What is Discovery?
Certificate Discovery scans your environment continuously and builds a complete inventory of every TLS certificate present — regardless of which CA issued it, whether your team knows about it, or whether it was provisioned through CertForge at all. Discovery sources run simultaneously:- Certificate Transparency (CT) logs — public logs that capture nearly every publicly-trusted TLS cert issued. CertForge watches CT logs for your domains and surfaces any cert as soon as it appears.
- Active TLS scanning — CertForge connects to your registered hostnames and retrieves the certificate the server is actually serving. This catches certs that may not be in CT logs, including internally-issued certs.
- CA connector imports — certs pulled directly from external CA APIs (DigiCert, Sectigo, internal CAs) via the CA Connector framework.
Governance Status
Every discovered certificate gets one of three governance statuses:
Clicking Track on a discovered cert moves it to Tracked status. Clicking Dismiss marks it as a known false positive (excluded from reports).
Policy Mismatch Detection
When a discovered cert matches a Domain Trust Profile by domain pattern, CertForge evaluates it against that profile’s policy and flags any violations:- Wildcard not allowed — cert contains a wildcard SAN but the DTP prohibits wildcards
- Validity too long — cert’s validity period exceeds the DTP’s configured maximum
- EKU mismatch — cert contains an Extended Key Usage not permitted by the DTP
Discovery Page
Navigate to Discovery in the sidebar. The page shows all discovered certs with filters for:- Source: CT log / TLS scan / CA connector
- Governance status: Tracked / Untracked / Ungoverned
- Expiry: Active / Expiring ≤30 days / Expired
- Policy: Compliant / Policy mismatch
Dashboard KPIs
The Dashboard shows discovery metrics at a glance:- CA Inventory — count of certs imported via CA connectors
- Tracked — count of explicitly governed discovered certs
- Ungoverned — count of certs with no matching Trust Profile
Configuring Discovery Targets
Discovery runs automatically against domains registered in your Domain Trust Profiles. To add scan targets:- Go to Admin → Domain Trust Profiles
- Open a profile and ensure domains are registered
- CertForge begins scanning those domains on the next discovery cycle