Skip to main content

What is Discovery?

Certificate Discovery scans your environment continuously and builds a complete inventory of every TLS certificate present — regardless of which CA issued it, whether your team knows about it, or whether it was provisioned through CertForge at all. Discovery sources run simultaneously:
  • Certificate Transparency (CT) logs — public logs that capture nearly every publicly-trusted TLS cert issued. CertForge watches CT logs for your domains and surfaces any cert as soon as it appears.
  • Active TLS scanning — CertForge connects to your registered hostnames and retrieves the certificate the server is actually serving. This catches certs that may not be in CT logs, including internally-issued certs.
  • CA connector imports — certs pulled directly from external CA APIs (DigiCert, Sectigo, internal CAs) via the CA Connector framework.

Governance Status

Every discovered certificate gets one of three governance statuses: Clicking Track on a discovered cert moves it to Tracked status. Clicking Dismiss marks it as a known false positive (excluded from reports).

Policy Mismatch Detection

When a discovered cert matches a Domain Trust Profile by domain pattern, CertForge evaluates it against that profile’s policy and flags any violations:
  • Wildcard not allowed — cert contains a wildcard SAN but the DTP prohibits wildcards
  • Validity too long — cert’s validity period exceeds the DTP’s configured maximum
  • EKU mismatch — cert contains an Extended Key Usage not permitted by the DTP
Violations appear as a red badge on the Discovery page. This gives your security team immediate visibility into out-of-policy certs already in production, without waiting for a manual audit.

Discovery Page

Navigate to Discovery in the sidebar. The page shows all discovered certs with filters for:
  • Source: CT log / TLS scan / CA connector
  • Governance status: Tracked / Untracked / Ungoverned
  • Expiry: Active / Expiring ≤30 days / Expired
  • Policy: Compliant / Policy mismatch
Each cert row shows the issuer, SANs, expiry date, discovery source, and any policy violations.

Dashboard KPIs

The Dashboard shows discovery metrics at a glance:
  • CA Inventory — count of certs imported via CA connectors
  • Tracked — count of explicitly governed discovered certs
  • Ungoverned — count of certs with no matching Trust Profile
See Dashboard for the full KPI reference.

Configuring Discovery Targets

Discovery runs automatically against domains registered in your Domain Trust Profiles. To add scan targets:
  1. Go to Admin → Domain Trust Profiles
  2. Open a profile and ensure domains are registered
  3. CertForge begins scanning those domains on the next discovery cycle
For CA connector-based discovery, see CA Connectors.