View scan details and results
To see details and results for existing network scans, select the scan by name from the Discovery & automation tools > Network scans page in DigiCert® Trust Lifecycle Manager.
Scan details
Verify the scan details in the following information sections.
Scan details section | Description |
|---|---|
Scan results | The number of discovered assets. Select the links to view the assets in your inventory. |
Scan activity | Details about current, past, and upcoming scans including the start time, duration, and status of each. |
General information | General configuration settings for the scan. |
Scan targets | The network targets for the scan. |
Scan options | Scan options including performance settings and tags for discovered assets. |
Schedule | The schedule for running the scan. |
Scan results
In the Scan results section of the scan details:
View the findings for completed scans, including discovered certificates, unsecured ports, and any trust chain issues.
To investigate further, select the discovered counts to load and manage the applicable records from the Inventory page.
Your account dashboard also includes data about cryptographic assets and security ratings discovered through network scans.
What data is collected?
For each discovered certificate, Trust Lifecycle Manager collects non-sensitive TLS settings and certificate properties that are accessible during a standard TLS/SSL handshake, plus deployment information about where the certificate is installed. This includes:
TLS settings
TLS protocols
Cipher suites
Handshake information
Security headers
Certificate properties
Certificate subject and issuer details
CA chain information
Key algorithm and length
Signature algorithm
Validity period
Subject Alternative Names (SANs)
Certificate identifiers and extensions (serial number, thumbprint, key usage, EKU)
Deployment information
IP address and port number
Host name and operating system
Application version (for example, web server or load balancer type)
How does the data get added to your inventory?
Endpoints
During a network scan, Trust Lifecycle Manager adds records to the Inventory > Endpoints table based on the scan target:
IP/port:
If it finds a TLS certificate on the IP/port, Trust Lifecycle Manager adds a record of that certificate instance.
The Location value for the endpoint record has the format
{ IP address : Port }.
FQDN/port:
SNI enabled (all ports): If it finds a certificate on the FQDN/port, Trust Lifecycle Manager adds a record for it with Location value
{ FQDN : Port }.SNI disabled (port 443): If it finds a certificate on port 443, Trust Lifecycle Manager adds a record with Location value
{ FQDN : 443 }. For all other ports, Trust Lifecycle Manager does not scan the FQDN when SNI is disabled.TDS protocol scanning enabled (TDS port): If it finds a certificate on the TDS port (default 1433), Trust Lifecycle Manager adds a record with Location value
{ FQDN : TDS port }.All FQDN scans: When scanning an FQDN target, Trust Lifecycle Manager always performs a domain lookup to find any IP addresses associated with that FQDN. It scans those IP addresses, and adds a separate endpoint record with Location value
{ IP address : Port }for each IP address where it finds a TLS certificate.
Certificates
Trust Lifecycle Manager also adds a record to Inventory > Certificates for each certificate it finds:
For each certificate, it adds a single record, regardless of the number of endpoints where it's present.
The Common name column in the table shows the certificate common name.
The Instances column lists the total number of endpoint instances where Trust Lifecycle Manager found that certificate.
View the discovery data in inventory
To see the details collected in a network scan, select each certificate or endpoint record from the Inventory page.
Identify records added by the scan
Use the following column filters to help identify records added by a network scan, in either the Inventory > Certificates or Inventory > Endpoints tables. If a column is not present, use the Add Column button on the top-right of the table to add it.
Filter | Description |
|---|---|
Source | Select |
Business unit | If you applied a specific business unit to the scan, you can filter by that business unit. |
Tags | If you used an assignment rule to apply tags to the scan results, you can filter by those tags. |
Endpoint details
From the Inventory > Endpoints table, select a certificate deployment location to see discovery data under the following details tabs.
Details tab | Description |
|---|---|
General information | Shows all deployment information found through the network scan. |
Certificate details
From the Inventory > Certificates table, select a discovered certificate by common name to see discovery data under the following details tabs.
Details tab | Description |
|---|---|
Certificate | Shows all certificate properties found through the network scan. |
Security | Shows the security rating that Trust Lifecycle Manager assigned to the certificate based on the data it collected. Select the link to view detailed information about how the security rating was calculated. |
Instances | Shows all the deployed instances of the certificate Trust Lifecycle Manager found. Select the links here to view the Endpoint details for each instance. |
Delete discovery data
You can delete discovery data from your account at any time, using one of the following methods. Select the links for more details about each:
Use the Inventory management functions to delete discovered assets individually or in bulk.
Use Account > Settings > Discovery to delete all discovery data by asset type from your account.
When you delete a discovered asset: