SecureNT Intranet SSL

SSL/TLS Certificates for Internal Networks.

2025-05-19 16:29:00

How to Discover SSL/TLS Certificates in Your Internal Network Without a CA

Discovery is a crucial step before implementing any SSL/TLS management solution, especially in complex or distributed IT environments.

To identify how many SSL/TLS certificates an organization has — without reaching out to the Certificate Authority (CA) — you can follow a technical discovery approach. Here's how:

🔍 1. Internal Network Scanning Tools

Use network scanning tools to discover certificates in use across internal systems.

Recommended Tools:

  • Nmap with the ssl-cert script:
    nmap -p 443 --script ssl-cert <IP-range>
    This reveals certificate details (issuer, subject, expiry, etc.).
  • SSLyze – Fast scanning of SSL endpoints, retrieves cert data.
  • OpenVAS or Nessus – Enterprise-grade vulnerability scanners that can include cert discovery.
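The nmap sweep reports what each listener presents, but the output still has to be turned into an inventory. The following is an added example written for this page (it is not SecureNT's code and not output of the tools above) that does the same active discovery with only Python's standard library: connect to each endpoint, take the leaf certificate and record subject, issuer, DNS SANs, expiry and SHA-256 fingerprint. The internal CA bundle path, the endpoint list and the getpeercert()-shaped sample record are assumptions/constructed data. It also shows a caveat practitioners trip over: with verification disabled, Python's getpeercert() returns an empty dict, so the scanner verifies against the internal CA bundle first and falls back to the raw DER (and its fingerprint) only when the chain does not validate.

```python
"""Active TLS certificate inventory for a list of internal endpoints.

Added example for this page, not SecureNT code. It does by hand what the nmap ssl-cert
sweep does: connect, take the leaf certificate, turn it into an inventory record.
Assumptions: INTERNAL_CA_BUNDLE is a hypothetical path to the organisation's internal
root CA bundle; ENDPOINTS, SAMPLE_PEERCERT, SAMPLE_DER and SAMPLE_NOW are constructed.
"""
import hashlib
import os
import socket
import ssl
from datetime import datetime, timezone

INTERNAL_CA_BUNDLE = "/etc/ssl/internal-ca-bundle.pem"  # hypothetical path (assumption)
EXPIRY_WARNING_DAYS = 30
ENDPOINTS = [("intranet.example.internal", 443), ("git.example.internal", 8443)]  # constructed


def fetch_certificate(host, port=443, ca_bundle=INTERNAL_CA_BUNDLE, timeout=5.0):
    """Return (parsed_cert_or_None, der_bytes) for the endpoint's leaf certificate.

    Caveat: with verify_mode=CERT_NONE, getpeercert() returns {}; the parsed form is only
    available when the chain validates. So verify against the internal CA bundle first
    (hostname check off: this is inventory, not authentication) and, only if that fails,
    reconnect unverified and keep the raw DER, which still gives a fingerprint to count by.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    if ca_bundle and os.path.exists(ca_bundle):
        ctx.load_verify_locations(cafile=ca_bundle)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert(), tls.getpeercert(binary_form=True)
    except ssl.SSLCertVerificationError:
        unverified = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        unverified.check_hostname = False
        unverified.verify_mode = ssl.CERT_NONE
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with unverified.wrap_socket(sock, server_hostname=host) as tls:
                return None, tls.getpeercert(binary_form=True)


def sha256_fingerprint(der):
    """Colon-separated SHA-256 fingerprint, as openssl x509 -fingerprint -sha256 prints it."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def flatten_name(name):
    """getpeercert() encodes a name as a tuple of RDNs, each a tuple of (type, value) pairs."""
    return {attr: value for rdn in name for attr, value in rdn}


def summarize(host, port, parsed, der, now=None):
    """Flatten one endpoint's certificate into an inventory record."""
    now = now or datetime.now(timezone.utc)
    record = {"endpoint": f"{host}:{port}", "sha256": sha256_fingerprint(der),
              "chain_verified": parsed is not None}
    if parsed:
        not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(parsed["notAfter"]), timezone.utc)
        days_left = (not_after - now).days
        record.update({
            "subject_cn": flatten_name(parsed.get("subject", ())).get("commonName"),
            "issuer_cn": flatten_name(parsed.get("issuer", ())).get("commonName"),
            "san_dns": [v for kind, v in parsed.get("subjectAltName", ()) if kind == "DNS"],
            "not_after": not_after.isoformat(),
            "days_left": days_left,
            "expiring_soon": days_left <= EXPIRY_WARNING_DAYS,
        })
    return record


# Constructed sample shaped like getpeercert() output; not a real certificate.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "intranet.example.internal"),),),
    "issuer": ((("organizationName", "Example Corp"),), (("commonName", "Example Internal CA"),)),
    "notBefore": "May 19 00:00:00 2025 GMT",
    "notAfter": "Jun 18 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "intranet.example.internal"), ("DNS", "wiki.example.internal")),
}
SAMPLE_DER = b"constructed placeholder bytes, not real DER"
SAMPLE_NOW = datetime(2025, 5, 19, 16, 29, tzinfo=timezone.utc)


def demo_record():
    """Summarise the constructed sample as if fetched from the first endpoint (offline)."""
    return summarize(*ENDPOINTS[0], SAMPLE_PEERCERT, SAMPLE_DER, now=SAMPLE_NOW)


if __name__ == "__main__":
    for host, port in ENDPOINTS:
        try:
            parsed, der = fetch_certificate(host, port)
        except OSError as exc:  # ssl.SSLError is an OSError subclass
            print(f"{host}:{port}\tno TLS certificate retrieved: {exc}")
            continue
        print(summarize(host, port, parsed, der))
```

Feed ENDPOINTS from the nmap results (any host:port that answered with TLS) and the records can be written straight to CSV or a CMDB. Entries with chain_verified false are the interesting ones for an inventory: self-signed or issued by a CA the organisation does not track, which is exactly what a CA-side report would never show.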

🗂 2. Asset Inventory Systems

Check existing asset or configuration management tools like:

  • CMDB (Configuration Management Databases)
  • Endpoint Management tools like Microsoft SCCM or Lansweeper

These may contain data on certificate installations or services like IIS, Apache, or NGINX.

🧰 3. Agent-Based Certificate Discovery

Deploy agents that search local machines for certificate stores:

  • Windows Certificate Stores (certlm.msc, certmgr.msc)
  • Linux keystores or specific locations like /etc/ssl/, /etc/pki/, etc.

You can automate this with:

  • PowerShell scripts for Windows environments
  • Bash scripts or Ansible for Linux environments

🌐 4. Passive Network Monitoring

Use tools that sniff traffic and identify SSL/TLS handshakes:

  • Wireshark (manual, good for spot-checks)
  • Zeek (formerly Bro) – Advanced passive analysis, identifies certificates without scanning

These tools detect certs as clients connect to services, so they also catch listeners that a port sweep missed.
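Zeek's x509.log is where this passive view ends up: one line per certificate observed in a handshake, repeated every time the certificate is seen. The block below is an added example written for this page (not SecureNT's code and not part of the Zeek project) that turns such a log into an inventory: it parses Zeek's tab-separated ASCII format from its own #fields/#types header, collapses repeated sightings by fingerprint, tracks first and last seen, and flags non-CA certificates expiring within 30 days. The log excerpt and the reference time are constructed, and the excerpt keeps only the columns the code uses.

```python
"""Passive certificate inventory from Zeek's x509.log.

Added example for this page, not SecureNT or Zeek project code. Zeek logs every
certificate seen in a TLS handshake to x509.log; this parses that ASCII log, collapses
repeated sightings by fingerprint and annotates expiry and issuer. SAMPLE_ROWS and
SAMPLE_NOW_EPOCH are constructed and keep only the columns used here; the parser is
driven by the #fields/#types header, so full-width real logs parse the same way.
"""
import math


def parse_zeek_log(text):
    """Yield one dict per record, honouring Zeek's ASCII header directives."""
    sep, fields, types = "\t", None, None
    markers = {"#set_separator": ",", "#unset_field": "-", "#empty_field": "(empty)"}
    for raw in text.splitlines():
        if raw.startswith("#separator "):  # the separator itself is written as an escape
            sep = raw.split(" ", 1)[1].encode("ascii").decode("unicode_escape")
        elif raw.startswith("#"):
            key, *values = raw.split(sep)
            if key == "#fields":
                fields = values
            elif key == "#types":
                types = values
            elif key in markers:
                markers[key] = values[0]
        elif raw and fields:
            record = {}
            for name, typ, value in zip(fields, types or ["string"] * len(fields), raw.split(sep)):
                if value == markers["#unset_field"]:
                    record[name] = None
                elif typ.startswith(("vector[", "set[")):
                    record[name] = [] if value == markers["#empty_field"] else value.split(markers["#set_separator"])
                elif typ in ("time", "interval", "double"):
                    record[name] = float(value)
                elif typ in ("count", "int", "port"):
                    record[name] = int(value)
                elif typ == "bool":
                    record[name] = value == "T"
                else:
                    record[name] = value
            yield record


def build_inventory(text, now_epoch, warn_days=30):
    """Collapse per-handshake sightings into one entry per certificate fingerprint."""
    inventory = {}
    for rec in parse_zeek_log(text):
        fingerprint = rec.get("fingerprint") or rec.get("id")  # column name varies by Zeek version
        if fingerprint is None:
            continue
        entry = inventory.setdefault(fingerprint, {
            "subject": rec.get("certificate.subject"),
            "issuer": rec.get("certificate.issuer"),
            "san_dns": rec.get("san.dns") or [],
            "is_ca": bool(rec.get("basic_constraints.ca")),
            "self_signed": rec.get("certificate.subject") == rec.get("certificate.issuer"),
            "not_after": rec.get("certificate.not_valid_after"),
            "first_seen": rec["ts"], "last_seen": rec["ts"], "sightings": 0,
        })
        entry["sightings"] += 1
        entry["first_seen"] = min(entry["first_seen"], rec["ts"])
        entry["last_seen"] = max(entry["last_seen"], rec["ts"])
        if entry["not_after"] is not None:
            days_left = (entry["not_after"] - now_epoch) / 86400
            entry["days_left"] = math.floor(days_left)
            entry["expiring_soon"] = days_left <= warn_days
    return inventory


def expiring_leaf_certs(inventory):
    """Fingerprints of non-CA certificates inside the warning window, soonest first."""
    hits = [(fp, e) for fp, e in inventory.items() if not e["is_ca"] and e.get("expiring_soon")]
    return [fp for fp, _ in sorted(hits, key=lambda item: item[1]["not_after"])]


# Constructed x509.log excerpt: one leaf seen twice, one self-signed leaf, one CA certificate.
SAMPLE_ROWS = [
    ("#set_separator", ","), ("#empty_field", "(empty)"), ("#unset_field", "-"),
    ("#fields", "ts", "fingerprint", "certificate.subject", "certificate.issuer",
     "certificate.not_valid_after", "san.dns", "basic_constraints.ca"),
    ("#types", "time", "string", "string", "string", "time", "vector[string]", "bool"),
    ("1747672140.000000", "aa11", "CN=intranet.example.internal", "CN=Example Internal CA",
     "1750204800.000000", "intranet.example.internal,wiki.example.internal", "F"),
    ("1747672200.000000", "aa11", "CN=intranet.example.internal", "CN=Example Internal CA",
     "1750204800.000000", "intranet.example.internal,wiki.example.internal", "F"),
    ("1747672260.000000", "bb22", "CN=git.example.internal", "CN=git.example.internal",
     "1780000000.000000", "-", "F"),
    ("1747672300.000000", "cc33", "CN=Example Internal CA", "CN=Example Internal CA",
     "1900000000.000000", "-", "T"),
]
SAMPLE_X509_LOG = "#separator \\x09\n" + "\n".join("\t".join(row) for row in SAMPLE_ROWS)
SAMPLE_NOW_EPOCH = 1747672140.0  # 2025-05-19 16:29:00 UTC, constructed

if __name__ == "__main__":
    inventory = build_inventory(SAMPLE_X509_LOG, SAMPLE_NOW_EPOCH)
    for fp, entry in inventory.items():
        print(fp, entry["subject"], f'{entry.get("days_left")}d left', f'{entry["sightings"]} sightings')
    print("expiring leaf certificates:", expiring_leaf_certs(inventory))
```

Point build_inventory() at the text of a real x509.log and the first_seen/last_seen pair tells you which certificates are still being served and which have gone quiet, something neither a port scan nor a CA report can show. Because the fingerprint column is named differently across Zeek releases, the code accepts either fingerprint or id rather than hard-coding one.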

📦 5. Web Application & Server Logs

Check reverse proxies, load balancers (like F5, NGINX, HAProxy), and WAFs.

These often terminate SSL and may log cert details or point to where they're stored.

📊 6. Commercial Certificate Management Solutions

Some solutions offer discovery via:

  • Network sweepers
  • Agentless scanning
  • Integration with APIs or DevOps pipelines

Examples: Venafi, AppViewX, Keyfactor, Sectigo Certificate Manager.

Note: These tools often don’t need the CA's help. They just look at the systems that are using the certificates.

Summary

To discover how many SSL certificates an organization has without contacting the CA, you should:

  • Use network scans and agent-based discovery
  • Query certificate stores and configuration files
  • Leverage logs and monitoring tools
  • Combine multiple methods for complete visibility

PowerShell Script: Discover Issued Certificates in Windows Personal Store

🔍 Targets

  • LocalMachine\My (Personal Certificates for System)
  • CurrentUser\My (Personal Certificates for Logged-in User)

# Certificate stores to inspect, written as Location\Name pairs
$stores = @(
    "LocalMachine\My",
    "CurrentUser\My"
)

$results = @()

foreach ($store in $stores) {
    # Split "LocalMachine\My" into the store location and the store name
    $storeScope, $storeName = $store -split "\\"
    $location = if ($storeScope -eq "LocalMachine") {
        [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine
    } else {
        [System.Security.Cryptography.X509Certificates.StoreLocation]::CurrentUser
    }

    # Open read-only: discovery must never modify the store
    $x509Store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, $location)
    $x509Store.Open("ReadOnly")

    foreach ($cert in $x509Store.Certificates) {
        # Only certificates with a private key can actually be served by this machine
        if ($cert.HasPrivateKey -and $null -ne $cert.Subject) {
            $results += [PSCustomObject]@{
                Subject      = $cert.Subject
                Issuer       = $cert.Issuer
                Thumbprint   = $cert.Thumbprint
                Expires      = $cert.NotAfter
                FriendlyName = $cert.FriendlyName
                Store        = $store
            }
        }
    }

    $x509Store.Close()
}

# Soonest-expiring certificates first
$results | Sort-Object Expires | Format-Table -AutoSize

Notes

  • Run PowerShell as Administrator to access LocalMachine stores.
  • Modify the $stores array to add more stores if needed (TrustedPeople, AuthRoot, etc.).
  • You can export results to CSV:

$results | Export-Csv -Path "certificates_report.csv" -NoTypeInformation

Bash Script: Discover Installed SSL/TLS Certificates on Linux

🔍 What it Does:

  • Scans common system paths where SSL certificates are stored: /etc/ssl/certs, /etc/pki/tls/certs, Apache, NGINX, and custom cert folders
  • Extracts certificate metadata using openssl
  • Outputs Subject, Issuer, Expiry Date, and File Path

#!/bin/bash
# Discover certificate files on a Linux host and print their metadata.
# Requires bash, find and openssl.

# Common locations to scan; add application-specific paths as needed
CERT_DIRS=(
    "/etc/ssl/certs"
    "/etc/pki/tls/certs"
    "/etc/nginx"
    "/etc/apache2"
    "/usr/local/share/ca-certificates"
    "/opt"
)

printf 'Found certificates:\n\n'
printf 'File Path\tSubject\tIssuer\tExpires\n'

# Scan for certificate files. -type f skips symlinks (on Debian-based systems most
# entries in /etc/ssl/certs are links into /usr/share/ca-certificates; add -L to find
# if they should be followed). *.pem also matches private keys, but the openssl x509
# check below discards anything that is not a certificate.
for DIR in "${CERT_DIRS[@]}"; do
    if [ -d "$DIR" ]; then
        find "$DIR" -type f \( -name "*.crt" -o -name "*.pem" -o -name "*.cer" \) 2>/dev/null | while read -r CERTFILE; do
            if openssl x509 -in "$CERTFILE" -noout &>/dev/null; then
                SUBJECT=$(openssl x509 -in "$CERTFILE" -noout -subject | cut -d'=' -f2-)
                ISSUER=$(openssl x509 -in "$CERTFILE" -noout -issuer | cut -d'=' -f2-)
                EXPIRES=$(openssl x509 -in "$CERTFILE" -noout -enddate | cut -d'=' -f2)
                # printf rather than echo -e: subject strings may contain backslashes
                printf '%s\t%s\t%s\t%s\n' "$CERTFILE" "$SUBJECT" "$ISSUER" "$EXPIRES"
            fi
        done
    fi
done

Copyright © 2025 Secure Network Traffic. All rights reserved. SecureNT is a registered trademark of Secure Network Traffic.