SSL Discovery

SSLClosed TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are protocols for establishing authenticated and encrypted links between networked computers. network discovery and monitoring is used to survey designated internet-facing or internal IP addresses and ports to locate and import certificates, as well as alert certificate owners when the certificates are nearing expiration or are not found. Discovery jobs scan network segments to locate certificates at TLSClosed TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are protocols for establishing authenticated and encrypted links between networked computers. endpoints; whereas, monitoring jobs inspect certificates for health and expiration and notify recipients regarding the status of the certificates. With the introduction of the Keyfactor Universal OrchestratorClosed The Keyfactor Universal Orchestrator, one of Keyfactor's suite of orchestrators, is used to interact with Windows servers (a.k.a. IIS certificate stores) and FTP capable devices for certificate management, run SSL discovery and management tasks, and manage synchronization of certificate authorities in remote forests. With the addition of custom extensions, it can run custom jobs to provide certificate management capabilities on a variety of platforms and devices (e.g. F5 devices, NetScaler devices, Amazon Web Services (AWS) resources) and execute tasks outside the standard list of certificate management functions. It runs on either Windows or Linux., SSL discovery can scan TLS 1.3 endpoints using any of the 5 ciphersuites referenced in appendix B.4 of RFC 8446.

SSL network discovery and monitoring scanning is performed by orchestrators that are assigned to orchestratorClosed Keyfactor orchestrators perform a variety of functions, including managing certificate stores and SSH key stores. pools. An orchestrator pool contains orchestrators that support SSL discovery and monitoring capabilities for its networks. Orchestrator architecture allows for a pool of orchestrators to work in parallel to execute scan jobs. Based on defined schedules, Keyfactor Command creates discovery or monitoring scan jobs. Several scan jobs may be created from one large request. Orchestrators poll the Keyfactor Command Service to determine if scan jobs are available. Scan jobs are then executed by available orchestrators. Keyfactor Command automatically distributes the scanning load across the orchestrators in the pool by generating and managing individual scan jobs. Additionally, the orchestrator that discovers the certificate can be different than the orchestrator that monitors the certificate.

The orchestrator SSL scanning process will attempt to scan with and without server name indicationClosed Server name indication (SNI) is an extension to TLS that provides for including the hostname of the target server in the initial handshake request to allow the server to respond with the correct SSL certificate or allow a proxy to forward the request to the appropriate target. (SNIClosed Server name indication (SNI) is an extension to TLS that provides for including the hostname of the target server in the initial handshake request to allow the server to respond with the correct SSL certificate or allow a proxy to forward the request to the appropriate target.) for endpoints specified by host nameClosed The unique identifier that serves as name of a computer. It is sometimes presented as a fully qualified domain name (e.g. servername.keyexample.com) and sometimes just as a short name (e.g. servername). during discovery scans and only use SNI during a monitoring scan if the endpointClosed An endpoint is a URL that enables the API to gain access to resources on a server. has an SNI name from the discovery scan. Whenever an endpoint is defined to scan by its host name, the orchestrator will try to scan that endpoint twice, one normal scan against the endpoint and one using the supplied host name as the SNI extension.

Keyfactor Command is installed with a Default Orchestrator Pool that holds all the orchestrators that have been configured for SSL network discovery and monitoring. Custom orchestrator pools can be created as needed.

Note:  The orchestrators in the network’s orchestrator pool must have access to the network the pool is assigned to scan. Ideally, orchestrators are placed in close network proximity to the addresses they are configured to scan. Scanning across WAN or slow network links can impact performance and potentially miss certificates due to timeouts or network congestion. Additionally, firewalls between the orchestrators and their target networks need to be configured to allow connections to the scanned addresses and ports.

SSL network discovery and monitoring is divided into three areas:

The SSL network discovery and monitoring features can only be used if at least one compatible (see the Compatibility Matrix) instance of the Keyfactor Universal Orchestrator or Windows OrchestratorClosed The Windows Orchestrator, one of Keyfactor's suite of orchestrators, is used to manage synchronization of certificate authorities in remote forests, run SSL discovery and management tasks, and interact with Windows servers as well as F5 devices, NetScaler devices, Amazon Web Services (AWS) resources, and FTP capable devices, for certificate management. In addition, the AnyAgent capability of the Windows Orchestrator allows it to be extended to create custom certificate store types and management capabilities regardless of source platform or location. is running in the environment and the orchestrator has been approved in the Management Portal. Keyfactor recommends that the orchestrator(s) used for SSL network discovery and monitoring be installed on a server other than the primary Keyfactor Command server(s) due to the resource requirements of the scanning process when scanning large network segments.

Tip:  Click the help icon () next to the SSL Discovery page title to open the embedded web copy of the Keyfactor Command Documentation Suite to this section.

You can also find the help icon at the top of the page next to the Log Out button. From here you can choose to open either the Keyfactor Command Documentation Suite at the home page or the Keyfactor API Endpoint Utility.