6.1 Software Auto-Discovery
Automatically find and deploy to common software configurations
The CertKit Agent automatically scans the host for software utilizing TLS certificates. Discovered items appear on the agent detail page and can be used to create deployment configurations with pre-filled paths, formats, and update commands.
How Discovery Works
Discovery is read-only and non-invasive. The agent identifies certificates by:
- Linux: Scanning well-known configuration directories for web server directives (e.g., ssl_certificate, SSLCertificateFile).
- Windows: Querying the OS via PowerShell cmdlets (e.g., Get-RemoteAccess, Get-RDCertificate, IIS:\SslBindings).
Each discovered item includes the certificate path, key path, and the domains covered by the certificate.
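The following Python example is added here for illustration and is not the CertKit Agent's own code: it reads Nginx configuration text and reports the certificate path, key path, and domains for each server block that sets ssl_certificate. The function name discover_nginx, the output field names, and the sample configuration are assumptions; quoted arguments and include directives are not handled.

```python
import re

# Constructed sample configuration, not taken from a real host.
SAMPLE_CONF = """
http {
  server {
    listen 443 ssl;
    server_name example.test www.example.test;
    ssl_certificate /etc/ssl/example.test/fullchain.pem;
    ssl_certificate_key /etc/ssl/example.test/privkey.pem;
    location / { return 200; }
  }
  server {
    listen 80;
    server_name plain.example.test;  # no TLS directive, so not reported
  }
  server {
    listen 443 ssl;
    server_name api.example.test;
    ssl_certificate     /etc/ssl/api/cert.pem;
    ssl_certificate_key /etc/ssl/api/key.pem;
  }
}
"""

# Tokens: comments, structural characters, or bare words (quoted strings not handled).
TOKEN = re.compile(r"#[^\n]*|[{};]|[^\s{};#]+")

def discover_nginx(conf_text):
    """Return one item per server block that sets ssl_certificate (text parsing only)."""
    items, stack, stmt = [], [], []
    for tok in TOKEN.findall(conf_text):
        if tok.startswith("#"):
            continue
        if tok not in ("{", "}", ";"):
            stmt.append(tok)
            continue
        if tok == "{":  # open a block named after the pending words, e.g. "server"
            stack.append({"name": stmt[0] if stmt else "", "d": {}})
        elif tok == "}" and stack:
            block = stack.pop()
            d = block["d"]
            if block["name"] == "server" and d.get("ssl_certificate"):
                items.append({"cert_path": d["ssl_certificate"][0],
                              "key_path": (d.get("ssl_certificate_key") or [None])[0],
                              "domains": d.get("server_name", [])})
        elif tok == ";" and stmt and stack:  # directive belongs to innermost block
            stack[-1]["d"].setdefault(stmt[0], stmt[1:])
        stmt = []
    return items
```

Directives are attributed to the innermost open block, so a directive inside a nested location block is not mistaken for one set on the server block itself.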
Supported Software
Linux
| Software | Discovery Method | Notes |
|---|---|---|
| Nginx | Scans /etc/nginx/ and /usr/local/etc/nginx/. Extracts ssl_certificate and server_name. | Identifies individual server blocks. |
| Apache | Scans /etc/apache2/ or /etc/httpd/. Extracts SSLCertificateFile and ServerName. | Supports separate chain paths. |
| HAProxy | Scans /etc/haproxy/. Extracts crt directives and follows crt-list. | Supports single-file PEM bundles. |
| LiteSpeed | Scans /usr/local/lsws/conf/. Extracts sslCertFile and vhDomain. | |
| Docker | Scans mounted volumes in the agent’s container for standard certificate paths. | Read-only scan of mounted volumes only. |
Windows
| Software | Discovery Method | Notes |
|---|---|---|
| IIS | Queries IIS:\SslBindings via the WebAdministration module. | Reports individual site bindings. |
| Remote Desktop | Queries Win32_TSGeneralSetting and Get-RDCertificate. | Reports per-role listener certificates. |
| RD Gateway | Queries Get-RDCertificate for standalone installs. | |
| DirectAccess | Queries Get-RemoteAccess. | Requires DirectAccess to be installed. |
| RRAS (SSTP) | Queries Get-RemoteAccess. | |
Limitations
- Non-standard Paths: On Linux, software using non-standard configuration paths may not be detected.
- Unsupported Software: Application servers (e.g., Tomcat, JBoss) and certain web servers (e.g., Caddy, Traefik) are not currently auto-discovered. We’re always adding more, so feel free to open an issue on our GitHub repository about it!
- Windows Modules: Discovery for Windows services requires the corresponding PowerShell modules (e.g., WebAdministration) to be installed.
What if my Software isn’t Auto-Discovered?
Even if you’re running a common web server like Nginx, it’s still possible to have custom installations or use non-standard paths. There are thousands of other software packages that require TLS certificates, so many that we’ll never be able to auto-discover all of them.
For software not covered by auto-discovery, we support a host of options. In simple cases you can use a generic deployment configuration. Specify the certificate format and paths and a simple reload command and you’re off to the races. For more complicated deployments (like to network appliances or very legacy software) you can make a custom template to match your scenario exactly.