Discovery of a TLS Certificate in Windows Server not found
01-20-2023 08:57 AM
Hello,
As of today, I've been running Certificate Discovery for some months and already more than 2,500 Certificates are in our CMDB.
Now I'm interested in discovering one Certificate in a Windows Server that expired last month and gave us issues, and I want to make sure I keep track of it in CMDB. But for some reason Discovery doesn't capture this Certificate.
I could see the Certificate in the server and it doesn't have anything wrong, all fields are there and I'm wondering if I'm missing something in Certificate Discovery and maybe I'm not capturing all of them, or maybe it's just this specific one.
I've tried to find different questions/answers and I created 3 jobs to discover Certificates:
- URL Certificate Discovery (this is what I usually run in our environment, discovers the servers, but no Certificate, not even a message in the log)
- CA Trust Discovery (It doesn't discover anything at all, it starts but it doesn't Complete anything)
- Import Certificates (it's giving me an Error of a missing attribute, but "fingerprint" is present in the Certificate, I can see it.)
Failed Exploring CI Pattern, Pattern name: Import SSL Certificates, To Check Pattern Log Press Here
Identification Engine: Discovery status is FAILURE, Required attribute fingerprint is missing for CI Type cmdb_ci_certificate
If you have any suggestions, I would appreciate it.
Thank you
03-24-2023 06:56 AM
I'm fighting with Import Certificate discovery at this point myself. I found that if it doesn't find any certificates that it recognizes, it will return the missing fingerprint error. I don't know if that's what you're seeing too, so your mileage may vary.
Also it appears to only see certificates with the .txt, .cert, .pem, and .der extensions. I'm experimenting with changing the pattern to pick up other types. So far I have it copying them to the MID for processing, but then it deletes them and ignores them unless they're one of the four types mentioned. No luck figuring out where those certificate extension types live currently. My sources tell me that .cert is old and that they should be .cer these days. Perhaps SN needs to look into this, since we have .pfx and .cer extensions too. If I rename the .cer's to .txt or .pem, it captures them without problems.
10-18-2023 03:34 PM
Hi,
We are also looking to implement certificate discovery using bulk import, as we are interested in managing only 70 critical certificates for our environment, and these are stored in a shared folder. While testing this, we realized that the discovery pattern will not process a file unless it is in one of the four formats you have mentioned, so we had to convert to txt and got it to work. Although the certificates got loaded into the instance, interestingly we found that the thumbprint on the certificates was different in the fingerprint field of the imported certificate. Example shown in the snapshot. Any idea why this is the case?
Thanks
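
Added example, not part of the original thread and not ServiceNow's code: the thumbprint Windows shows is the SHA-1 digest of the certificate's DER encoding, so one way to investigate a mismatch like the one described above is to compute the common digests from the certificate file and see which one a reported value corresponds to. The function names and the sample bytes are constructed for illustration; the thread does not say which digest the CMDB fingerprint field holds.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in bytes (a tiny DER SEQUENCE), not a real certificate.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")


def der_blobs(raw: bytes) -> list[bytes]:
    """Return the DER encoding of each certificate found in a file's bytes.

    Base64 (PEM) files, whatever their extension, may hold several
    certificates; anything else is accepted only if it starts with the
    DER SEQUENCE tag 0x30.
    """
    bodies = PEM_RE.findall(raw)
    if bodies:
        return [base64.b64decode(b"".join(b.split())) for b in bodies]
    if raw[:1] == b"\x30":
        return [raw]
    raise ValueError("neither PEM nor DER certificate data")


def normalize(value: str) -> str:
    """Drop colons, spaces and invisible characters picked up when copying."""
    return re.sub(r"[^0-9A-Fa-f]", "", value).upper()


def identify(raw: bytes, reported: str) -> str:
    """Say which digest of which input reproduces the reported value."""
    want = normalize(reported)
    for index, der in enumerate(der_blobs(raw)):
        for alg in ("sha1", "sha256"):
            if hashlib.new(alg, der).hexdigest().upper() == want:
                return f"cert[{index}] {alg}"
    # A digest of the file as stored (Base64 text, headers and all) differs
    # from the digest of the decoded DER, so check for that case separately.
    for alg in ("sha1", "sha256"):
        if hashlib.new(alg, raw).hexdigest().upper() == want:
            return f"file-bytes {alg}"
    return "no match"
```

Read the exported certificate with `open(path, "rb").read()` and pass it to `identify` together with the value from the Windows certificate dialog, then again with the value from the CMDB record, to see whether the two are simply different digests of the same certificate.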