> ## Documentation Index
> Fetch the complete documentation index at: https://infisical.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Certificate Discovery

> Scan your infrastructure to find and inventory certificates.

Certificate Discovery automatically scans your infrastructure to find certificates you may not know exist. This gives you full visibility into your organization's certificate landscape — helping you identify expiring certificates, misconfigurations, and shadow PKI.

## How It Works

Discovery jobs scan your infrastructure and organize results as **installations** — unique locations where certificates were found. Each installation tracks certificates discovered at that location across multiple scans, allowing you to monitor changes over time.

<CardGroup cols={2}>
  <Card title="Network Discovery" icon="network-wired" href="/documentation/platform/pki/discovery/network">
    Scan network endpoints over TLS to discover certificates served by hosts across IP ranges and domains.
  </Card>
</CardGroup>

<Note>
  Additional discovery types (cloud providers, file systems, etc.) will be added in future releases.
</Note>

## Installations

An installation represents a unique location where a certificate was discovered — for example, a specific hostname and port combination.

**View installations:**

* From the **Installations** tab on the Discovery page
* From a specific discovery job's detail page
* From a certificate's detail page (shows where that certificate is deployed)

## Certificate Matching

Discovered certificates are matched to your existing inventory by fingerprint. If a discovered certificate matches one in your Infisical organization, the installation is linked to that certificate — giving you a unified view of where your certificates are deployed.

## FAQ

<AccordionGroup>
  <Accordion title="How are discovered certificates matched to existing certificates?">
    Discovered certificates are matched by their fingerprint (SHA-256 hash of the DER-encoded certificate). If a discovered certificate matches an existing certificate in your organization, the installation is linked to that certificate.
  </Accordion>

  <Accordion title="What happens when a certificate changes at an endpoint?">
    When a subsequent scan detects a different certificate at a location, the installation is updated to reflect the new certificate. The previous certificate association is preserved in the scan history.
  </Accordion>

  <Accordion title="Can I import discovered certificates into my inventory?">
    Yes — if a discovered certificate doesn't match any existing certificate, you can import it into your inventory to track and manage it alongside certificates issued through Infisical.
  </Accordion>
</AccordionGroup>

## What's Next?

<CardGroup cols={2}>
  <Card title="Network Discovery" icon="network-wired" href="/documentation/platform/pki/discovery/network">
    Scan TLS endpoints across IP ranges and domains.
  </Card>

  <Card title="Applications" icon="grid-2" href="/documentation/platform/pki/applications/overview">
    Issue and manage certificates for your services.
  </Card>

  <Card title="Alerting" icon="bell" href="/documentation/platform/pki/applications/alerting/overview">
    Get notified when discovered certificates expire.
  </Card>

  <Card title="Certificate Syncs" icon="arrows-rotate" href="/documentation/platform/pki/applications/certificate-syncs/overview">
    Push certificates to cloud destinations.
  </Card>
</CardGroup>