Skip to main content

Enable cloud scans

Before you begin

  • The DigiCert​​®​​ Trust Lifecycle Manager Cloud Discovery feature must be enabled for your account in DigiCert® Account Manager. Contact your DigiCert account representative to verify or enable this feature.

  • To configure cloud scans, you need the Manager user role for Trust Lifecycle Manager or a custom role with the Network scans Manage permission. To learn more, see Users and access.

  • Gather needed information:

    • The business unit to assign the network scan to (only users assigned to this business unit can manage the scan).

    • The FQDNs and/or IP addresses you want to scan.

    • Whether you are using Server Name Indication (SNI) to serve multiple domains from a single IP address.

Scan Configuration

Step 1: General Information

On the General information page, configure the basic properties for the new scan:

  1. In the Trust Lifecycle Manager account, in the left main menu, go to Discovery & automation > Network scans.

  2. On the Network scans page, select Add scan.

  3. On the General information page, configure the following basic properties for the new scan:

    • Scan name: Enter a descriptive name for the scan.

    • Business unit: Select the business unit this scan belongs to.

    • Scan type: Select Cloud scan. This option is used to scan IP addresses/FQDNs of public facing TSL/SSL certificate, regardless of issuing certificate authority(CA).

      참고

      The Sensor scan option is an sensor-based scanning system that is used to scan private Ips/FQDNs. To add or manage a sensor, see Network scans.

  4. Select Next.

Step 2: Scan targets

This section allows you to specify the target resources you want to scan using Cloud scan. Cloud scan checks only port 443, which is commonly used for HTTPS traffic.

  1. IP addresses/FQDNs: Define scan targets by entering individual IP addresses, Fully Qualified Domain Names (FQDNs), or IP ranges using CIDR notation. Alternatively, you can use the import from CSV option to upload a list of targets. Once added, the selected targets appear in the Include panel (right side), where they can be reviewed, modified, or removed before proceeding.

    The left panel is the exclude panel, and the right panel is the Include panel. Manually enter IP addresses or FQDNs in the exclude panel and use the Include button to move individual entries to the Include panel.

    You can also exclude specific IP addresses or FQDNs from the scan. Use the action controls to move entries between the Include and Exclude panels or to delete them entirely.

  2. Select Next to continue with the configuration process.

중요

Private IP addresses and wildcard domains are not supported in Cloud Scan. If these are included in the uploaded CSV, they are automatically excluded, and you will receive an alert.

Step 3: Scan options

This is an optional section. It allows you to enhance and organize your cloud scan results in Trust Lifecycle Manager.

  1. Select the Enable deep scan checkbox to include additional data such as cipher suites, HTTP headers, and extended TLS/SSL protocol details, which may increase scan duration.

  2. Select the Business unit from where you want the scan to happen.

  3. Select the certificate assignment rules to automatically tag and organize discovered certificates based on predefined criteria.

  4. Select Next to continue with the configuration process.

Step 4: Schedule

On the Schedule page, configure when to run the scan. The available options are:

  • Run now: Select this option if you want to execute the scan immediately.

  • Schedule for later: Select this option if you want to schedule the scan. When scheduling, use the time picker to define scan time, Frequency (Once, Weekly, and Monthly), and Timezone preferences.

Step 5: Save and run

Once the above configuration steps are completed, select Save and run to start the scan immediately. You can monitor the scan status on the Network scans page.

What’s next

Your scan will run as configured. Completion time depends on the number of targets and network responsiveness.

After completion:

  • Once the scan run is complete, the result appears in the Network scans page. This includes the scan type name, business unit associated with the scan, the frequency scheduled for the scan, the current and last scan statuses, and the discovered assets.

  • Certificates found through the scan are added to your Inventory and included in your Dashboard.

  • Results are cached for up to 8 hours to optimize performance. After 8 hours, scan data expires and is no longer available in the UI.

    For example: If you perform a scan at 10:00 AM, the results will remain accessible in the UI until 6:00 PM. After 6:00 PM, the scan data will expire, and you’ll need to run a new scan to view updated results.

이 섹션의 내용: