Quick start: Set up a cloud scan
Cloud scans use DigiCert’s hosted infrastructure to discover publicly accessible TLS/SSL certificates across your external-facing domains and IP addresses without the need for a sensor, helping you build a complete inventory of internet-exposed certificates in DigiCert® Trust Lifecycle Manager.
This quick start guide shows you how to create and run a cloud scan, and then review the discovered certificates in your inventory.
Objectives
Create a cloud scan to discover certificates on public domains and IP addresses.
Configure scan targets and ports, then run the scan.
Review scan results and view the certificates in your inventory.
Before you begin
The Cloud Discovery feature must be enabled for your account. For help verifying or enabling this feature, contact your DigiCert account representative.
To configure cloud scans, you need the Manager user role for Trust Lifecycle Manager.
Gather needed information for configuring the scan:
Scan targets (public FQDNs or IP addresses) to scan.
The business unit to use for managing the discovered certificates and the scan itself.
To automatically assign metadata (tags and owners) to discovered certificates, configure metadata assignment rules to use with the scan.
Set up a cloud scan
Start by creating the scan and configuring basic properties for it.
In the Trust Lifecycle Manager menu, go to Discovery & automation tools > Network scans.
On the Network scans page, select Add scan.
On the General information screen, configure the following basic scan properties:
Scan name: Name your scan so you can identify it.
Business unit: Select the scan’s business unit. Only users assigned to this business unit can manage the scan.
Scan type: Select Cloud scan.
Select Next.
On the Scan targets screen, define which targets to include or exclude. Cloud scans check only port 443, which is commonly used for HTTPS traffic.
Under IP addresses/FQDNs, add targets to include and exclude:
Include FQDNs and IP addresses: Enter targets and select Include. You can include a single IP address (8.8.8.8), a range (8.8.8.1-8.8.8.254), or a CIDR block (8.8.8.0/24).
Exclude FQDNs and IP addresses: Enter targets and select Exclude. You can exclude a single IP address, a range, or a CIDR block.
Optionally, import targets from a CSV file to include or exclude IP addresses and FQDNs.
Important
Private IP addresses and wildcard domains are not supported in cloud scans. If these are included in the uploaded CSV, they are automatically excluded, and you will receive an alert.
Select Next.
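To sanity-check a target list before entering or uploading it, here is an added Python example (not DigiCert's code) that expands the include/exclude syntax described above (single IP, dashed range, CIDR block, FQDN), drops private IP addresses and wildcard domains the way the cloud scan does, and reports what would actually be scanned. The sample lists and the FQDN_RE hostname pattern are assumptions for illustration.

```python
import ipaddress
import re

# Assumed hostname check: dot-separated labels of letters, digits and hyphens.
FQDN_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$", re.I)

def expand_target(entry):
    """Return (items, reason): addresses/FQDN the entry covers, or an empty set and why it is dropped."""
    entry = entry.strip()
    if entry.startswith("*."):
        return set(), "wildcard domains are not supported"
    try:
        if "/" in entry:                                   # CIDR block, e.g. 8.8.8.0/24
            net = ipaddress.ip_network(entry, strict=False)
            lo, hi = net[0], net[-1]
        elif "-" in entry:                                 # range, e.g. 8.8.8.1-8.8.8.254
            lo, hi = (ipaddress.ip_address(p) for p in entry.split("-", 1))
        else:                                              # single IP address, e.g. 8.8.8.8
            lo = hi = ipaddress.ip_address(entry)
    except ValueError:                                     # not an IP form: treat as FQDN
        if FQDN_RE.match(entry):
            return {entry.lower()}, None
        return set(), "malformed target"
    if lo.version != hi.version or lo > hi:
        return set(), "malformed IP range"
    if lo.is_private or hi.is_private:                     # cloud scans drop private space
        return set(), "private IP addresses are not supported"
    return {str(ipaddress.ip_address(i)) for i in range(int(lo), int(hi) + 1)}, None

def effective_targets(includes, excludes):
    """Apply excludes to includes; collect entries the scan would drop and alert on."""
    targets, rejected = set(), []
    for entries, op in ((includes, set.update), (excludes, set.difference_update)):
        for entry in entries:
            items, reason = expand_target(entry)
            op(targets, items)
            if reason:
                rejected.append((entry, reason))
    return targets, rejected

# Constructed sample input (not from the page); 8.8.8.0/24 is the guide's own example.
SAMPLE_INCLUDE = ["8.8.8.0/24", "8.8.4.1-8.8.4.3", "www.example.com", "10.0.0.5", "*.example.com"]
SAMPLE_EXCLUDE = ["8.8.8.8", "8.8.4.2"]

if __name__ == "__main__":
    targets, rejected = effective_targets(SAMPLE_INCLUDE, SAMPLE_EXCLUDE)
    print(f"{len(targets)} targets after exclusions; dropped: {rejected}")
```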
On the Scan options screen, select what information the scan collects and how it assigns metadata to discovered certificates.
Select the Enable deep scan checkbox to include additional data such as cipher suites, HTTP headers, and extended TLS/SSL protocol details, which may increase scan duration.
Business unit: (Optional) Assign a business unit to the discovered certificates. If selected, only admins in that business unit can manage the certificates.
Certificate assignment rules: (Optional) Select rules to automatically assign metadata (tags and owners) to the discovered certificates. This helps identify and manage the certificates in inventory.
Select Next.
On the Schedule screen, choose whether to run the scan now or schedule it for later:
Select one of the following options:
To finalize the scan, select one of the following:
What’s next
Your scan runs now or as scheduled. Scan completion time depends on network size and the scan performance settings selected during setup.
Certificates found through the scan are added to Inventory > Certificates and included in your dashboard.
When the scan run is complete, results appear in the scan listing on the Discovery & automation tools > Network scans page. Select the links in the Scan results column to view the discovered certificates.
Results are cached for up to 8 hours to optimize performance. After 8 hours, scan data expires and is no longer available in the UI.