Certificate discovery is the process of locating certificates already deployed across hosts, ports, DNS names, and services. It is the inventory foundation for lifecycle control because unmanaged certificates cannot be renewed, revoked, or audited reliably.
Expanded Definition
Certificate discovery is the inventory step that maps where certificates live across hosts, load balancers, ports, DNS names, applications, and services. In NHI and PKI operations, it is the point where teams turn unknown certificate sprawl into an addressable asset set for renewal, revocation, ownership, and audit.
Definitions vary across vendors on how far discovery should reach. Some tools focus on public-facing TLS certificates only, while others scan internal services, containers, and cloud workloads. For governance use, the broader view is usually more useful because certificates often appear outside formal CMDB records and outside the direct control of PKI teams. That is why discovery is closely tied to lifecycle management in the NHI Lifecycle Management Guide and to the visibility problems described in the Ultimate Guide to NHIs — Key Challenges and Risks.
The most common misapplication is treating certificate discovery as a one-time scan, which occurs when teams assume a single audit can replace continuous inventory.
Examples and Use Cases
Implementing certificate discovery rigorously often introduces scan noise and ownership ambiguity, requiring organisations to weigh faster visibility against the effort of validating each finding.
- Scanning internal web services to find expiring TLS certificates before an outage window, then assigning each certificate to a system owner for renewal.
- Mapping certificates embedded in Kubernetes ingress, API gateways, and service meshes so workload traffic can be traced back to a trusted issuer.
- Finding certificates on legacy servers that were deployed outside central PKI workflows, then bringing them into a renewal process with documented ownership.
- Correlating discovered certificates with DNS names and open ports to identify shadow services that were never registered in asset management.
- Using discovery output to support risk review after incidents such as the Sisense breach, where machine identity exposure becomes part of the broader attack path analysis.
For identity governance teams, discovery is the bridge between inventory and action, much like how the NIST Cybersecurity Framework 2.0 treats asset awareness as a prerequisite for protection and recovery.
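An added example (not code from this page or any vendor tool) of the inventory step the use cases above describe: raw scan output in the dict shape `ssl.SSLSocket.getpeercert()` returns is turned into an addressable record per endpoint, with the findings a team acts on (expiring soon, registered but unowned, or a shadow service absent from the asset registry). Hosts, dates and the registry are constructed; `fetch_peer_cert` is the live-discovery counterpart and is not exercised offline.

```python
import ssl
import socket
from datetime import datetime, timezone

# Constructed scan results in the dict shape ssl.SSLSocket.getpeercert() returns; made up for this example.
SCAN = [
    {"host": "api.internal.example", "port": 443, "cert": {
        "notAfter": "Mar 20 12:00:00 2025 GMT",
        "subjectAltName": (("DNS", "api.internal.example"),)}},
    {"host": "10.0.5.12", "port": 8443, "cert": {
        "notAfter": "Dec 31 23:59:59 2026 GMT",
        "subjectAltName": (("DNS", "legacy-db.internal.example"),)}},
    {"host": "10.0.9.3", "port": 443, "cert": {
        "notAfter": "Jun 01 00:00:00 2027 GMT",
        "subjectAltName": (("DNS", "svc-old.internal.example"),)}},
]
# Assumed asset registry (CMDB stand-in): DNS name -> owner; None = registered but no owner.
REGISTRY = {"api.internal.example": "platform-team", "legacy-db.internal.example": None}


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Live discovery of one endpoint. Default verification is kept, so a host whose
    chain does not validate (self-signed legacy cert) yields {} and needs a DER parser."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def days_until_expiry(cert, now):
    """Days from `now` to notAfter, parsed with the stdlib helper for the cert time format."""
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    return (not_after - now).days


def build_inventory(scan, registry, now, expiry_window_days=30):
    """Turn raw scan output into an inventory record per endpoint with actionable findings."""
    inventory = []
    for rec in scan:
        cert = rec["cert"]
        names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
        registered = [n for n in names if n in registry]
        owner = next((registry[n] for n in registered if registry[n]), None)
        findings = []
        if days_until_expiry(cert, now) < expiry_window_days:
            findings.append("expiring")        # renew before the outage window
        if not registered:
            findings.append("shadow_service")  # never entered in asset management
        elif owner is None:
            findings.append("unowned")         # known asset, nobody to assign renewal to
        inventory.append({"endpoint": f"{rec['host']}:{rec['port']}",
                          "names": names, "owner": owner, "findings": findings})
    return inventory
```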
Why It Matters in NHI Security
Certificate discovery matters because a certificate that is not known cannot be renewed on time, revoked after compromise, or audited for issuer, scope, or ownership. In practice, missing inventory becomes a control failure. NHI Mgmt Group research in the Ultimate Guide to NHIs — What are Non-Human Identities shows that only 5.7% of organisations have full visibility into their service accounts, and the same visibility gap usually affects certificates attached to those identities.
The risk is not only outage. Certificates often anchor mutual TLS, API authentication, and service trust chains, so undiscovered certificates can leave stale trust paths active long after systems are retired. The gap also complicates governance because teams cannot prove what they do not enumerate. That is why lifecycle controls and discovery need to be connected to formal inventory and monitoring processes, as reflected in the Top 10 NHI Issues.
Organisations typically treat certificate discovery as an operational priority only after an expiry-driven outage, at which point building an inventory becomes unavoidable.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Discovery is the first step to inventorying and governing machine identities and certificates. |
| NIST CSF 2.0 | ID.AM-1 | Asset inventory controls require visibility into certificates as part of managed assets. |
| NIST Zero Trust (SP 800-207) | ID | Zero Trust depends on knowing trusted identities, endpoints, and credentials in use. |
Continuously enumerate certificates and owners so renewals, revocation, and audits are actionable.