Certificate Discovery: Finding the Certs Your Team Forgot About

Your next certificate outage probably won’t come from a cert you’re tracking. It’ll come from one you didn’t know existed.

That self-signed certificate a developer spun up for a test environment two years ago. The wildcard cert someone installed on a load balancer during a weekend migration. The internal CA-issued certificate sitting on a legacy server that nobody touches anymore. These are the certificates that cause 3 AM phone calls and six-figure outage bills.

According to a Keyfactor-Ponemon Institute study, 71% of organizations don’t actually know how many keys and certificates are deployed across their infrastructure. And with 81% of companies experiencing at least one certificate-related outage in the past year, those blind spots aren’t just messy — they’re expensive.

Certificate discovery is the process of finding every single SSL/TLS certificate across your environment, including the ones nobody remembers installing. It’s the unglamorous first step of certificate lifecycle management, and skipping it is like changing the oil on your car while ignoring the engine light.

Why Forgotten Certificates Are Your Biggest Blind Spot

Every IT team has a spreadsheet. Maybe it’s a shared Google Sheet, an Excel file on someone’s desktop, or a OneNote page buried three notebooks deep. It tracks the important certificates — the ones on your public-facing websites, your VPN endpoints, your email servers.

But here’s the problem: that spreadsheet only knows what someone manually added to it.

Research from Venafi shows that roughly 40% of organizations have experienced security incidents involving rogue or unauthorized certificates. These aren’t certificates that were being tracked and accidentally expired. They’re certificates that nobody even knew were there.

Shadow certificates crop up in predictable ways:

• Developer test environments that became semi-permanent
• Proof-of-concept deployments that got promoted to production without proper documentation
• Mergers and acquisitions where certificate inventories were never consolidated
• Departmental IT purchases made outside the central team’s awareness
• Legacy systems that have been running quietly for years without anyone touching them

The average enterprise manages around 256,000 internal certificates, according to Keyfactor’s State of Machine Identity Management report. Even well-staffed teams struggle to keep track of that volume manually. And with certificate lifespans dropping — from 398 days currently down to 200 days starting March 15, 2026 — the margin for error keeps shrinking.

The Real Cost of What You Can’t See

Certificate outages aren’t cheap. An average certificate-related outage takes about 5.3 hours to resolve — 2.6 hours just to figure out what went wrong and another 2.7 hours to actually fix it. At an average cost of $9,000 per minute of downtime, a single outage can easily cost over $2.8 million.

But the financial hit is only part of the story.

When a forgotten certificate expires on a critical system, it triggers a cascade. Services fail. APIs break. Internal tools go down. Customers see error messages. Your security team drops everything to investigate. And it typically takes eight staff members to remediate a single outage, according to Keyfactor’s research.

The SpaceX Starlink outage is a perfect example. Satellites went offline for hours because of an expired ground station certificate. Ericsson’s expired certificate took down 4G and SMS service for 32 million people across 11 countries. Microsoft Teams and Outlook went dark because of a certificate issue. These were sophisticated organizations with massive IT budgets, and they still got caught off guard.

If it can happen to them, it can happen to your team.

What Certificate Discovery Actually Looks Like

Certificate discovery isn’t a one-time audit. It’s an ongoing process that should cover every corner of your infrastructure. There are three main approaches, and the strongest strategy uses all of them together.

CA Integration: Going Straight to the Source

If you’re running internal Certificate Authorities — Windows CAs, for example — you can pull certificate data directly from the source. This gives you a clean view of everything your CAs have issued, including certificates you might not have tracked at the endpoint level.

The catch? This only covers certificates issued by CAs you know about. Shadow IT certificate authorities — CAs set up by individual teams or engineers who needed certs fast — won’t show up here. And self-signed certificates bypass CAs entirely.

Network and Server Scanning: Finding What’s Actually Deployed

Scanning your servers and endpoints gives you ground truth. Instead of relying on what should be deployed, you see what actually is deployed. This catches self-signed certs, certificates from third-party CAs, and anything else that’s been installed on a machine.

Agent-based scanning — where a lightweight script runs on each server and reports back — tends to be the most thorough approach. It can check local certificate stores, application-specific keystores, and any custom paths where certificates might be stashed.

URL Monitoring: Catching Public-Facing Certificates

For certificates on web-facing endpoints, URL monitoring periodically checks the certificate presented by a given URL. This is particularly useful for catching certificates on load balancers, CDNs, and reverse proxies that might not show up in a server-level scan.

Five Signs Your Certificate Discovery Process Is Broken

Not sure if your current approach has gaps? Here are some warning signs:

1. Your certificate inventory lives in a spreadsheet. Spreadsheets are where certificates go to be forgotten. They don’t auto-update, they don’t send alerts, and they rely on someone remembering to add every new certificate manually. If your inventory is a spreadsheet, it’s already out of date.

2. You’ve been surprised by an expired certificate in the last year. If a certificate expired without your team knowing it was about to, that’s a discovery failure. It means the cert wasn’t in your tracking system, or your tracking system doesn’t actually work.

3. You don’t know how many certificates you have. If someone asked you right now for a total count of certificates across your entire infrastructure, could you answer? If the honest answer is “not really,” you have a discovery problem.

4. Different teams manage their own certificates independently. When the web team, the infrastructure team, and the application team all handle their own certs, you end up with fragmented visibility. Nobody has the full picture.

5. You can’t tell which servers a certificate is installed on. Knowing a certificate exists isn’t enough. You need to know where it lives — every server, every endpoint, every load balancer. Without that association, you can’t properly plan a renewal or assess the blast radius of an expiration.

Building a Certificate Discovery Strategy That Actually Works

Getting certificate discovery right requires a deliberate approach. Here’s a framework that covers the bases without overcomplicating things.

Start With What You Know

Pull certificate data from every source you currently track — your CAs, your existing spreadsheets, your ticketing system. This gives you a baseline. It won’t be complete, but it’s a starting point.

Deploy Agents Across Your Server Fleet

Install lightweight agents on your Windows and Linux servers to scan local certificate stores. This is where you’ll find the certificates that never made it into your manual tracking — the forgotten certs, the test certs, the certs that someone installed “temporarily” eighteen months ago.

The key here is making deployment easy enough that teams actually do it. If deploying an agent takes an hour of configuration and three approval tickets, coverage will be spotty. If it’s a quick script install, you’ll get much better adoption.

Monitor Your Certificate Authorities

Connect to your internal CAs so you get a real-time feed of every certificate they issue. This catches new certificates the moment they’re created, rather than waiting for someone to manually log them.

Scan Your External URLs

Set up URL monitoring for every public-facing endpoint. This covers certificates on load balancers and CDNs that server-level agents might miss.

Map Certificates to Infrastructure

This is the step most teams skip, and it’s arguably the most valuable. Once you know what certificates exist, you need to know where they live. A single wildcard certificate might be installed on fifteen different servers. When that cert approaches expiration, you need to know about all fifteen — not just the one you remembered.

CertMS handles this automatically. When both the CA monitor and server agents are running, it maps which certificates are installed on which servers, so you always know the full scope of any renewal.

Make It Continuous

Certificate discovery isn’t a project with a finish date. New certificates get issued, new servers come online, and people install things without telling anyone. Your discovery process needs to run continuously to keep your inventory current.

Preparing for the 200-Day Certificate Lifespan

Here’s why certificate discovery matters even more right now: starting March 15, 2026, maximum certificate validity drops to 200 days. By 2029, it’ll be down to just 47 days. That means the volume of renewals your team handles is about to increase dramatically.

When certificates lasted a year or more, a forgotten cert might sit unnoticed for months before becoming a problem. With 200-day lifespans, the window shrinks. With 47-day lifespans, a missed certificate becomes a crisis in weeks, not months.

Teams that don’t have full certificate visibility right now are going to get hammered by the shorter lifespans. You can’t renew what you can’t find, and you can’t find what you haven’t discovered.

How CertMS Tackles Certificate Discovery

CertMS was built specifically for this problem — finding certificates before they find you.

Rather than inserting itself into your certificate lifecycle, CertMS monitors it. That’s an important distinction. CertMS doesn’t issue or renew certificates for you. Instead, it watches your Certificate Authorities, scans your servers, and monitors your URLs to build a complete, always-current picture of every certificate in your environment.

Here’s what that looks like in practice:

• CA Monitoring: A lightweight PowerShell agent runs on your Windows Certificate Authorities and feeds certificate data into CertMS as certificates get issued. No manual entry required.
• Server Agents: PowerShell scripts for Windows and Bash scripts for Linux scan local certificate stores and report back. You get visibility into every certificate on every monitored server.
• URL Scanning: CertMS monitors your public-facing URLs and pulls certificate data automatically.
• Certificate-to-Server Mapping: CertMS connects the dots between certificates and the servers they live on. When a certificate is about to expire, you don’t just get an alert — you get a list of every server affected.
• Integrated Documentation: You can attach renewal documentation to specific certificates. When an alert fires or a help desk ticket gets created, that documentation travels with it. No more hunting for “how do we replace the cert on that weird legacy server” instructions.

The reporting and alerting system ties it all together. Schedule reports on expiring certificates, set up alerts at 90, 60, and 30 days, and configure integrations that automatically create help desk tickets or trigger webhooks when renewals are due.

Getting Started With Certificate Discovery

If you’re managing 30 or more certificates — and you suspect there are more out there that you don’t know about — here’s a practical path forward.

Week one: Deploy CertMS and connect your Certificate Authorities. This alone will surface certificates you may not have been tracking at the endpoint level.

Week two: Roll out server agents to your Windows and Linux machines. Start with production servers and expand from there. Pay attention to the certificates that show up that weren’t in your existing tracking — those are your blind spots.

Week three: Set up URL monitoring for all public-facing endpoints. Configure reporting and alerting so you know about expiring certificates well before they become emergencies.

Week four: Review your complete certificate inventory. Look for certificates that are expiring soon, certificates with weak encryption, and certificates that exist on multiple servers. Set up your help desk integration so that renewals automatically generate tickets with the right documentation attached.

From there, it’s about maintaining the habit. Keep agents deployed, keep monitors running, and review your dashboard regularly. Certificate discovery stops working the moment you stop paying attention.

Ready to find out what’s hiding in your infrastructure? Start a free trial of CertMS and see your complete certificate landscape for the first time.

---

Sources:

• Keyfactor 2024 PKI & Digital Trust Report
• Keyfactor-Ponemon Institute: State of Machine Identity Management
• Venafi: What Are Shadow Certificates?
• Sectigo: Certificate Outage Costs
• CyberArk: TLS Certificate Validity Cut to 47 Days
• CSO Online: Expired Certificates Cost Businesses $15 Million Per Outage
• Security Boulevard: The Hidden Cost of Certificate Outages

*Word Count: ~2,100 words*