Set up and run a scan

Before you begin

  • Verify the sensor you want to use has been installed, activated, and started
  • Verify you've met all the network requirements
  • Verify you've met all the deployment requirements
  • Be an administrator or manager in the CertCentral account

See Discovery workflow and permissions and Sensor installation requirements.

Gather needed information

Additionally, you'll want to gather some information:

  • The name of the sensor to use for the scan
  • The division the sensor is assigned to (if you are using divisions in your account)
  • The ports you want to use to scan your network
  • The FQDNs and IP addresses you want to include in the scan
  • Find out if you're using Server Name Indication (SNI) to serve multiple domains from a single IP address*

Set up and run your scan

  1. In your CertCentral account, in the sidebar menu, click Discovery > Manage Discovery.

  1. On the Manage scan page, click Add scan.

  1. Set up your scan

    On the Add a scan page, under Set up scan, provide the necessary scan information.

    1. Scan name
      Name your scan so you can easily identify it (names become more important when you have multiple scans).
    2. Division
      Choose the division with the sensor you want to use for the scan.
      During installation, you assign the sensor to a division. In the Sensor dropdown, you can only see the sensors assigned to the selected division.
      Note: If you aren't using divisions in your account, you'll see your organization name.
    3. Ports
      Specify the ports you want to use to scan your network for SSL/TLS certificates.
      Use All to include all ports in a specified range
      Use Default to include ports commonly used for SSL/TLS certificates: 443, 389, 636, 22, 143, 110, 465, 8443, 3389.
    4. Enable SNI*
      Are you using Server Name Indication (SNI) to serve multiple domains from a single IP address? Check this box to enable SNI scanning for the scan (limited to max 10 ports per server).
      Note: An SNI scan may not have IP information as part of the results.
    5. Sensor
      Choose the sensor you want to use for the scan. In the dropdown, you can only see the sensors assigned to the division you selected in the Division dropdown.
      Note: If you aren't using divisions in your account, you will see the sensors assigned to your organization.
    6. FQDNs / IP to scan
      Include FQDNs and IP addresses:
      Enter the FQDNs and IP addresses you want to include in the scan and click Include.You can include single IP addresses (10.0.0.1), a range of IP addresses (10.0.0.1-10.0.0.255), or an IP range in CIDR format (10.0.0.0/24).
      Exclude FQDNs and IP addresses:
      Enter the IP address you want to exclude from a range of IP address and click Exclude. You can exclude a single IP address (10.0.0.1), a range of IP addresses (10.0.0.1-10.0.0.255), or an IP range in CIDR format (10.0.0.0/24).
    7. When you are finished, click Next.

  1. When to scan

    Configure your scan to run now or schedule it.

    To set a limit for how long an unfinished scan should run before you stop it, check Stop of scan time exceeds and select a maximum run time.

  1. Settings: Scan options

    The optimized scan provides basic SSL/TLS certificate and server information along with any discovered critical TLS/SSL server issues. (Heartbleed, Poodle [SSLv3], FREAK, Logjam, DROWN, RC4, and POODLE [TLS]).

    Choose what to scan

    To customize the information included in your scan results, select Choose what to scan. Then, customize the scan to fit your needs. For example, if you want to specify which TLS/SSL server issues are scanned for, such as POODLE (TLS) or BEAST, select Choose what TLS/SSL server issues to scan for.

Adding more scan options increases the scan’s impact on network resources as well as how long it takes to complete it.

  1. Advanced settings: Scan performance

    Use the Scan performance options to configure how quickly the scan is completed or to limit the scans impact on network resources.

    • Aggressive scans
      Have a higher impact on network resources. Sends out a large number of scan packets to the network. Discovery caps how many packets are sent to prevent an unintended number of packets from being sent.
      Note: Using the aggressive setting may set off false alarms on Intrusion Detection System (IDS) or Intrusion Prevention System (IPS).
    • Slow scans
      Limit the impact of the scan on network resources and reduce the number of IDS or IPS false alarms. Sends a few scan packets at a time and waits for a response before sending more packets.

  1. Advance settings: More settings

    Reduce firewall alarms by restricting TLS/SSL server checks

    Use this option with the understanding that it may limit the effectiveness of your scan, as it may result in missed TLS/SSL server issues.

    To identify TLS/SSL server issues (for example, Heartbleed), scans sometimes emulate a TLS/SSL server issue to make sure that the server is secure. Such emulations might trigger false firewall alarms on your network. To avoid such alarms, you can restrict the TLS/SSL server checks.

    Specify ports to scan to verify host availability

    The ports you specify here are only used to verify the host availability.

    The first step in the scan process pings the host to verify its availability.
    If Internet Control Message Protocol (ICMP) pings are disabled on a host, use this setting to specify the ports that can be scanned to verify host availability. The fewer ports specified, the faster your scan.

    Enable filtered ports logging

    Use this option to log and collect data on firewalled and closed ports.

  1. Save and schedule/Save and run

    When you are done, you'll want to save your scan.

    • If you are running it now, click Save and run.
    • If you've scheduled the scan, click Save and schedule.

What's Next

Your scan will run now or as scheduled. Scan completion time depends on network size, and the scan performance settings selected during set up.

If a scan triggers a false alarm in intrusion detection systems (IDS) or intrusion protection systems (IPS), make sure to whitelist the scans in your IDS/IPS utilities. Also, configure your scan to run Slow. Slower scans are less likely to trigger false alarms. You may also need to whitelist the sensor from your firewall to allow communication to digicert.com.

To manage your scans, go to the Scan page (in the sidebar menu, click Discovery > Manage Discovery).

To view scan details or to modify scan settings, go to the scan's details page, (on the Scans page, click the scan name link).

  • On the Discovery location and Scan settings tabs, view or modify scan settings.
  • On the Scan activity tab, view current and past scan details such as start time, duration, scan status, and actions.
    • To view scanned certificate details, click View certificates.
    • To get the information about firewalled and closed ports, click Download filtered ports report.

About

DigiCert is the world's leading provider of scalable TLS/SSL, IoT and PKI solutions for identity and encryption. The most innovative companies, including 89% of the Fortune 500 and 97 of the 100 top global banks, choose DigiCert for its expertise in identity and encryption for web servers and Internet of Things devices. DigiCert supports TLS and other digital certificates for PKI deployments at any scale through its certificate lifecycle management solution, CertCentral®. The company is recognized for its enterprise-grade certificate management platform, fast and knowledgeable customer support, and market-leading security solutions. For the latest DigiCert news and updates, visit digicert.com or follow @digicert.

©2020 DigiCert, Inc. All rights reserved. DigiCert, its logo and CertCentral are registered trademarks of DigiCert, Inc. Norton and the Checkmark Logo are trademarks of NortonLifeLock Inc. used under license. Other names may be trademarks of their respective owners.