Define discovery scope and sources of truth
Trust Architecture Playbook: Baseline pillar
Recommended initial scope
Trying to boil the ocean upfront is one of the fastest ways to stall a program before it delivers value, so not everything needs to be, or should be, in scope on day one. Start with what matters most and expand from there.
Primary focus
Your primary focus should be X.509 TLS certificates, both public and private, internal and external. These are the certificates most likely to cause an outage if they expire unnoticed, and the most likely to be subject to the validity reduction timeline bearing down on the industry. Prioritize discovery across infrastructure that serves traffic/workloads:
Network appliances / Load balancers
Ingress controllers
Web servers
Expand your scope
Once there's a solid discovery foundation, expand your scope where it's feasible:
Pulling in certificates and keys stored in vaults and keystores gives you the completeness you'll need when it's time to plan for automation or post-quantum cryptography (PQC).
Client and mTLS certificates surfaced through system scans and connectors add depth to your inventory.
Think of it as building a map: start with the main roads, then fill in the side streets.
Practical source-of-truth hierarchy
When pulling certificate data from multiple sources, you will get conflicting results. That is not a failure of the process but an expected byproduct of comprehensive discovery. The key is having a defined hierarchy, so your team isn't wasting time debating which source to trust.
Establish a consistent precedence order and apply it uniformly. A reliable starting point is to trust issuing CA records first, followed by platform connectors, network scans, system scans, and CT monitoring as a final layer. Higher-fidelity sources rank higher — a connector talking directly to a platform knows more than a network scanner inferring from a handshake. That ordering cuts through the noise and keeps triage fast when something needs immediate attention.
Tip
Best practice
Do not depend on any single discovery method; require coverage from at least two complementary sources.
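As an added example (not part of the playbook or any vendor tool), the merge routine below applies the precedence order above to observations of the same certificate from several discovery sources, records which lower-ranked sources disagree with the chosen source of truth, and flags certificates seen by fewer than two sources. The source names, record fields, fingerprints and sample observations are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Precedence from the playbook: the lowest rank wins when sources disagree.
PRECEDENCE = {
    "issuing_ca": 0,
    "platform_connector": 1,
    "network_scan": 2,
    "system_scan": 3,
    "ct_monitor": 4,
}


@dataclass(frozen=True)
class Observation:
    source: str            # one of the PRECEDENCE keys
    fingerprint: str       # certificate fingerprint; constructed placeholders below
    not_after: str         # expiry as reported by this source (ISO date)
    subject: str
    locations: tuple = ()  # endpoints or file paths where this source saw the cert


def merge(observations):
    """Collapse observations into one record per fingerprint using PRECEDENCE."""
    by_fp = {}
    for obs in observations:
        if obs.source not in PRECEDENCE:
            raise ValueError(f"unknown discovery source: {obs.source}")
        by_fp.setdefault(obs.fingerprint, []).append(obs)
    records = {}
    for fp, group in by_fp.items():
        authority = min(group, key=lambda o: PRECEDENCE[o.source])
        truth = (authority.not_after, authority.subject)
        sources = {o.source for o in group}
        records[fp] = {
            "subject": authority.subject,
            "not_after": authority.not_after,
            "source_of_truth": authority.source,
            "sources": sources,
            # Union of locations: lower-ranked sources still add where the cert lives.
            "locations": sorted({loc for o in group for loc in o.locations}),
            "disagreeing_sources": sorted(
                o.source for o in group if (o.not_after, o.subject) != truth),
            "single_source": len(sources) < 2,  # violates the two-source best practice
        }
    return records


# Constructed sample: the scanner reports expiry one day early; the CA record wins.
SAMPLE = [
    Observation("network_scan", "sha256:0a1b", "2025-11-30", "CN=app.example.test",
                ("lb-1.example.test:443",)),
    Observation("issuing_ca", "sha256:0a1b", "2025-12-01", "CN=app.example.test"),
    Observation("ct_monitor", "sha256:0a1b", "2025-12-01", "CN=app.example.test"),
    Observation("system_scan", "sha256:2c3d", "2026-03-15", "CN=db.example.test",
                ("/etc/ssl/db.pem",)),
]
```

Running `merge(SAMPLE)` resolves the first certificate to the issuing CA's expiry date while keeping the load balancer location the scanner contributed, and flags the second certificate as single-source because only the system scan saw it.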