Automation 03-25-2021

How to Gain Complete Control Over Your Certificate Inventory Through Discovery and Automation

Dr. Avesta Hojjati

TLS/SSL certificates need to constantly be monitored to remain compliant, stay safe from vulnerabilities and avoid expirations. But most organizations do not have a complete, real-time picture of their certificate landscape. Without visibility into your network, it is impossible to gain control over rogue or unrenewed certificates. However, visibility is much more than setting a reminder for expirations — it ensures you remain compliant and simplifies tracking and auditing.

Once you gain visibility, equally crucial is the ability to replace and revoke certificates quickly and easily. Without visibility and control, you cannot confidently confirm that there aren't any holes in your network's encryption, and your network could be at risk of a breach or fail a compliance audit. DigiCert Discovery and Automation makes it easy to increase efficiency by eliminating manual tasks, reducing risk and saving you time.

Reasons to gain control now

You need to gain control over your certificate inventory now to avoid costly outages, keep up with increasing certificate usage and remain compliant with the latest industry standards.

Is your organization’s certificate usage increasing?

About 80% of organizations estimate that their TLS usage will increase by a quarter in the next five years, and that growth can have increasingly detrimental consequences. Among CIOs, 85% believe that the growing complexity of IT systems is going to make outages all the more damaging. The more your usage scales, the more you need complete control and visibility to protect your network.

Are you compliant with current protocols?

Some organizations have been running outdated protocols for some time now. Using outdated TLS protocols leads to risk of sensitive data exposure and man-in-the-middle attacks. According to a recent NSA report, "Attackers can exploit outdated Transport Layer Security (TLS) protocol configurations to gain access to sensitive data with very few skills required."

In response, the NSA recently urged “all network owners and operators” to eliminate obsolete protocols from their networks, while requiring all publicly accessible federal websites to use updated protocols. "NSA recommends that only TLS 1.2 or TLS 1.3 be used, and that SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1 not be used." Additionally, in 2020 all of the major browsers retired TLS 1.0 and 1.1, so those protocols cannot be used on public websites without triggering the “not secure” warning. Gaining visibility and control over your certificate inventory gives you the ability to remain compliant with current industry standards.

How much do certificate outages cost?

Poorly managed TLS certificates can lead to costly outages and damage your organization’s reputation. Certificate outages can take several days to resolve and cost over $500,000 per hour. Large organizations can lose around $5,600 per minute from outages, and in 2019 the average cost of a data breach was $3.9 million.

Discovery – the first step to gain visibility & control

Discovery offers a real-time picture of your certificate landscape. DigiCert Discovery gives you options for running your next scan. Use our easy and fast cloud scan to capture your publicly facing certs without having to install anything. For a deeper scan you can deploy sensors to scan your network and find all your internal and public facing TLS certificates regardless of the issuing certificate authority (CA).

These sensors are small software applications that you install in strategic locations. You can deploy on premises, in the cloud or both, and scale with your usage. As more nodes are added to your network (i.e., more printers, servers, applications, etc.), more sensors can be deployed and scans can be modified as needed. You can deploy sensors and test them on a consistent basis (monthly, weekly, etc.) to make sure you don’t have rogue or unrenewed certificates and have the most compliant certificates installed.
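As an added illustration (not DigiCert's code and not a description of how its sensors are built), the following Python sketch shows the two halves of a discovery scan described above: recording what one endpoint presents, and triaging the inventory for the problems this post names (obsolete protocol versions from the NSA list, expired or soon-to-expire certificates, and certificates from a CA you did not expect). The host names, the issuer allow-list and the 30-day renewal window are assumptions, and the scan records are constructed so the triage runs offline.

```python
import socket, ssl
from datetime import datetime, timedelta, timezone

# Versions the NSA guidance quoted above says not to use (names as SSLSocket.version() reports them).
OBSOLETE_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Issuer organizations this hypothetical inventory expects; anything else is a review item.
EXPECTED_ISSUERS = {"DigiCert"}
RENEWAL_WINDOW = timedelta(days=30)   # flag certificates that expire inside this window

def fetch_record(host, port=443, timeout=5.0):
    """What a sensor records for one live endpoint (not called by the offline demo). Caveat:
    getpeercert() returns parsed fields only for a validated chain; a full sensor would parse
    getpeercert(binary_form=True) so untrusted and self-signed certificates are inventoried too."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            issuer = dict(rdn[0] for rdn in cert["issuer"])
            expiry = ssl.cert_time_to_seconds(cert["notAfter"])
            return {"host": host, "port": port, "protocol": tls.version(),
                    "issuer_org": issuer.get("organizationName", ""),
                    "not_after": datetime.fromtimestamp(expiry, tz=timezone.utc)}

def assess(record, now):
    """Findings a discovery report would raise for one inventory record; empty means clean."""
    findings = []
    if record["protocol"] in OBSOLETE_PROTOCOLS:
        findings.append("obsolete protocol: " + record["protocol"])
    remaining = record["not_after"] - now
    if remaining <= timedelta(0):
        findings.append("expired")
    elif remaining <= RENEWAL_WINDOW:
        findings.append("expires in %d days" % remaining.days)
    if record["issuer_org"] not in EXPECTED_ISSUERS:
        findings.append("unexpected issuer: " + record["issuer_org"])
    return findings

# Constructed scan results standing in for sensor output; hosts and CA names are not real.
SCAN_TIME = datetime(2021, 3, 25, tzinfo=timezone.utc)
SAMPLE_SCAN = [
    {"host": "web-01.example.internal", "port": 443, "protocol": "TLSv1.2",
     "issuer_org": "DigiCert", "not_after": SCAN_TIME + timedelta(days=200)},
    {"host": "printer-07.example.internal", "port": 443, "protocol": "TLSv1",
     "issuer_org": "Printer Vendor", "not_after": SCAN_TIME - timedelta(days=3)},
    {"host": "legacy-app.example.internal", "port": 8443, "protocol": "TLSv1.2",
     "issuer_org": "Other CA", "not_after": SCAN_TIME + timedelta(days=12)},
]

if __name__ == "__main__":
    for r in SAMPLE_SCAN:
        print(r["host"], assess(r, SCAN_TIME) or ["ok"])
```

Running the triage on a recurring schedule (the monthly or weekly cadence the post suggests) and diffing the findings against the previous run is what turns a one-off scan into an inventory.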

Figure 1 - The DigiCert Discovery Dashboard in CertCentral

Automation – the ultimate way to gain control over your certificate inventory

Once you’ve gained visibility over your certificate inventory, you need to be able to resolve any issues quickly and easily. Automation gives you control to save time and reduce risks by eliminating a manual renewal and installation process.

DigiCert CertCentral® has multiple ways to set up automation, including ACME, automation tools and APIs. For basic automation in any business type, CertCentral can manage multiple ACME clients from its UI that will run on Windows and Linux servers. For unlimited flexibility and customization, APIs can directly integrate CertCentral with your system or platform of choice. Finally, for scalable and managed automation features, DigiCert has a suite of enterprise automation tools that seamlessly integrate with other OEM solutions, such as widely deployed load balancers, F5, Amazon AWS, Citrix and more.

Whichever automation tools you choose, enabling automation with your certificate inventory helps save time and reduce risk. Additionally, you do not have to use Discovery to take advantage of DigiCert automation features.

Figure 2 - Setting Up Automation Wizard in CertCentral

Figure 3 - Automation Set Up in CertCentral

Figure 4 - ACME Directory in CertCentral

Discovery and Automation: built in DigiCert CertCentral®

DigiCert CertCentral® manages all TLS certificates throughout the certificate lifecycle. The award-winning platform features a rich automation suite, continuous updates and an API-based development structure for easy implementation into popular platforms and systems. CertCentral’s automated discovery provides visibility into an organization’s entire certificate landscape, including certificates from third-party CAs, for active management. CertCentral automates key management tasks — such as ordering, renewing, monitoring, inspecting, reissuing and revoking certificates. CertCentral is customizable and offers scalability from a single certificate to millions. A global solution, CertCentral TLS Manager supports 11 international languages and nine global currencies.

Easily set up automation with Digicert Enterprise Automation & Discovery Suite

Automating TLS certificates has never been easier than with DigiCert's CertCentral Enterprise’s Automation & Discovery Suite. Let our industry-unique Automation Wizard help you choose the correct solution and configuration that best meets your organization's needs. Learn more about DigiCert CertCentral Discovery and Automation at
