Network
Learn how to configure a Network discovery job to find certificates across your infrastructure.
Network discovery scans network endpoints over TLS to discover certificates served by hosts across IP ranges and domains. Optionally, you can use a KMS Gateway to reach endpoints in private networks that are not accessible from the internet.
- Navigate to your Certificate Management Project > Discovery and press Add Job.

- Fill in the discovery job details and click Create.

  - Name: A slug-friendly name for the discovery job (e.g., prod-tls-scan).
  - Description: An optional description for the discovery job.
  - Targets: A list of domains, IP addresses, or CIDR ranges to scan (e.g., example.com, 192.168.1.1, 10.0.0.0/24).
  - Ports: The ports to scan for TLS certificates. Defaults to common TLS ports if not specified.
  - Gateway (optional): The KMS Gateway to use for running the scan. Only required to reach endpoints in private networks.
  - Auto Scan: Toggle to enable automatic periodic scanning. When enabled, select a scan interval (e.g., daily, weekly).

  At least one target (domain or IP) must be specified.

- Trigger a scan manually by pressing Scan Now on the discovery job's page, or wait for the next automatic scan if auto scan is enabled.

- After a scan completes, view the results on the discovery job's detail page:

  - Installations: The unique locations where certificates were found.
  - Certificates: The certificates discovered at each installation, including details such as common name, issuer, and expiration date.
  - Scan History: A log of all scans that have been run, including status and timestamps.

To create a Network discovery job, make an API request to the Create Discovery API endpoint.
Sample request

    curl --request POST \
      --url https://app.kms.hanzo.ai/api/v1/pki/discovery \
      --header 'Authorization: Bearer <access-token>' \
      --header 'Content-Type: application/json' \
      --data '{
        "projectId": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
        "name": "prod-tls-scan",
        "description": "Scan production network for TLS certificates",
        "type": "network-tls",
        "gatewayId": "550e8400-e29b-41d4-a716-446655440000",
        "isAutoScanEnabled": true,
        "scanIntervalInDays": 1,
        "targetConfig": {
          "ipRanges": ["10.0.0.0/24", "192.168.1.1"],
          "domains": ["example.com"],
          "ports": "443, 8443"
        }
      }'

To trigger a scan, make a request to the Trigger Scan endpoint:

    curl --request POST \
      --url https://app.kms.hanzo.ai/api/v1/pki/discovery/<discoveryId>/scan \
      --header 'Authorization: Bearer <access-token>'

Limits
The following limits apply to Network discovery jobs:
- Max individual IPs: 256
- Max domains: 20
- Max ports: 5
- Minimum CIDR prefix: /24 (256 hosts)
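
A pre-flight check of a targetConfig object against the limits listed above, as an added example that is not part of the product's documentation or API. The helper name validate_target_config is hypothetical, and the code assumes that only bare addresses count toward the individual-IP limit and that the /24 floor means at most 256 addresses per CIDR range.

```python
import ipaddress

# Limits copied from the "Limits" list on this page.
MAX_INDIVIDUAL_IPS = 256
MAX_DOMAINS = 20
MAX_PORTS = 5
MAX_ADDRS_PER_CIDR = 256  # "/24 (256 hosts)"

# targetConfig from the page's sample request.
SAMPLE = {
    "ipRanges": ["10.0.0.0/24", "192.168.1.1"],
    "domains": ["example.com"],
    "ports": "443, 8443",
}


def validate_target_config(cfg):
    """Return a list of problems; an empty list means cfg fits the limits."""
    errors = []
    ip_entries = cfg.get("ipRanges") or []
    domains = cfg.get("domains") or []
    single_ips = 0
    for entry in ip_entries:
        try:
            if "/" in entry:
                net = ipaddress.ip_network(entry, strict=False)
                # Assumption: the /24 floor means <= 256 addresses per range.
                if net.num_addresses > MAX_ADDRS_PER_CIDR:
                    errors.append(f"{entry}: more than 256 addresses")
            else:
                ipaddress.ip_address(entry)
                single_ips += 1
        except ValueError:
            errors.append(f"{entry}: not a valid IP address or CIDR range")
    # Assumption: only bare addresses count toward the individual-IP limit.
    if single_ips > MAX_INDIVIDUAL_IPS:
        errors.append(f"{single_ips} individual IPs (max {MAX_INDIVIDUAL_IPS})")
    if len(domains) > MAX_DOMAINS:
        errors.append(f"{len(domains)} domains (max {MAX_DOMAINS})")
    if not ip_entries and not domains:
        errors.append("at least one target (domain or IP) must be specified")
    # Ports arrive as one comma-separated string, as in the sample request.
    ports = [p.strip() for p in (cfg.get("ports") or "").split(",") if p.strip()]
    if len(ports) > MAX_PORTS:
        errors.append(f"{len(ports)} ports (max {MAX_PORTS})")
    for p in ports:
        if not (p.isascii() and p.isdigit() and 1 <= int(p) <= 65535):
            errors.append(f"port {p!r}: not a number in 1-65535")
    return errors
```

Running the check before the Create Discovery request keeps an over-broad range such as a /16 from being submitted as a scan target.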