Discovery overview and architecture
Trust Architecture Playbook: Baseline pillar
Why discovery matters now
Certificate outages are almost always a visibility problem. When teams don't have a complete, accurate picture of every certificate in their environment (what it is, where it lives, and who owns it), renewals get missed, notifications go to the wrong people, and expiration sneaks up on even experienced teams. The gap between "we have certificates" and "we know the state of every certificate" is where outages are born.
Discovery is where that changes. Before you can automate, or enforce policy, or even respond to an incident with confidence, you need to know what you have. A comprehensive discovery strategy provides that foundation: a live, authoritative inventory that maps every certificate to its deployment context and owner means the right people get alerted at the right time, with enough runway to act.
And the urgency is only increasing. The CA/Browser Forum is reducing the maximum validity for public TLS certificates on a defined schedule. This means renewals will happen more frequently, and you need to be prepared. Organizations that rely on manual tracking, spreadsheets, and calendar reminders will feel the compression immediately. Automation is the only practical path to staying compliant, reducing risk, and keeping your security team focused on higher-value work, and that begins with discovery.
Even for organizations without a heavy reliance on public-trust TLS certificates today, discovery and inventory are prerequisites for effective management of internal mTLS, service identity, and secure-by-default platform patterns, as well as post-quantum cryptography (PQC) efforts.
Discovery architecture for Trust Lifecycle Manager
In a SaaS certificate lifecycle management model, the intelligence lives in the cloud, but the work still happens on the client side of the network. The management plane is hosted and maintained by DigiCert, while within your environment you deploy lightweight components, each designed to meet a specific goal:
Sensors handle connector execution and internal network-level discovery (for example, scanning your infrastructure to surface certificates).
Agents go deeper, operating at the host level to enable automated renewal, deployment, and real-time status reporting directly from the systems that hold the certificates.
Together, sensors and agents inform Trust Lifecycle Manager about what is present and running in your environment.
This architecture keeps the operational overhead low while providing the visibility and automation reach that centralized certificate lifecycle management requires. Cloud simplicity without sacrificing the depth of coverage your environment demands.
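To make the discovery-to-inventory step concrete, here is an added example (not DigiCert or Trust Lifecycle Manager code) of what a sensor-style network discovery pass and the resulting inventory logic look like in plain Python: a handshake collector that fingerprints every certificate it sees, including ones issued by an internal CA it does not trust, and an inventory builder that collapses duplicates by fingerprint, maps each certificate to an owning team, and flags what falls inside the renewal runway. The owner map, fingerprints, hosts and sample records are constructed for illustration.

```python
"""Added example (not DigiCert or Trust Lifecycle Manager code): a minimal
network-level discovery pass plus the inventory logic that maps each discovered
certificate to deployment locations, an owner and a renewal deadline.
The owner map, fingerprints and sample records below are constructed."""
import hashlib
import socket
import ssl
from datetime import datetime, timedelta, timezone


def scan_endpoint(host, port=443, timeout=5.0):
    """Handshake with host:port and return one discovery record.

    A validating context is tried first so the parsed fields are available.
    If the chain is not trusted by the scanner (typical for an internal CA),
    fall back to an unvalidated handshake so the certificate is at least
    fingerprinted and inventoried rather than silently skipped."""
    record = {"host": host, "port": port, "validated": False}
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                der = tls.getpeercert(binary_form=True)
        expiry = ssl.cert_time_to_seconds(cert["notAfter"])
        record.update(
            validated=True,
            subject=dict(rdn[0] for rdn in cert["subject"]),
            sans=[v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
            not_after=datetime.fromtimestamp(expiry, tz=timezone.utc),
        )
    except ssl.SSLCertVerificationError:
        ctx.check_hostname = False      # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
    record["sha256"] = hashlib.sha256(der).hexdigest()
    return record


# Constructed ownership map (assumption): DNS suffix -> accountable team.
OWNERS = {
    ".payments.example.internal": "payments-platform",
    ".example.com": "web-edge",
}


def assign_owner(record, owners=OWNERS):
    """Map a record to a team by its CN and DNS SANs; unmatched names surface
    as 'unassigned' so someone is forced to claim them."""
    names = [record.get("subject", {}).get("commonName", "")] + list(record.get("sans", []))
    for name in names:
        for suffix, team in owners.items():
            if name.endswith(suffix):
                return team
    return "unassigned"


def build_inventory(records, now, runway_days=30):
    """Collapse records by certificate fingerprint: one certificate deployed on
    several hosts is one renewal event with several deployment locations."""
    inventory = {}
    for rec in records:
        entry = inventory.setdefault(rec["sha256"], {
            "owner": assign_owner(rec), "locations": [], "status": "unparsed", "days_left": None,
        })
        entry["locations"].append(f"{rec['host']}:{rec['port']}")
        if rec.get("not_after") is not None:
            days = (rec["not_after"] - now).days
            entry["days_left"] = days
            entry["status"] = "expired" if days < 0 else "renew-now" if days <= runway_days else "ok"
    return inventory


def renewal_queue(inventory):
    """Return (owner, fingerprint, days_left) for everything inside its runway,
    soonest first: the worklist the responsible team should be alerted with."""
    due = [(e["owner"], fp, e["days_left"]) for fp, e in inventory.items()
           if e["status"] in ("expired", "renew-now")]
    return sorted(due, key=lambda item: item[2])


# Constructed sample records, shaped as scan_endpoint returns them (no network needed).
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
FP_EDGE, FP_INTERNAL, FP_PAY = "aa" * 32, "bb" * 32, "cc" * 32
SAMPLE_RECORDS = [
    {"host": "10.0.1.10", "port": 443, "validated": True, "sha256": FP_EDGE,
     "subject": {"commonName": "shop.example.com"}, "sans": ["shop.example.com", "www.example.com"],
     "not_after": NOW + timedelta(days=12)},
    {"host": "10.0.1.11", "port": 443, "validated": True, "sha256": FP_EDGE,  # same cert, second node
     "subject": {"commonName": "shop.example.com"}, "sans": ["shop.example.com", "www.example.com"],
     "not_after": NOW + timedelta(days=12)},
    {"host": "10.0.5.20", "port": 8443, "validated": False, "sha256": FP_INTERNAL},  # internal CA, unparsed
    {"host": "10.0.2.5", "port": 443, "validated": True, "sha256": FP_PAY,
     "subject": {"commonName": "api.payments.example.internal"},
     "sans": ["api.payments.example.internal"], "not_after": NOW + timedelta(days=200)},
]

if __name__ == "__main__":
    inv = build_inventory(SAMPLE_RECORDS, NOW)
    for owner, fp, days in renewal_queue(inv):
        print(f"{owner:20} {fp[:16]}... {days:4d} days left, deployed on {inv[fp]['locations']}")
```

Two design points are worth noting. Keying the inventory on the certificate fingerprint rather than on the host is what turns a list of scan hits into a renewal worklist: the edge certificate above appears on two load-balancer nodes but is one renewal with two deployment targets that must both be updated. And the unvalidated fallback in the scanner exists so that internal-CA certificates land in the inventory as "unparsed, unassigned" items rather than disappearing; those are exactly the ones a host-level agent or a configured internal CA connector would later fill in.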
Important
Security control
Because sensors and agents operate as privileged infrastructure, use least-privilege service accounts, access control lists, and controlled egress as appropriate to your security model and requirements.