Skip to main content

Enable network scans

Before you begin

  • The DigiCert​​®​​ Trust Lifecycle Manager Network Discovery feature must be enabled for your account in DigiCert® Account Manager. Contact your DigiCert account representative to verify or enable this feature.

  • To configure network scans, you need the Manager user role for DigiCert​​®​​ Trust Lifecycle Manager or a custom user role that includes the Network scans "Manage" permission. To learn more, see Users and access.

  • You need an active DigiCert sensor with visibility of the scan targets on your network. See Deploy and manage sensors.

  • Gather needed information:

    • The name of the sensor to use.

    • The business unit to assign the network scan to (only users assigned to this business unit can manage the scan).

    • The ports you want to scan.

    • The FQDNs and/or IP addresses you want to scan.

    • Whether you are using Server Name Indication (SNI) to serve multiple domains from a single IP address.

Set up a scan

  1. In the Trust Lifecycle Manager main menu, select Discovery & automation tools > Network scans.

  2. On the Network scans page, select Add scan.

    Work through each page of settings and enter your selections, as described below.

    Select Next to move to the next page or Back to move to the previous page.

  3. On the General information page, configure the basic properties for the new scan:

    • Scan name: Name your scan so you can easily identify it (names become more important when you have multiple scans).

    • Business unit: Choose the network scan’s business unit. Only users assigned to this business unit can manage the scan.

    • Sensor: Choose the DigiCert sensor to use for the scan. The sensor must be active and have visibility of the network segments to scan.

  4. On the Scan targets page, provide the information about the targets to scan:

    • Port numbers: Specify the ports you want to scan for TLS/SSL certificates:

      • All to include all ports in a specified range.

      • Default to include ports commonly used for SSL/TLS certificates: 110, 143, 389, 443, 465, 636, 3389, 8443.

      • Custom to include ports of your choice.

    • Server Name Indication (SNI): If you are using SNI to serve multiple domains from a single IP address, enable SNI for the scan (limited to max 10 ports per server). An SNI scan may not have IP information as part of the results.

    • TDS protocol scanning: Enable this option if you want to discover certificates on Microsoft SQL Server or SAP/Sybase ASE. After enabling it, you can configure the scan to use the Tabular Data Stream (TDS) default port 1433, or select Custom and enter a custom TDS port number to scan.

      Note

      TDS protocol scanning requires sensor version 3.9.5 or later.

    • IP addresses/FQDNs:

      Include FQDNs and IP addresses: Enter the FQDNs and IP addresses you want to include in the scan and select Include. You can include a single IP addresses (10.0.0.1), a range of IP addresses (10.0.0.1-10.0.0.255), or an IP range in CIDR format (10.0.0.0/24).

      Exclude FQDNs and IP addresses: Enter the IP address you want to exclude from a range of IP addresses and select Exclude. You can exclude a single IP address (10.0.0.1), a range of IP addresses (10.0.0.1-10.0.0.255), or an IP range in CIDR format (10.0.0.0/24).

      Alternatively, you can import from a CSV file to include or exclude IP addresses/FQDNs.

      Note

      Make sure the IP addresses/FQDNs added to the scan list are not duplicate entries and are valid. Wildcard domains are not supported.

      Optionally, use the actions in the Included or Excluded lists to make any needed adjustments. Select one or more IPs or FQDNs in each list and then select one of the available actions:

      • Exclude IPs/FQDNs: To move selections from the Included to the Excluded list.

      • Include IPs/FQDNs: To move selections from the Excluded to the Included list.

      • Delete: To delete selections from either list.

  5. On the Scan options page, customize the information to be included in your scan results:

    • Discovery settings:

      Optimize for best performance: The optimized scan provides basic SSL/TLS certificate and server information.

      Choose what to scan: Include custom information in your scan results.

      • Configured cipher suites and TLS/SSL protocols: Discover the cipher suites and TLS/SSL protocols configured on your server for establishing secure client-server communications.

        Note

        Cipher scan in Trust Lifecycle Manager works with sensor version 3.8.60 and later.

      • Handshake TLS/SSL protocols: Check whether the SSLv2, SSLv3, TLSv1.0, and TLSv1.1 protocols are enabled for handshaking.

      • Host IP addresses: Update the host's IP addresses each time you scan. Recommended if the host's IP addresses change frequently.

        You can also select the OS and Server Application options here for updated information about:

        • Operating system

        • Server type

        • Server application

        • Application version

      Note

      Adding more scan options increases the scan’s burden on network resources, resulting in a longer scan time.

      Business unit (optional): Assign a business unit to the discovered certificates.

      Tags (optional): Use this option to add tags to your scan. The tags apply to all certificates found during network scanning. Use this to identify and manage the certificates configured on your network or any other network you manage.

    • Advanced settings:

      Scan performance: Use the performance options below to configure how quickly the scan is completed or to limit the impact of scans on network resources:

      • Aggressive scans place a larger burden on network resources and send out a large number of scan packets to the network. Network scan caps how many packets are sent to prevent an unintended number of packets from being sent.

      Note

      Using the aggressive setting may set off false alarms on Intrusion Detection System (IDS) or Intrusion Prevention System (IPS).

      • Balanced scans have a balanced intensity and speed and is the default scan selected.

      • Slow scans limit the impact of the scan on network resources and reduce the number of IDS or IPS false alarms. They send a few scan packets at a time and wait for a response before sending more packets.

      Additional settings:

      • Specify ports to scan to verify host availability: The ports you specify here are only used to verify host availability. The first step in the scan process pings the host to verify its availability. If Internet Control Message Protocol (ICMP) pings are disabled on a host, use this setting to specify the ports that can be scanned to verify host availability. The fewer ports specified, the faster your scan.

  6. On the Schedule page, configure when to run the scan:

    • Configure your scan to run now or schedule it for later.

    • To set a limit for how long an unfinished scan should run before you stop it, select Stop if scan time exceeds and select a maximum run time.

  7. Save and schedule/Save and run.

    When you are done configuring, save your scan:

    • To run it now, select Save and run.

    • To run it later, select Save and schedule.

    Once the scan starts to run, the status can be tracked in the Network scans page.

What’s next

Your scan runs now or as scheduled. Scan completion time depends on network size and the scan performance settings selected during set up.

Once the scan run is complete, the result appears in the Network scans page. This includes the business unit associated with the scan, the frequency scheduled for the scan, the current and last scan statuses, and the discovered assets.

Certificates found through the scan are added to your Inventory and included in your Dashboard.