.
- Execution time – Duration of the discovery run.
- Select the Installations tab to view discovered certificate installations.
Important: Installations that remain missing for multiple discovery runs are automatically removed.
Important: For Cloudflare machines, discovery includes only custom certificates. Universal and backup certificates are not discovered because they are managed directly by Cloudflare.
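Added illustration of how the Discovery tab counters and the missing-then-removed rule fit together; this is a model of the behaviour described above, not Next-Gen Trust Security's own code. The three-run removal threshold, keying installations by location and thumbprint, and the sample IIS store entries are constructed assumptions.

```python
from datetime import datetime, timezone

MISSING_RUNS_BEFORE_DELETE = 3        # constructed: the page only says "several days"
SKIPPED_FORMATS = {"pfx", "pkcs12"}   # PFX/PKCS#12 keystores are skipped, per the page


def reconcile(inventory, known, scan, now, exclude_expired=True):
    """One discovery run: updates state in place, returns the Discovery tab counters."""
    # inventory: {(location, thumbprint): consecutive runs the installation was missing}
    # known: set of thumbprints seen in any run so far
    counters = {k: 0 for k in ("total_discovered", "newly_discovered", "installations_created",
                               "installations_missing", "installations_deleted")}
    seen = set()
    for cert in scan:
        if cert["format"] in SKIPPED_FORMATS or (exclude_expired and cert["not_after"] < now):
            continue                          # item skipped; the run itself does not fail
        key = (cert["location"], cert["thumbprint"])
        seen.add(key)
        if cert["thumbprint"] not in known:   # first time this certificate is ever seen
            known.add(cert["thumbprint"])
            counters["newly_discovered"] += 1
        if key not in inventory:
            counters["installations_created"] += 1
        inventory[key] = 0                    # present this run, so reset the missing count
    for key in list(inventory):
        if key in seen:
            continue
        inventory[key] += 1
        if inventory[key] >= MISSING_RUNS_BEFORE_DELETE:
            del inventory[key]                # missing for too many runs: removed
            counters["installations_deleted"] += 1
        else:
            counters["installations_missing"] += 1
    counters["total_discovered"] = len(known)  # current and previous runs combined
    return counters


def demo():
    """Constructed data: live, expired and PFX items on an IIS machine, then an emptied store."""
    now = datetime(2025, 6, 1, tzinfo=timezone.utc)
    later = datetime(2026, 1, 1, tzinfo=timezone.utc)
    earlier = datetime(2024, 1, 1, tzinfo=timezone.utc)
    scan = [{"location": "Personal", "thumbprint": "AA11", "format": "pem", "not_after": later},
            {"location": "Personal", "thumbprint": "BB22", "format": "pem", "not_after": earlier},
            {"location": "Web Hosting", "thumbprint": "CC33", "format": "pfx", "not_after": later}]
    inventory, known = {}, set()
    runs = [reconcile(inventory, known, scan, now)]
    runs += [reconcile(inventory, known, [], now) for _ in range(MISSING_RUNS_BEFORE_DELETE)]
    return runs, inventory
```

The first run counts only the live PEM certificate (the expired and PFX items are skipped, not failed); the following empty scans show it reported as missing twice and removed on the third run, while "total discovered" keeps counting it as seen in a previous run.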
Set up a Machine Discovery Schedule
- In the Next-Gen Trust Security toolbar, click Installations and select Machines.
- Select the machine you want to configure.
- Click the Discovery tab.
- Configure discovery options such as certificate store and exclusion settings.
- Enable the Schedule toggle.
- Under Repeat every, select Daily, Weekly, or Monthly, and choose a time.
Note: Times are shown in UTC.