Runbook (difficulty: Medium)

Discovery Optimization Runbook

Find every certificate. Miss nothing. Break nothing. This runbook guides PKI teams through optimizing their certificate discovery process for comprehensive coverage.

Estimated time: 2-4 hours
Last Updated: January 2026

When to Use

  • Running regular discovery scans and want to find more certificates
  • Discovery scans are taking too long or missing known certificates
  • Setting up discovery for the first time with commercial CLM or NMAP
  • Preparing for compliance audit that requires complete certificate inventory

Do NOT Use For

  • You need to renew a specific certificate (use Certificate Renewal Runbook)
  • Certificate has already expired (use Emergency Replacement Runbook)
  • Looking for general CLM concepts (see Certificate Discovery Guide)

Quick Reference (TL;DR)

  1. Define scope: IP ranges, ports, and exclusions
  2. Configure scanner with proper timeouts, SNI, and chain extraction
  3. Run scan with monitoring and adjust parameters as needed
  4. Analyze results, identify blind spots, and establish baselines

Phase 1: Pre-Scan Preparation

Objective: Gather intelligence and define scan scope before running discovery

Quick scan of a subnet to test connectivity:

# -Pn skips ping-based host discovery, so hosts that drop ICMP are still probed on 443
nmap -Pn -p 443 --script ssl-cert 10.0.0.0/24 -oX test-scan.xml

Extract hostnames from DNS zone file:

# If you have zone file access: take the owner name of every record that starts a line
# ($ORIGIN/$TTL directives and comments are skipped). Relative names (no trailing dot)
# need the zone origin appended before they are usable as SNI names.
grep -E "^[a-zA-Z0-9]" zone.db | awk '{print $1}' | sort -u > hostnames.txt
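Scope definition is where most discovery gaps start: exclusions maintained separately from the target list drift, and one oversized range stalls the whole run. The following Python script is an added example for this runbook, not vendor or project code. It carves the exclusions out of the in-scope ranges (so excluded addresses are never handed to nmap at all), splits what remains into /24 chunks that can be re-run individually, and emits one nmap argument list per chunk and per SNI name with bounded retries and a per-host timeout. The ranges, exclusions and hostnames are placeholders; `tls.servername` is the script argument nmap's tls library reads for the SNI name (check the ssl-cert script documentation for your nmap version).

```python
"""Define the discovery scope: in-scope ranges minus exclusions, split into
bounded chunks, one nmap argument list per chunk (and per SNI name).

Added example for this runbook, not vendor tooling. Ranges, exclusions and
SNI names are placeholders; tls.servername is the script-arg nmap's tls
library reads for the SNI name (verify against your nmap version).
"""
import ipaddress
import shlex


def expand_scope(ranges, exclusions):
    """Carve each exclusion out of each in-scope range so excluded addresses
    are never handed to the scanner, instead of trusting a separate --exclude list."""
    excluded = [ipaddress.ip_network(e, strict=False) for e in exclusions]
    result = set()
    for r in ranges:
        pieces = [ipaddress.ip_network(r, strict=False)]
        for ex in excluded:
            kept = []
            for piece in pieces:
                if ex.version != piece.version or not ex.overlaps(piece):
                    kept.append(piece)                      # exclusion does not touch this piece
                elif piece.subnet_of(ex):
                    continue                                # whole piece is excluded
                else:
                    kept.extend(piece.address_exclude(ex))  # ex lies strictly inside piece
            pieces = kept
        result.update(pieces)
    return sorted(result, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def host_count(nets):
    """Addresses the plan will touch; use it to sanity-check runtime estimates."""
    return sum(n.num_addresses for n in nets)


def chunk_for_scanning(nets, max_prefixlen=24):
    """Split anything larger than a /24 into /24s so one nmap run has a bounded
    size and a stalled chunk can be re-run on its own."""
    chunks = []
    for net in nets:
        if net.version == 4 and net.prefixlen < max_prefixlen:
            chunks.extend(net.subnets(new_prefix=max_prefixlen))
        else:
            chunks.append(net)
    return chunks


def nmap_command(chunk, ports, output_xml, sni=None, host_timeout="5m"):
    """argv for one chunk: -Pn so hosts that drop ping probes are still probed
    on the TLS ports; bounded retries and a per-host timeout so a black-holed
    range cannot stall the whole scan."""
    argv = ["nmap", "-Pn", "-p", ",".join(str(p) for p in ports),
            "--script", "ssl-cert",
            "--host-timeout", host_timeout, "--max-retries", "2",
            "-oX", output_xml]
    if sni:
        argv += ["--script-args", f"tls.servername={sni}"]
    argv.append(str(chunk))
    return argv


def scan_plan(ranges, exclusions, ports, sni_names=(None,)):
    """List of (chunk, argv): one nmap run per chunk and per SNI name, each
    writing its own XML so results can be merged and failed chunks re-run."""
    plan = []
    for i, chunk in enumerate(chunk_for_scanning(expand_scope(ranges, exclusions))):
        for sni in sni_names:
            tag = f"{i:03d}" + (f"-{sni}" if sni else "")
            plan.append((chunk, nmap_command(chunk, ports, f"discovery-{tag}.xml", sni)))
    return plan


if __name__ == "__main__":
    # Placeholder scope: a /22 with a management /24 and half of another /24
    # carved out; 192.168.0.0/16 is listed but lies outside the range.
    ranges = ["10.0.0.0/22"]
    exclusions = ["10.0.1.0/24", "10.0.2.128/25", "192.168.0.0/16"]
    nets = expand_scope(ranges, exclusions)
    print(f"{host_count(nets)} addresses in {len(nets)} ranges: {[str(n) for n in nets]}")
    for _chunk, argv in scan_plan(ranges, exclusions, [443, 8443, 9443], (None, "www.example.com")):
        print(shlex.join(argv))
```

Each chunk writes its own `-oX` file, so a chunk that hits the host timeout can be re-run alone and the XML files merged afterwards; running the same chunk once per SNI name is what turns a "default certificate only" result into a full vhost inventory.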

Phase 2: Discovery Configuration

Objective: Configure scanner settings for optimal coverage and performance

NMAP with SNI and full options (the SNI name is passed through the tls library's tls.servername script argument; when the target is given as a hostname rather than an IP, nmap uses that hostname as the SNI name by default):

nmap -p 443,8443,9443 --script ssl-cert \
  --script-args tls.servername=www.example.com \
  -oX discovery-results.xml target-range

NMAP with multiple hostnames for SNI:

# Create hostnames.txt with one hostname per line, then probe the same IP once per
# name: a virtual host, load balancer or CDN returns the certificate matching the SNI name
while IFS= read -r host; do
  [ -n "$host" ] || continue
  nmap -p 443 --script ssl-cert \
    --script-args "tls.servername=$host" \
    target-ip >> results.txt
done < hostnames.txt

OpenSSL for single host verification:

openssl s_client -connect host:443 -servername hostname \
  </dev/null 2>/dev/null | openssl x509 -noout -dates -subject -issuer

💡 SNI is critical for finding certificates on shared hosting or CDNs

💡 Without proper SNI configuration, you may only find default certificates

Phase 3: Execute Discovery

Objective: Run the scan with monitoring and adjust as needed

Monitor scan progress (NMAP):

# Press 'v' during the scan to increase verbosity; any other key prints a status line
# nmap writes the -oX file as hosts complete, so count the hosts finished so far:
grep -c '<host ' discovery-results.xml

Identify failed hosts from NMAP output:

# The ssl-cert script writes no <script> element when the handshake yields no certificate,
# so list hosts with an open port that has no ssl-cert result (needs xmllint from libxml2;
# meaningful when only TLS ports were scanned):
xmllint --xpath '//host[ports/port[state/@state="open" and not(script[@id="ssl-cert"])]]/address[@addrtype="ipv4"]/@addr' results.xml

Phase 4: Results Analysis

Objective: Validate results, categorize findings, and identify gaps

Parse NMAP XML for expiring certificates:

# Extract certificates expiring within 30 days from nmap's structured ssl-cert
# output (<elem key="notAfter">, ISO-8601 in UTC); requires GNU date
grep -oP '<elem key="notAfter">\K[^<]+' results.xml | sort -u | while read -r date; do
  exp=$(date -ud "$date" +%s 2>/dev/null) || continue
  now=$(date +%s)
  days=$(( (exp - now) / 86400 ))
  [ "$days" -lt 30 ] && echo "Expires in $days days: $date"
done

Quick count of certificates by issuer (results.txt holds nmap's normal output, in which the script prints one "Issuer: ..." line per certificate):

grep -oP 'Issuer: \K.*' results.txt | sort | uniq -c | sort -rn
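The greps above give quick numbers; for a repeatable inventory you want to parse the XML properly. The following Python script is an added example for this runbook (not part of its tooling or any CLM product): it reads nmap `-oX` output from the ssl-cert script, deduplicates certificates by SHA-1 thumbprint (the CDN and load-balancer duplicates covered under Troubleshooting), lists certificates expiring within a window, counts unique certificates per issuer, and reports open ports that returned no certificate, which are the blind spots Phase 3 asks you to identify. The embedded XML is constructed for the example and mirrors the table/elem keys nmap's ssl-cert script writes (subject, issuer, validity, sha1); addresses, names and fingerprints are placeholders, and you should check the key names against your own nmap output.

```python
"""Build a certificate inventory from nmap -oX ssl-cert output.

Added example for this runbook. Assumed input: nmap XML in which each open
TLS port carries a <script id="ssl-cert"> element with the structured tables
the ssl-cert script writes (subject, issuer, validity/notAfter, sha1).
SAMPLE_XML is constructed for this example and is not real scan output.
"""
from collections import Counter
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
<host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="443"><state state="open"/>
<script id="ssl-cert" output="Subject: commonName=www.example.com">
<table key="subject"><elem key="commonName">www.example.com</elem></table>
<table key="issuer"><elem key="commonName">R3</elem><elem key="organizationName">Let's Encrypt</elem></table>
<table key="validity"><elem key="notAfter">2026-01-20T12:00:00</elem></table>
<elem key="sha1">aaaa1111aaaa1111aaaa1111aaaa1111aaaa1111</elem></script></port>
<port protocol="tcp" portid="8443"><state state="open"/>
<script id="ssl-cert" output="Subject: commonName=www.example.com">
<table key="subject"><elem key="commonName">www.example.com</elem></table>
<table key="issuer"><elem key="commonName">R3</elem><elem key="organizationName">Let's Encrypt</elem></table>
<table key="validity"><elem key="notAfter">2026-01-20T12:00:00</elem></table>
<elem key="sha1">aaaa1111aaaa1111aaaa1111aaaa1111aaaa1111</elem></script></port>
</ports></host>
<host><status state="up"/><address addr="10.0.0.6" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="443"><state state="open"/>
<script id="ssl-cert" output="Subject: commonName=internal.example.com">
<table key="subject"><elem key="commonName">internal.example.com</elem></table>
<table key="issuer"><elem key="commonName">Corp Issuing CA 01</elem><elem key="organizationName">Example Corp</elem></table>
<table key="validity"><elem key="notAfter">2027-06-01T00:00:00</elem></table>
<elem key="sha1">bbbb2222bbbb2222bbbb2222bbbb2222bbbb2222</elem></script></port>
</ports></host>
<host><status state="up"/><address addr="10.0.0.7" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="443"><state state="open"/></port></ports></host>
<host><status state="up"/><address addr="10.0.0.8" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="443"><state state="filtered"/></port></ports></host>
</nmaprun>
"""


def parse_utc(stamp):
    """nmap writes validity times as ISO-8601 UTC, usually without an offset."""
    dt = datetime.fromisoformat(stamp)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def _text(node, path):
    found = node.find(path)
    return found.text if found is not None else None


def parse_inventory(xml_text):
    """Return (records, gaps): one record per (host, port) that served a cert,
    and (addr, port) pairs that were open but produced no ssl-cert result
    (handshake failed, non-TLS service, or the server wanted an SNI name)."""
    records, gaps = [], []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            portid = int(port.get("portid"))
            script = port.find("script[@id='ssl-cert']")
            if script is None:
                gaps.append((addr, portid))
                continue
            records.append({
                "addr": addr, "port": portid,
                "subject_cn": _text(script, "table[@key='subject']/elem[@key='commonName']"),
                "issuer": "{} / {}".format(
                    _text(script, "table[@key='issuer']/elem[@key='organizationName']"),
                    _text(script, "table[@key='issuer']/elem[@key='commonName']")),
                "not_after": parse_utc(_text(script, "table[@key='validity']/elem[@key='notAfter']")),
                "sha1": _text(script, "elem[@key='sha1']"),
            })
    return records, gaps


def dedupe_by_fingerprint(records):
    """Collapse one certificate served from many IPs/ports (CDNs, load
    balancers) into a single entry keyed by SHA-1 thumbprint."""
    unique = {}
    for rec in records:
        entry = unique.setdefault(rec["sha1"], {"cert": rec, "endpoints": []})
        entry["endpoints"].append((rec["addr"], rec["port"]))
    return unique


def expiring_within(unique, days, now):
    """[(subject_cn, days_left, endpoint_count)] for unique certs expiring in
    fewer than `days` days, soonest first; negative days_left = already expired."""
    hits = []
    for entry in unique.values():
        left = (entry["cert"]["not_after"] - now).days
        if left < days:
            hits.append((entry["cert"]["subject_cn"], left, len(entry["endpoints"])))
    return sorted(hits, key=lambda h: h[1])


def count_by_issuer(unique):
    """Counter of unique certificates per issuer (organization / CN)."""
    return Counter(entry["cert"]["issuer"] for entry in unique.values())


if __name__ == "__main__":
    recs, gaps = parse_inventory(SAMPLE_XML)
    uniq = dedupe_by_fingerprint(recs)
    now = datetime.now(timezone.utc)
    print(f"{len(recs)} endpoints, {len(uniq)} unique certs, {len(gaps)} open ports without a cert")
    for cn, left, n in expiring_within(uniq, 30, now):
        print(f"  expiring: {cn} in {left} days on {n} endpoint(s)")
    for issuer, n in count_by_issuer(uniq).most_common():
        print(f"  {n:4d}  {issuer}")
    for addr, port in gaps:
        print(f"  blind spot: {addr}:{port} open, no certificate returned (retry with SNI)")
```

Deduplicating before counting matters for the baseline: a single CDN certificate seen on 200 edge IPs is one certificate to renew, not 200, while the gap list is what you feed back into the SNI hostname list for the next run.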

Phase 5: Optimization Actions

Objective: Improve future scans and establish ongoing monitoring

💡 Daily scans: High-change environments, CI/CD pipelines

💡 Weekly scans: Standard production environments

💡 Monthly scans: Stable infrastructure

💡 Quarterly: Full comprehensive scan with optimization review

Troubleshooting

Problem: High timeout rate (>10%)

Solution: Reduce parallelism, increase timeout values, check for network congestion or firewall drops

Problem: Missing certificates on known hosts

Solution: Add hostnames to SNI probe list - without SNI, you may only find default certificates

Problem: Partial chains extracted

Solution: This is usually a server misconfiguration, not a scanner issue. Flag for remediation.

Problem: Scan never completes

Solution: Break into smaller IP ranges, add stricter timeouts, check for hung connections

Problem: Zero results from subnet

Solution: Either a firewall is blocking the scanner IP or the hosts drop the ping probes nmap uses for host discovery. Retry with -Pn first; if the subnet is still empty, request an exception from the network team.

Problem: Duplicate certificates appearing

Solution: Normal for CDNs and load balancers. Deduplicate by thumbprint in reporting.