Network

Network discovery scans network endpoints over TLS to discover certificates served by hosts across IP ranges and domains. Optionally, you can use an Infisical Gateway to reach endpoints in private networks that are not accessible from the internet.

Infisical UI
API

Navigate to your Certificate Management Project > Discovery and press Add Job.
Fill in the discovery job details and click Create.
- Name: A slug-friendly name for the discovery job (e.g., prod-tls-scan).
- Description: An optional description for the discovery job.
- Targets: A list of domains, IP addresses, or CIDR ranges to scan (e.g., example.com, 192.168.1.1, 10.0.0.0/24).
- Ports: The ports to scan for TLS certificates. Defaults to common TLS ports if not specified.
- Gateway (optional): The Infisical Gateway to use for running the scan. Only required to reach endpoints in private networks.
- Auto Scan: Toggle to enable automatic periodic scanning. When enabled, select a scan interval (e.g., daily, weekly).
At least one target (domain or IP) must be specified.
Trigger a scan manually by pressing Scan Now on the discovery job’s page, or wait for the next automatic scan if auto scan is enabled.
After a scan completes, view the results on the discovery job’s detail page:
- Installations: The unique locations where certificates were found.
- Certificates: The certificates discovered at each installation, including details such as common name, issuer, and expiration date.
- Scan History: A log of all scans that have been run, including status and timestamps.

To create a Network discovery job, make an API request to the Create Discovery API endpoint.

Sample request

Request

curl --request POST \
  --url https://app.infisical.com/api/v1/pki/discovery \
  --header 'Authorization: Bearer <access-token>' \
  --header 'Content-Type: application/json' \
  --data '{
    "projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
    "name": "prod-tls-scan",
    "description": "Scan production network for TLS certificates",
    "type": "network-tls",
    "gatewayId": "550e8400-e29b-41d4-a716-446655440000",
    "isAutoScanEnabled": true,
    "scanIntervalInDays": 1,
    "targetConfig": {
      "ipRanges": ["10.0.0.0/24", "192.168.1.1"],
      "domains": ["example.com"],
      "ports": "443, 8443"
    }
  }'

To trigger a scan, make a request to the Trigger Scan endpoint:

Request

curl --request POST \
  --url https://app.infisical.com/api/v1/pki/discovery/<discoveryId>/scan \
  --header 'Authorization: Bearer <access-token>'

Limits

The following limits apply to Network discovery jobs:

Max individual IPs: 256
Max domains: 20
Max ports: 5
Minimum CIDR prefix: /24 (256 hosts)

Certificate Management

Product Reference

Infrastructure Integrations

Certificate Syncs

External CA Integrations

Sample request

Limits

Certificate Management

Product Reference

Infrastructure Integrations

Certificate Syncs

External CA Integrations

​Sample request

​Limits

Sample request

Limits