Certificate Discovery automatically scans your infrastructure to find certificates you may not know exist. This gives you full visibility into your organization’s certificate landscape — helping you identify expiring certificates, misconfigurations, and shadow PKI.Documentation Index
Fetch the complete documentation index at: https://infisical.com/docs/llms.txt
Use this file to discover all available pages before exploring further.
How It Works
Discovery jobs scan your infrastructure and organize results as installations — unique locations where certificates were found. Each installation tracks certificates discovered at that location across multiple scans, allowing you to monitor changes over time.Network Discovery
Scan network endpoints over TLS to discover certificates served by hosts across IP ranges and domains.
Additional discovery types (cloud providers, file systems, etc.) will be added in future releases.
Installations
An installation represents a unique location where a certificate was discovered — for example, a specific hostname and port combination. View installations:- From the Installations tab on the Discovery page
- From a specific discovery job’s detail page
- From a certificate’s detail page (shows where that certificate is deployed)
Certificate Matching
Discovered certificates are matched to your existing inventory by fingerprint. If a discovered certificate matches one in your Infisical organization, the installation is linked to that certificate — giving you a unified view of where your certificates are deployed.FAQ
How are discovered certificates matched to existing certificates?
How are discovered certificates matched to existing certificates?
Discovered certificates are matched by their fingerprint (SHA-256 hash of the DER-encoded certificate). If a discovered certificate matches an existing certificate in your organization, the installation is linked to that certificate.
What happens when a certificate changes at an endpoint?
What happens when a certificate changes at an endpoint?
When a subsequent scan detects a different certificate at a location, the installation is updated to reflect the new certificate. The previous certificate association is preserved in the scan history.
Can I import discovered certificates into my inventory?
Can I import discovered certificates into my inventory?
Yes — if a discovered certificate doesn’t match any existing certificate, you can import it into your inventory to track and manage it alongside certificates issued through Infisical.
What’s Next?
Network Discovery
Scan TLS endpoints across IP ranges and domains.
Applications
Issue and manage certificates for your services.
Alerting
Get notified when discovered certificates expire.
Certificate Syncs
Push certificates to cloud destinations.