See Discovery workflow and permissions and Sensor installation requirements.
In your CertCentral account, in the sidebar menu, select Discovery > Manage Discovery.
On the Manage scans page, select Add scan.
Set up your scan
On the Add a scan page, in the Create a scan section, provide the necessary scan information:
Notes on using subdomains:
When to scan
Configure your scan to run now or schedule it.
To set a limit for how long an unfinished scan should run before you stop it, select Stop if scan time exceeds and select a maximum run time.
Settings: Scan options
The optimized scan provides basic SSL/TLS certificate and server information along with any discovered critical TLS/SSL server issues (Heartbleed, POODLE [SSLv3], FREAK, Logjam, DROWN, RC4, POODLE [TLS], cross-site scripting, SQL injection, cross-domain policy, and CSRF).
Choose what to scan
Customize the information included in your scan results.
Adding more scan options increases the scan’s impact on network resources, resulting in a longer scan time.
Advanced settings: Scan performance
Use the Scan performance options below to configure how quickly the scan is completed or to limit the impact of scans on network resources:
Advanced settings: Add tags to the scan
Use this option to add tags to your scan. The tags apply to all certificates found during network scanning. Use this to identify and manage the certificates configured on your network or any other network you manage.
Advanced settings: More settings
Reduce firewall alarms by restricting TLS/SSL server checks
Use this option with the understanding that it may limit the effectiveness of your scan, as it may result in missed TLS/SSL server issues.
To identify TLS/SSL server issues (for example, Heartbleed), scans sometimes emulate a TLS/SSL server issue to make sure the server is secure. Such emulations might trigger false firewall alarms on your network. To avoid such alarms, you can restrict the TLS/SSL server checks.
Specify ports to scan to verify host availability
The ports you specify here are only used to verify the host availability.
The first step in the scan process pings the host to verify its availability.
If Internet Control Message Protocol (ICMP) pings are disabled on a host, use this setting to specify the ports that can be scanned to verify host availability. The fewer ports specified, the faster your scan.
Enable port debugging
Use this option to log and collect data on firewalled and closed ports.
Save and schedule/Save and run
When you are done, you will need to save your scan.
Your scan will run now or as scheduled. Scan completion time depends on network size and the scan performance settings selected during setup.
If a scan triggers a false alarm in intrusion detection systems (IDS) or intrusion protection systems (IPS), make sure to allowlist the scans in your IDS/IPS utilities.
Also, configure your scan to run Slow. Slower scans are less likely to trigger false alarms. You may also need to allowlist the sensor from your firewall to allow communication to digicert.com.
To manage your scans, go to the Manage scans page (in the sidebar menu, select Discovery > Manage Discovery).
To view scan details or to modify scan settings, go to the scan's details page (on the Manage scans page, select the scan name).