Certificate Authority Scan

AppViewX can communicate with a CA and scan its certificates. To discover certificates from a CA, the CA account must be determined under the AppViewX inventory settings.

To trigger a certificate authority scan:

  1. From the CERT+ menu, under CERTIFICATE DISCOVERY, select Discovery > Certificate Authority Scan.
    The Discovery : Certificate Authority Scan : Add Discovery page is displayed.
  2. In the Discover Details section, select/enter the following details:
    Table 1. Field descriptions for the Discover Details section
    Field: Description
    *Discovery Run Type: Click the check box to select the desired discovery run type. The possible types are:
    • On-demand - The user can trigger a discovery manually whenever he/she wants.
    • Schedule - By scheduling the discovery, the user can automate the process for a defined time/frequency.
    Note: AppViewX will trigger the certificate discovery process for that instance.
    Discovery Instance Name: Enter the name of the discovery instance.
    Description: Enter the required details in this field.
    Note: You can enter a maximum of 2000 characters in this field.
    Note: The following fields are displayed only when Discovery Run Type = Scheduled.
    Occurrence Type: From the dropdown list, select one of the following occurrence frequencies:
    • Daily
    • Weekly
    • Monthly
    • Yearly
    *Repeat On: Select the checkbox corresponding to the day of the week on which you want the discovery occurrence to repeat.
    Note: This field is displayed only when Occurrence Type = Weekly.
    *Starts On: Click the calendar widget to select a date to start the scheduled discovery.
    *Ends: From the following options, select when the scheduled discovery is to end:
    • Never: Discovery never stops.
    • After: Discovery stops after the number of occurrences specified in the text field.
    • On: Discovery stops on the date selected using the calendar widget.
    Summary: Displays a summary of the selections made for scheduled discovery.
  3. In the Discover By section, enter/select the following details:
    Table 2. Field descriptions for the Discover By section
    Field: Description
    *Discovery From: From the dropdown list, select the source for certificate discovery.
    *Select CA: From the dropdown list, select a CA to view its managed accounts in AppViewX for certificate discovery.
    Note: Starting with version 2021.1.0, when the ACM Private CA is selected, the regions configured for the selected account are listed in the Region field.
    CA window: All managed CAs are listed in this CA window. Select the CAs you want to discover certificates from.
    The CA window has the following options:
    • Add as Favorites: You can mark your frequently used CAs as favorites.
    • All: Select this to see the complete list of CAs (unfiltered).
    • Selected: Select this to list only the selected CAs.
    • Unselected: Select this to list only the unselected CAs.
    • Delete: Delete the required CA(s) from the favorites list.
  4. In the Discovery Rules section, from the Associate Rule dropdown list, select a rule that will be used to filter the discovered certificates.
    A rule is created from the Rules menu by combining a set of filters. Selecting a rule applies its filters to the discovered certificates.
  5. In the After Discover section, enter/select the following details:
    Table 3. Field descriptions for the After Discover section
    Field: Description
    *Move Certificate to Inventory with Status: Select one of the following options:
    • Do not move: The newly discovered certificates and their objects will not be moved to the inventory.
    • Managed: The newly discovered certificates and their objects will be moved to the inventory with the status set to Managed.
    • Monitored: The newly discovered certificates and their objects will be moved to the inventory with the status set to Monitored.
    Use Access Control Rule: To apply the rule configured using Access Control, select this checkbox.
    Note: If this checkbox is enabled, the certificate group will be associated automatically by the rule in access control.
    *Certificate Group: From the dropdown list, select a certificate group to which the discovered certificates will be associated.
    Based on the group association, a policy will also be applied to these certificates, which will help ascertain compliance or non-compliance.

  6. Click Discover/Schedule to trigger the on-demand/scheduled discovery, respectively.
    Note: For EJBCA, revoked certificates are not discovered. On discovery, the end certificates are discovered based on the days configured in the CA settings; expired certificates are always discovered. The expiry days are calculated from 0 to the given value, for example, 0 - 1500. By default, all root and intermediate certificates that expire before 100 years are discovered along with the end certificates. The discovered certificate count cannot be validated against the certificates present in the CA.