SSL Discovery

Documentation Suite v10.3

SSL Discovery

SSL TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are protocols for establishing authenticated and encrypted links between networked computers. network discovery and monitoring is used to survey designated internet-facing or internal IP addresses and ports to locate and import certificates, as well as alert certificate owners when the certificates are nearing expiration or are not found. Discovery jobs scan network segments to locate certificates at TLS TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are protocols for establishing authenticated and encrypted links between networked computers. endpoints; whereas, monitoring jobs inspect certificates for health and expiration and notify recipients regarding the status of the certificates. With the introduction of the Keyfactor Universal Orchestrator The Keyfactor Universal Orchestrator, one of Keyfactor's suite of orchestrators, is used to interact with Windows servers (a.k.a. IIS certificate stores) and FTP capable devices for certificate management, run SSL discovery and management tasks, and manage synchronization of certificate authorities in remote forests. With the addition of custom extensions, it can run custom jobs to provide certificate management capabilities on a variety of platforms and devices (e.g. F5 devices, NetScaler devices, Amazon Web Services (AWS) resources) and execute tasks outside the standard list of certificate management functions. It runs on either Windows or Linux., SSL discovery can scan TLS 1.3 endpoints using any of the 5 ciphersuites referenced in appendix B.4 of RFC 8446.

SSL network discovery and monitoring scanning is performed by orchestrators that are assigned to orchestrator Keyfactor orchestrators perform a variety of functions, including managing certificate stores and SSH key stores. pools. An orchestrator pool contains orchestrators that support SSL discovery and monitoring capabilities for its networks. Orchestrator architecture allows for a pool of orchestrators to work in parallel to execute scan jobs. Based on defined schedules, Keyfactor Command creates discovery or monitoring scan jobs. Several scan jobs may be created from one large request. Orchestrators poll the Keyfactor Command Service to determine if scan jobs are available. Scan jobs are then executed by available orchestrators. Keyfactor Command automatically distributes the scanning load across the orchestrators in the pool by generating and managing individual scan jobs. Additionally, the orchestrator that discovers the certificate can be different than the orchestrator that monitors the certificate.

The orchestrator SSL scanning process will attempt to scan with and without server name indication Server name indication (SNI) is an extension to TLS that provides for including the hostname of the target server in the initial handshake request to allow the server to respond with the correct SSL certificate or allow a proxy to forward the request to the appropriate target. (SNI Server name indication (SNI) is an extension to TLS that provides for including the hostname of the target server in the initial handshake request to allow the server to respond with the correct SSL certificate or allow a proxy to forward the request to the appropriate target.) for endpoints specified by host name The unique identifier that serves as name of a computer. It is sometimes presented as a fully qualified domain name (e.g. servername.keyexample.com) and sometimes just as a short name (e.g. servername). during discovery scans and only use SNI during a monitoring scan if the endpoint An endpoint is a URL that enables the API to gain access to resources on a server. has an SNI name from the discovery scan. Whenever an endpoint is defined to scan by its host name, the orchestrator will try to scan that endpoint twice, one normal scan against the endpoint and one using the supplied host name as the SNI extension.

Keyfactor Command is installed with a Default Orchestrator Pool that holds all the orchestrators that have been configured for SSL network discovery and monitoring. Custom orchestrator pools can be created as needed.

Note: The orchestrators in the network’s orchestrator pool must have access to the network the pool is assigned to scan. Ideally, orchestrators are placed in close network proximity to the addresses they are configured to scan. Scanning across WAN or slow network links can impact performance and potentially miss certificates due to timeouts or network congestion. Additionally, firewalls between the orchestrators and their target networks need to be configured to allow connections to the scanned addresses and ports.

SSL network discovery and monitoring is divided into three areas:

Network Definitions
Network definitions are used to define a collection The certificate search function allows you to query the Keyfactor Command database for certificates from any available source based on any criteria of the certificates and save the results as a collection that will be availble in other places in the Management Portal (e.g. expiration alerts and certain reports). of networks that will be scanned by the designated orchestrator pool. Networks are defined using IP addresses, ports and hostnames. Within this option, you can schedule discovery and/or monitoring tasks. You can also configure networks to automatically tag a discovered endpoint with a certificate for monitoring.
Orchestrator Pools Definition
On the orchestrator pools definition tab you define a group of available orchestrators that support the SSL discovery and monitoring capabilities. For each orchestrator added to the orchestrator pool, you can select discover and/or monitor option(s).
Results
The results tab shows the results of endpoints that have been scanned, including both positive (true, a certificate was found) or negative (false, a certificate was not found) results. If a response was received from an endpoint during a scan, it is included in the results; negative results are hidden by default. The Monitor Status (True/False) and Reviewed Status (True/False) of an endpoint are included in the results tab.

The SSL network discovery and monitoring features can only be used if at least one appropriate instance of the Windows Orchestrator The Windows Orchestrator, one of Keyfactor's suite of orchestrators, is used to manage synchronization of certificate authorities in remote forests, run SSL discovery and management tasks, and interact with Windows servers as well as F5 devices, NetScaler devices, Amazon Web Services (AWS) resources, and FTP capable devices, for certificate management. In addition, the AnyAgent capability of the Windows Orchestrator allows it to be extended to create custom certificate store types and management capabilities regardless of source platform or location. version 6 or above or Keyfactor Universal Orchestrator version 9 or above is running in the environment and the orchestrator has been approved in the Management Portal. Older versions of the Windows Orchestrator do not support the version of SSL management found in Keyfactor Command version 6 and later. Keyfactor recommends that the orchestrator(s) used for SSL network discovery and monitoring be installed on a server other than the primary Keyfactor Command server(s) due to the resource requirements of the scanning process when scanning large network segments.

Tip: Click the help icon (

) next to the SSL Discovery page title to open the embedded web copy of the Keyfactor Command Reference Guide to this section.

You can also find the help icon at the top of the page next to the Log Out button. From here you can choose to open either the Keyfactor Command Documentation Suite at the home page or the Keyfactor API Endpoint Utility.

SSL Discovery

Products

Solutions

Resources

Company