
Enable system scans

You configure and manage system scans from the Discovery & automation tools > Agents page in DigiCert® Trust Lifecycle Manager.

You can enable system scans for:

  • A single DigiCert agent.

  • Multiple selected agents in bulk.

  • A pre-configured agent group.

Before you begin

Make sure there is an active DigiCert agent on each host system to scan. See Prerequisites.

Scan configuration options

General system scan options are the same regardless of whether you configure them for a single agent or multiple agents.

What to scan for

Select which cryptographic assets to look for, and where.

  • Operating system certificate store: Look for certificates in the OS truststore.

  • File system: Search the selected assets on the host filesystem.

    • Certificates, public keys, and private keys: Search for all certificate and key files.

    • Archive files and Keystores: Search for certificates and keys in archive files and keystores.

Note

The more assets and locations you select, the longer the scan takes to complete.

Assign and identify assets

(Optional) Configure options to help manage the discovered assets in Trust Lifecycle Manager.

  • Business unit: Assign discovered assets to a specific business unit. Administrators assigned to that business unit can manage the assets.

  • Tags: Apply tags to the discovered assets. Tags help you filter the assets in Trust Lifecycle Manager inventory and set up reports and notifications for them.

Schedule

Select options for when to run the scan.

  • Start now: Run a one-time scan starting now.

  • Schedule for later: Schedule the scan for a later date and/or set up recurring scans at the frequency you select.

Note

The first time you run a scan, it looks for all the cryptographic assets you selected. Use recurring scans to run incremental updates and keep your Trust Lifecycle Manager inventory updated as new cryptographic assets get added to each host system.

Set up a scan

Single agent

To enable system scans for a single DigiCert agent:

  1. Select Discovery & automation tools > Agents from the Trust Lifecycle Manager main menu.

  2. Select the agent for the host system you want to scan.

  3. On the agent details page, open the System scans tab.

  4. Select Configure system scan.

  5. Configure the scan options in the sidebar that appears.

  6. Select Save to finish and enable the scan for the current agent.

Multiple selected agents

To enable system scans for multiple DigiCert agents:

  1. Select Discovery & automation tools > Agents from the Trust Lifecycle Manager main menu.

  2. Select the checkboxes next to the agents for the host systems you want to scan.

  3. Hover over one of the selected agent names, open the Bulk actions dropdown next to it, and select System scan > Configure.

  4. Configure the scan options in the sidebar that appears.

  5. Select Save to finish and enable the scan for the selected agents.

Agent groups

To configure a system scan for a group of DigiCert agents, first configure the agent group. Refer to Agent groups for more details.

To enable system scans for all agents in an agent group:

  1. Select Discovery & automation tools > Agents from the Trust Lifecycle Manager main menu.

  2. In the More actions dropdown above the agents table, select the option to Configure system scan for agent groups.

  3. Select one or more agent groups from the Agent groups dropdown in the sidebar that appears. The scan will be enabled for all agents in all agent groups you select.

  4. Configure the general scan options in the sidebar.

  5. Select Save to finish and enable the scan for the selected agent groups.

View scan details

To verify the current scan configuration and see upcoming and past scans for an agent:

  1. Select Discovery & automation tools > Agents from the Trust Lifecycle Manager main menu.

  2. Select the agent for the host system you want to view scan details for.

  3. On the agent details page, open the System scans tab.

Global system scan blocklist

Use the system scan blocklist settings to specify absolute paths of files, folders, or complete disk drives to exclude from system scanning for all Linux or Windows agents. To manage the blocklist:

  1. From the Trust Lifecycle Manager main menu, select Account > Settings > System scan.

  2. To add paths to the blocklist:

    1. Enter comma-separated absolute paths in the Paths window on the left. You can enter a mix of Windows and Linux paths.

    2. Select the Add to blocklist button to add the paths you entered to the current blocklist.

  3. To remove paths from the current blocklist on the right:

    • To remove a single path from the blocklist, open the actions (three dots) menu for it and select Delete.

    • To bulk remove multiple paths from the blocklist, use the checkboxes to select the applicable paths, then open the Bulk actions dropdown for one of them and select Delete.

    • To remove all paths from the blocklist, select the Remove all link above the blocklist table.

  4. Select Save to apply the new settings. Paths in the saved blocklist will be skipped for all subsequent system scan runs by any DigiCert agent.

Usage notes:

  • Use the Reset function to reset the system scan blocklist to the default paths for Windows and Linux agents.

  • To download the current blocklist as a CSV file, select the Export link above it.
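The following is an added example, not DigiCert's code and not the agent's actual matching logic: a small Python helper that validates a comma-separated blocklist entry the way the Paths window expects it (absolute Windows or Linux paths only) and checks whether a discovered file path would fall under the saved blocklist. It assumes that a blocklisted folder or drive excludes everything beneath it and that Windows paths match case-insensitively; the sample entry is constructed.

```python
import re
from typing import List, Tuple

# Constructed sample entry, in the comma-separated form the Paths window
# accepts (a mix of Windows and Linux absolute paths).
SAMPLE_ENTRY = r"C:\Windows\Temp, /var/cache/apt, D:\, /proc"

# A Windows absolute path starts with a drive letter, a colon and a backslash.
WIN_ABS = re.compile(r"^[A-Za-z]:\\")


def parse_blocklist(entry: str) -> Tuple[List[str], List[str]]:
    """Split a comma-separated entry into (accepted, rejected) paths.

    A path is accepted only if it is absolute: a Windows drive path such as
    C:\\... or a Linux path starting with '/'. Relative paths are rejected
    so they can be corrected before the entry is added to the blocklist.
    """
    accepted, rejected = [], []
    for raw in entry.split(","):
        path = raw.strip()
        if not path:
            continue  # ignore empty fields such as a trailing comma
        if WIN_ABS.match(path) or path.startswith("/"):
            accepted.append(path)
        else:
            rejected.append(path)
    return accepted, rejected


def _normalize(path: str) -> Tuple[str, str, str]:
    """Return (os_family, separator, comparable form) for prefix matching."""
    if WIN_ABS.match(path):
        # Windows file names are case-insensitive; compare a lowercase form.
        return "windows", "\\", path.lower().rstrip("\\")
    return "linux", "/", path.rstrip("/") or "/"


def is_blocklisted(candidate: str, blocklist: List[str]) -> bool:
    """Assumption (not from the product docs): a blocklisted folder or drive
    excludes everything beneath it, and a blocklisted file excludes itself."""
    fam, sep, cand = _normalize(candidate)
    for entry in blocklist:
        efam, _, base = _normalize(entry)
        if efam != fam:
            continue  # a Linux entry never matches a Windows path, and vice versa
        prefix = base if base.endswith(sep) else base + sep
        if cand == base or cand.startswith(prefix):
            return True
    return False
```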

What’s next

  • Manage system scans to make changes to existing scans, such as editing, canceling, rescheduling, or suspending/resuming them.

  • When the scans finish running, view the scan results in Trust Lifecycle Manager to see the cryptographic assets and security issues discovered by your DigiCert agents.