See Discovery workflow and permissions and Sensor installation requirements.
Additionally, you'll want to gather some information:
In your CertCentral account, in the sidebar menu, click Discovery > Manage Discovery.
On the Manage scan page, click Add scan.
Set up your scan
On the Add a scan page, under Set up scan, provide the necessary scan information.
When to scan
Configure your scan to run now or schedule it.
To limit how long an unfinished scan can run before it is stopped, check Stop if scan time exceeds and select a maximum run time.
Settings: Scan options
The optimized scan provides basic SSL/TLS certificate and server information along with any discovered critical TLS/SSL server issues (Heartbleed, POODLE [SSLv3], FREAK, Logjam, DROWN, RC4, and POODLE [TLS]).
Choose what to scan
To customize the information included in your scan results, select Choose what to scan. Then, customize the scan to fit your needs. For example, if you want to specify which TLS/SSL server issues are scanned for, such as POODLE (TLS) or BEAST, select Choose what TLS/SSL server issues to scan for.
Adding more scan options increases the scan's impact on network resources as well as how long the scan takes to complete.
Advanced settings: Scan performance
Use the Scan performance options to configure how quickly the scan is completed or to limit the scan's impact on network resources.
Advanced settings: More settings
Reduce firewall alarms by restricting TLS/SSL server checks
Use this option with the understanding that it may limit the effectiveness of your scan, as it may result in missed TLS/SSL server issues.
To identify TLS/SSL server issues (for example, Heartbleed), scans sometimes emulate a TLS/SSL server issue to make sure that the server is secure. Such emulations might trigger false firewall alarms on your network. To avoid such alarms, you can restrict the TLS/SSL server checks.
Specify ports to scan to verify host availability
The ports you specify here are only used to verify the host availability.
The first step in the scan process pings the host to verify its availability.
If Internet Control Message Protocol (ICMP) pings are disabled on a host, use this setting to specify the ports that can be scanned to verify host availability. The fewer ports specified, the faster your scan.
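The port-based availability check described above can be pictured as a TCP connect attempt against each listed port, stopping at the first one that answers. This is an added example, not DigiCert's sensor code; the function names, the timeouts and the loopback listener used as a target are assumptions for illustration.

```python
import socket

def first_open_port(host, ports, timeout=1.0):
    """Return the first port in `ports` that accepts a TCP connection, or None."""
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                return port  # one accepted connection is enough: host is up
        except OSError:
            continue  # refused, filtered or timed out: try the next port
    return None

def worst_case_seconds(ports, timeout=1.0):
    """Upper bound on time spent on a host that silently drops every probe."""
    return len(ports) * timeout

def demo():
    """Constructed loopback target standing in for a host with ICMP disabled."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener, \
         socket.socket(socket.AF_INET, socket.SOCK_STREAM) as unused:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        unused.bind(("127.0.0.1", 0))  # bound but not listening: connects are refused
        open_port = listener.getsockname()[1]
        closed_port = unused.getsockname()[1]
        found = first_open_port("127.0.0.1", [closed_port, open_port], timeout=0.5)
        missing = first_open_port("127.0.0.1", [closed_port], timeout=0.5)
        return open_port, found, missing

if __name__ == "__main__":
    print(demo())
    # Each extra port adds up to one full timeout per unreachable host.
    print(worst_case_seconds([22, 80, 443, 8443], timeout=2.0))
```

The worst-case figure shows why a shorter port list speeds up the scan: every unreachable host costs up to one timeout per listed port.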
Enable filtered ports logging
Use this option to log and collect data on firewalled and closed ports.
Save and schedule/Save and run
When you are done, you'll want to save your scan.
Your scan will run now or as scheduled. Scan completion time depends on network size and the scan performance settings selected during setup.
If a scan triggers a false alarm in intrusion detection systems (IDS) or intrusion protection systems (IPS), make sure to whitelist the scans in your IDS/IPS utilities. Also, configure your scan to run Slow. Slower scans are less likely to trigger false alarms. You may also need to whitelist the sensor from your firewall to allow communication to digicert.com.
To manage your scans, go to the Scan page (in the sidebar menu, click Discovery > Manage Discovery).
To view scan details or to modify scan settings, go to the scan's details page (on the Scans page, click the scan name link).