Set up and run a scan

Before you begin

  • Verify the sensor you want to use is installed, activated, and started.
  • Verify your network meets all requirements.
  • Verify you meet all deployment requirements.
  • Administrator or manager privileges are required.

See Discovery workflow and permissions and Sensor installation requirements.

Gather needed information

  • The name of the sensor you want to use.
  • The division the sensor is assigned to (if you are using divisions in your account).
  • The ports you want to use to scan your network.
  • The FQDNs and IP addresses you want to include in the scan.
  • Whether you are using Server Name Indication (SNI) to serve multiple domains from a single IP address.

Set up and run your scan

  1. In your CertCentral account, in the sidebar menu, select Discovery > Manage Discovery.

  1. On the Manage scans page, select Add scan.

  1. Set up your scan

    On the Add a scan page, in the Set up a scan section, provide the necessary scan information:

    1. Scan name
      Name your scan so you can easily identify it (names become more important when you have multiple scans).
    2. Division
      Choose the division with the sensor you want to use for the scan.
      During installation, you assign the sensor to a division. You only see the sensors assigned to the selected division.
      Note: If you are not using divisions in your account, you will see your organization name, instead.
    3. Ports
      Specify the ports you want to use to scan your network for SSL/TLS certificates.
      Use All to include all ports in a specified range.
      Use Default to include ports commonly used for SSL/TLS certificates: 443, 389, 636, 22, 143, 110, 465, 8443, 3389.
    4. Enable SNI (Optional)
      If you are using Server Name Indication (SNI) to serve multiple domains from a single IP address, enable SNI scanning for the scan (limited to max 10 ports per server).
      Note: An SNI scan may not have IP information as part of the results.
    5. Sensor
      Choose the sensor you want to use for the scan. You will only see the sensors assigned to the division you selected.
      Note: If you are not using divisions in your account, you will see the sensors assigned to your organization.
    6. IP/FQDN to scan
      Include FQDNs and IP addresses:
      Enter the FQDNs and IP addresses you want to include in the scan and select Include. You can include single IP addresses (10.0.0.1), a range of IP addresses (10.0.0.1-10.0.0.255), or an IP range in CIDR format (10.0.0.0/24).
      Exclude FQDNs and IP addresses:
      Enter the IP address you want to exclude from a range of IP addresses and select Exclude. You can exclude a single IP address (10.0.0.1), a range of IP addresses (10.0.0.1-10.0.0.255), or an IP range in CIDR format (10.0.0.0/24).
    7. In the scan list, find the domains and subdomains you want to include or exclude from the scan. Then, select the appropriate link in the Actions column.
      Include all subdomains – Includes all subdomains of the domain to the scan.
      Exclude all subdomains – Excludes all subdomains of the domain from the scan.
      Add subdomains or Edit subdomains – Choose from the available subdomains that you want to include or exclude from scanning.
      Delete – Deletes the IP/FQDN from the scan list.
    8. When you are finished, select Next.

Notes on using subdomains:

  • You can always add subdomains of any level to a scan.
  • The system only displays a single subdomain that is one level lower than the domain.
  • Only publicly listed subdomains are available for selection. For example, you can only add subdomains to the scan that are available on the public DNS server or CT logged.

  1. When to scan

    Configure your scan to run now or schedule it.

    To set a limit for how long an unfinished scan should run before you stop it, select Stop if scan time exceeds and select a maximum run time.

  1. Settings: Scan options

    The optimized scan provides basic SSL/TLS certificate and server information along with any discovered critical TLS/SSL server issues. (Heartbleed, Poodle [SSLv3], FREAK, Logjam, DROWN, RC4, POODLE [TLS], Cross-site scripting, SQL injection, Cross-domain policy, and CSRF).

    Choose what to scan

    Customize the information included in your scan results.

    • Scan for configured cipher suites: Discover the cipher suites and TLS/SSL protocols configured on your server to establish secure client-server communication during the TLS/SSL handshake.
    • Enable SSLv2, SSLv3, TLSv1.0 and TLSv1.1: Enable these TLS/SSL protocols available for use in handshaking.
    • Update host IP addresses with every scan: Update the host's IP addresses each time you scan if the host's IP addresses change frequently.
      You can also select the OS and Server Application options for updated information about:
      • Operating system
      • Server type
      • Server application
      • Application version
    • Enable SSH key discovery: Discover the SSH keys configured on your server. The scan identifies the SSH key fingerprints, algorithms, and methods of authenticating SSH keys configured for your server on the SSH enabled port (default port 22).
      For more information about SSH keys, see SSH keys.
    • Scan for critical TLS/SSL server issues only (faster): Discover only critical TLS/SSL server issues such as Heartbleed, Poodle (SSLv3), FREAK, Logjam, DROWN, RC4, POODLE (TLS), Cross-site scripting, SQL injection, Cross-domain policy, and CSRF.
    • Choose what TLS / SSL server issues to scan for: Customize your scan by specifying which TLS/SSL server issues (critical and/or non-critical) you want to scan, such as POODLE, BEAST, SWEET32, etc.

Adding more scan options increases the scan’s impact on network resources, resulting in a longer scan time.

  1. Advanced settings: Scan performance

    Use the Scan performance options below to configure how quickly the scan is completed or to limit the impact of scans on network resources:

    • Aggressive scans
      Have a higher impact on network resources. Send out a large number of scan packets to the network. Discovery caps how many packets are sent to prevent an unintended number of packets from being sent.
      Note: Using the aggressive setting may set off false alarms on Intrusion Detection System (IDS) or Intrusion Prevention System (IPS).
    • Slow scans
      Limit the impact of the scan on network resources and reduce the number of IDS or IPS false alarms. Send a few scan packets at a time and wait for a response before sending more packets.

  1. Advanced settings: Add tags to the scan

    Use this option to add tags to your scan. The tags apply to all certificates found during network scanning. Use this to identify and manage the certificates configured on your network or any other network you manage.

  1. Advanced settings: More settings

    Reduce firewall alarms by restricting TLS/SSL server checks

    Use this option with the understanding that it may limit the effectiveness of your scan, as it may result in missed TLS/SSL server issues.

    To identify TLS/SSL server issues (for example, Heartbleed), scans sometimes emulate a TLS/SSL server issue to make sure the server is secure. Such emulations might trigger false firewall alarms on your network. To avoid such alarms, you can restrict the TLS/SSL server checks.

    Specify ports to scan to verify host availability

    The ports you specify here are only used to verify the host availability.

    The first step in the scan process pings the host to verify its availability.
    If Internet Control Message Protocol (ICMP) pings are disabled on a host, use this setting to specify the ports that can be scanned to verify host availability. The fewer ports specified, the faster your scan.

    Enable port debugging

    Use this option to log and collect data on firewalled and closed ports.

  1. Save and schedule/Save and run

    When you are done, you will need to save your scan.

    • If you are running it now, select Save and run.
    • If you scheduled the scan, select Save and schedule.

What's Next

Your scan will run now or as scheduled. Scan completion time depends on network size and the scan performance settings selected during set up.

If a scan triggers a false alarm in intrusion detection systems (IDS) or intrusion protection systems (IPS), make sure to allowlist the scans in your IDS/IPS utilities.

Also, configure your scan to run Slow. Slower scans are less likely to trigger false alarms. You may also need to allowlist the sensor from your firewall to allow communication to digicert.com.

To manage your scans, go to the Manage scans page (in the sidebar menu, select Discovery > Manage Discovery).

To view scan details or to modify scan settings, go to the scan's details page (on the Manage scans page, select the scan name).

  • On the Discovery location and Scan settings tabs, view or modify scan settings.
  • On the Scan activity tab, view current and past scan details such as start time, duration, scan status, and actions.
    • To view scanned certificate details, select View certificates.
    • To get the information about firewalled and closed ports, select Download debug report.
    • To view discovered key details, select View keys.

About

DigiCert is the world's leading provider of scalable TLS/SSL, IoT and PKI solutions for identity and encryption. The most innovative companies, including 89% of the Fortune 500 and 97 of the 100 top global banks, choose DigiCert for its expertise in identity and encryption for web servers and Internet of Things devices. DigiCert supports TLS and other digital certificates for PKI deployments at any scale through its certificate lifecycle management solution, CertCentral®. The company is recognized for its enterprise-grade certificate management platform, fast and knowledgeable customer support, and market-leading security solutions. For the latest DigiCert news and updates, visit digicert.com or follow @digicert.

©2020 DigiCert, Inc. All rights reserved. DigiCert, its logo and CertCentral are registered trademarks of DigiCert, Inc. Norton and the Checkmark Logo are trademarks of NortonLifeLock Inc. used under license. Other names may be trademarks of their respective owners.