Securing your digital assets is paramount in today’s interconnected world, and managing SSL/TLS certificates is a critical aspect of this security. Digicert Certificate Scan Tool is designed to simplify this process by enabling users to efficiently scan their networks and identify the SSL/TLS certificates in use. Whether you are an IT professional, a network administrator, or responsible for website security, understanding how to effectively use this tool is essential. This guide provides a detailed walkthrough on configuring and utilizing the Digicert Certificate Scan Tool to ensure your digital infrastructure is secure and compliant.
The Digicert Certificate Scan Tool offers a range of customizable options to tailor scans to your specific needs. Let’s explore each step in detail:
1. Naming Your Scan for Easy Identification
The first step in setting up a scan is to give it a descriptive name. This is crucial for organization, especially when managing multiple scans. A well-chosen name helps you quickly identify and differentiate scans, allowing for efficient management and analysis of results. For example, you might name scans based on the date, the network segment being scanned, or the specific purpose of the scan, such as “Weekly External Scan” or “Internal Server Certificates Check.”
2. Selecting the Division and Sensor
Next, you need to choose the division associated with the sensor you intend to use for the scan. During the initial setup of the Digicert Certificate Scan Tool, sensors are assigned to specific divisions. This organizational structure ensures that you only see and utilize the sensors relevant to your assigned division, streamlining the scanning process and enhancing security by limiting access based on roles and responsibilities. If your account does not utilize divisions, you will see your organization name listed instead.
3. Specifying Ports for Scanning
Defining the ports for scanning is a critical step in targeting your certificate scan effectively. You have several options to specify which ports the tool will examine for SSL/TLS certificates:
- All: Selecting “All” instructs the tool to scan every port within a specified range. This is useful for a comprehensive scan that discovers certificates on non-standard ports, but it is considerably slower and opens far more connections per host, so schedule it accordingly.
- Default: Choosing “Default” limits the scan to ports commonly used by TLS-enabled services: 443 (HTTPS), 389 (LDAP), 636 (LDAPS), 22 (SSH), 143 (IMAP), 110 (POP3), 465 (SMTPS), 8443 (HTTPS alternate), and 3389 (RDP). This option is ideal for quickly checking standard configurations. Keep in mind that 389, 143, and 110 normally start in cleartext and upgrade to TLS with STARTTLS, and that SSH on port 22 authenticates with SSH host keys rather than X.509 certificates, so interpret results for those ports accordingly.
Selecting the right ports ensures that your scan is both thorough and efficient, focusing on the most likely locations for SSL/TLS certificates within your network infrastructure.
4. Enabling SNI Scanning (Optional)
Server Name Indication (SNI) is a TLS extension in which the client names the host it wants to reach in its ClientHello, allowing a server to present a different SSL/TLS certificate for each of the domains it hosts on a single IP address. A scan that connects to such a server by IP address alone receives only the server’s default certificate. If your servers utilize SNI, enable SNI scanning so the tool requests and assesses the certificate for each hosted domain. It’s important to note that SNI scanning may be limited to 10 ports per server, and results may not always include IP information as part of the scan details.
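The following probe illustrates what the port and SNI choices in steps 3 and 4 mean at the protocol level. It is an added example, not DigiCert’s sensor code: DEFAULT_PORTS mirrors the “Default” list above, build_jobs() applies the 10-port SNI limit (assuming the first ports listed are the ones kept), and probe() performs the TLS handshake a sensor would, recording the peer IP so it is not lost when scanning by hostname. The optional use of the third-party cryptography package to decode the certificate is an assumption; without it the probe still reports the fingerprint and TLS version.

```python
"""TLS certificate probe for the port and SNI options above.

Added example, not DigiCert's sensor code: DEFAULT_PORTS mirrors the
'Default' port list in the text, build_jobs() applies the 10-port SNI
limit, and probe() performs the handshake a sensor would.
"""
from __future__ import annotations

import hashlib
import socket
import ssl
import sys
from dataclasses import dataclass

try:
    from cryptography import x509  # optional: only used to decode subject/SAN/expiry
except ImportError:
    x509 = None

# The tool's 'Default' ports. Protocol caveats matter when reading results:
# 389, 143 and 110 start in cleartext and upgrade with STARTTLS, and 22 (SSH)
# uses SSH host keys rather than X.509, so a bare TLS handshake on those ports
# usually fails even when the service is running.
DEFAULT_PORTS = {
    443: "https", 389: "ldap (STARTTLS)", 636: "ldaps", 22: "ssh (no X.509)",
    143: "imap (STARTTLS)", 110: "pop3 (STARTTLS)", 465: "smtps",
    8443: "https-alt", 3389: "rdp",
}
SNI_PORT_LIMIT = 10  # per-server limit mentioned in the SNI section


@dataclass(frozen=True)
class ScanJob:
    host: str        # IP address or FQDN the TCP connection goes to
    port: int
    sni: str | None  # hostname sent in the ClientHello; None = no SNI


def build_jobs(host: str, ports, sni_names=()) -> list[ScanJob]:
    """Expand one server into the probes to run.

    Without SNI names: one probe per port, so only the server's default
    certificate is seen. With SNI names: one probe per (port, name), over at
    most SNI_PORT_LIMIT ports (assumption: the first ports listed are kept).
    """
    ports = list(dict.fromkeys(ports))  # de-duplicate, keep order
    if not sni_names:
        return [ScanJob(host, p, None) for p in ports]
    return [ScanJob(host, p, name)
            for p in ports[:SNI_PORT_LIMIT] for name in sni_names]


def probe(job: ScanJob, timeout: float = 5.0) -> dict:
    """Handshake once and describe the leaf certificate presented.

    Verification is deliberately off: an inventory scan must still record
    expired, self-signed or mis-issued certificates instead of aborting.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((job.host, job.port), timeout=timeout) as raw:
        peer_ip = raw.getpeername()[0]  # keep the IP even when connecting by name
        with ctx.wrap_socket(raw, server_hostname=job.sni) as tls:
            der = tls.getpeercert(binary_form=True)  # DER is returned even unverified
            info = {
                "host": job.host, "port": job.port, "sni": job.sni,
                "peer_ip": peer_ip, "tls_version": tls.version(),
                "sha256": hashlib.sha256(der).hexdigest(),
            }
    if x509 is not None:
        cert = x509.load_der_x509_certificate(der)
        info["subject"] = cert.subject.rfc4514_string()
        # not_valid_after_utc exists in cryptography >= 42; fall back otherwise
        expiry = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after
        info["not_after"] = expiry.isoformat()
        try:
            san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
            info["sans"] = san.value.get_values_for_type(x509.DNSName)
        except x509.ExtensionNotFound:
            info["sans"] = []
    return info


if __name__ == "__main__":
    # usage: python probe.py <host> [sni-name ...]; scans the default ports
    target, names = sys.argv[1], sys.argv[2:]
    for job in build_jobs(target, DEFAULT_PORTS, names):
        try:
            print(probe(job))
        except (OSError, ssl.SSLError) as exc:
            print(f"{job.host}:{job.port} sni={job.sni}: {exc}")
```

Running it against a host once without SNI names and once with the hostnames it serves makes the difference visible: the first pass returns the default certificate on every port, the second returns one certificate per name.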
5. Choosing the Sensor
Selecting the appropriate sensor is crucial for the execution of your scan. The sensor is the component that performs the actual scanning process. When configuring your scan, you will be presented with a list of sensors assigned to the division you selected earlier. Choosing the right sensor might depend on factors like network location (the sensor must be able to reach the targets), sensor load, or specific sensor capabilities if you have a complex deployment. As with division selection, if divisions are not in use, the sensors are listed under your organization name instead.
6. Defining Scan Targets: IP Addresses and FQDNs
Specifying the targets for your scan involves defining the IP addresses and Fully Qualified Domain Names (FQDNs) that you want to include or exclude from the scanning process. The Digicert Certificate Scan Tool offers flexible options for defining these targets:
- Include FQDNs and IP addresses: This option allows you to add specific targets to be scanned. You can include:
  - Single IP addresses (e.g., 192.168.1.10)
  - Ranges of IP addresses (e.g., 192.168.1.1-192.168.1.255)
  - IP ranges in CIDR format (e.g., 192.168.1.0/24)
  - FQDNs (e.g., www.example.com)
- Exclude FQDNs and IP addresses: Conversely, you can specify IP addresses or ranges to be excluded from a broader scan. This is useful when you want to scan a large network segment but need to skip certain addresses, such as test environments or devices known to be out of scope. Exclusion options mirror the inclusion options, supporting single IPs, IP ranges, and CIDR notation.
7. Managing Subdomains
The Digicert Certificate Scan Tool provides robust features for managing subdomains within your scans. In the scan list, you can refine your scan scope by including or excluding subdomains associated with your primary domains. The “Actions” column for each domain in the scan list provides the following options:
- Include all subdomains: This action automatically includes all discovered subdomains of a domain in your scan.
- Exclude all subdomains: This action prevents any subdomains of the domain from being scanned, which can be useful to narrow down the scan scope.
- Add subdomains or Edit subdomains: These options allow you to selectively choose specific subdomains to include or exclude. You can pick from a list of available subdomains that the tool has discovered.
- Delete: This option removes the IP/FQDN entry entirely from the scan list.
It’s important to understand how subdomain discovery works: the tool typically lists only subdomains one level below the main domain, and only those that are publicly visible, discovered through public DNS servers or Certificate Transparency (CT) logs, so you are working with publicly verifiable information. Internal-only hostnames that never appear in public DNS or CT logs will not be offered here; add them explicitly as FQDNs or IP addresses in the target list.
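To make the target rules of steps 6 and 7 concrete, the following added example (not DigiCert’s code) resolves an include list, an exclude list, and per-domain subdomain actions into the final set of hosts a scan would touch. parse_target() accepts the four notations listed above; expand_targets() applies exclusions and the Include all / Exclude all / Add subdomains actions, keeping only discovered names exactly one label below the parent domain. The discovered mapping stands in for what the tool obtains from public DNS or CT logs and is constructed for the example, and the rule that an FQDN named explicitly in the include list is always scanned is an assumption.

```python
"""Resolve a scan's include/exclude lists into the concrete target set.

Added example, not DigiCert's code: parse_target() accepts the notations
listed above (single IP, dashed range, CIDR block, FQDN) and
expand_targets() applies the exclusion list and the subdomain actions.
The 'discovered' mapping stands in for what the tool would obtain from
public DNS or CT logs; any data passed in here is constructed for the example.
"""
import ipaddress
import re

# Hostname: labels of letters, digits and hyphens, alphabetic top-level label
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def parse_target(spec: str):
    """Return a list of ip_network objects, or a one-element list with an FQDN."""
    spec = spec.strip().lower()
    try:  # single IP (becomes /32 or /128) or CIDR block
        return [ipaddress.ip_network(spec, strict=False)]
    except ValueError:
        pass
    if spec.count("-") == 1:  # dashed range, e.g. 192.168.1.1-192.168.1.255
        lo, hi = (s.strip() for s in spec.split("-"))
        try:
            lo_ip, hi_ip = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        except ValueError:
            lo_ip = None  # not a range; may still be a hostname containing a hyphen
        if lo_ip is not None:
            if lo_ip.version != hi_ip.version or hi_ip < lo_ip:
                raise ValueError(f"invalid address range: {spec!r}")
            return list(ipaddress.summarize_address_range(lo_ip, hi_ip))
    if FQDN_RE.match(spec):
        return [spec]
    raise ValueError(f"unrecognised target: {spec!r}")


def _one_level_below(domain, names):
    """Keep only names exactly one label beneath domain (the discovery rule above)."""
    suffix = "." + domain
    return {n.lower() for n in names
            if n.lower().endswith(suffix) and n.count(".") == domain.count(".") + 1}


def expand_targets(includes, excludes=(), subdomain_actions=None, discovered=None):
    """Return {'ips': [...], 'fqdns': [...]} for the scan.

    subdomain_actions maps a domain to 'all', 'none' or an explicit list of
    subdomains (the Include all / Exclude all / Add subdomains actions).
    Assumption: an FQDN named explicitly in `includes` is always scanned;
    only discovered subdomains are subject to the action.
    """
    subdomain_actions = subdomain_actions or {}
    discovered = discovered or {}
    nets, names, ex_nets, ex_names = [], set(), [], set()
    for spec in includes:
        for item in parse_target(spec):
            if isinstance(item, str):
                names.add(item)
            else:
                nets.append(item)
    for spec in excludes:
        for item in parse_target(spec):
            if isinstance(item, str):
                ex_names.add(item)
            else:
                ex_nets.append(item)

    for domain in list(names):
        candidates = _one_level_below(domain, discovered.get(domain, []))
        action = subdomain_actions.get(domain, "none")
        if action == "all":
            names |= candidates
        elif action != "none":  # explicit selection from the discovered list
            names |= {s.lower() for s in action} & candidates
    names -= ex_names

    ips = set()
    for net in nets:
        for addr in net:  # every address in the block/range, network and broadcast included
            if not any(addr in ex for ex in ex_nets):
                ips.add(addr)
    return {
        "ips": [str(a) for a in sorted(ips, key=lambda a: (a.version, int(a)))],
        "fqdns": sorted(names),
    }
```

Note that a dashed range such as 192.168.1.1-192.168.1.255 is summarized into CIDR blocks and then walked address by address, so the scan list is exactly the range the operator typed, and excluded addresses are removed after expansion rather than before, matching the “scan a segment but skip these hosts” use described above.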
8. Finalizing Scan Setup
Once you have configured all the necessary parameters—from naming your scan and selecting sensors to defining scan targets and managing subdomains—review your settings to ensure accuracy. After confirming your configuration, select “Next” to proceed and schedule or immediately run your certificate scan.
By following these steps, you can effectively utilize the Digicert Certificate Scan Tool to gain comprehensive visibility into your SSL/TLS certificate landscape. Regular scans help maintain robust security, identify vulnerabilities, and ensure compliance with security policies and industry standards.