Post-Quantum Readiness
TLS Certificate Inventory: How to Find Every Certificate in Your Organization
Build a complete TLS certificate inventory across public endpoints, cloud KMS, CDNs, and vendor-managed certs. Step-by-step guide — plus a free, no-signup scan that finds every certificate on your domain in about 30 seconds.
TLS Certificate Inventory: How to Find Every Certificate in Your Organization Most organizations think they have 50 100 TLS certificates. When they actually inventory, the number is closer to 500 1,500. Forgotten subdomains, expired test certificates, CDN terminated endpoints, cloud load balancer certificates, and vendor managed TLS endpoints all hide from the central IT view. This guide covers every place TLS certificates live and how to find them — external and internal, managed and unmanaged. Why TLS Certificate Inventory Matters Now Three forces are converging that make certificate inventory urgent: 1. Certificate lifespans are shrinking. The CA/Browser Forum is pushing toward 47 day maximum validity. You cannot manually track certificate renewals at that cadence without an automated inventory. 2. PQC migration starts with certificates. Every TLS certificate using RSA or ECC must eventually be reissued with post quantum algorithms. You need to know which certificates exist before you can prioritize which ones to migrate. 3. Compliance requires it. PCI DSS 4.0 (Requirement 4), NIST SP 800 131A, CNSA 2.0, and DORA all require cryptographic visibility and certificate lifecycle management documentation. What a Complete TLS Certificate Inventory Includes For every certificate, record: Subject (CN and SAN entries — every domain it covers) Issuer (public CA, internal CA, self signed) Public key algorithm (RSA, ECDSA, Ed25519) and key size Signature algorithm (SHA 256 with RSA, ECDSA with SHA 256) Valid from / valid until dates TLS version negotiated on the endpoint Cipher suite in active use Host / endpoint the certificate is installed on Owner (which team manages this certificate) Renewal process (automated ACME, manual, vendor managed) Where Certificates Hide Layer 1: Public Facing Endpoints The most visible layer — and the easiest to inventory. External scanning tools connect to every domain you own and record the TLS certificate presented during the handshake. CipherReady automates this: enter a domain, run a scan, and within minutes you have a certificate by certificate inventory with algorithm, key size, issuer, and expiry data. Layer 2: Internal Services APIs, microservices, admin panels, database connections, and message brokers often use TLS internally — sometimes with self signed certificates, sometimes with internal CAs, sometimes with certificates that were issued once and never tracked. Internal inventory requires either agent based scanning (inspecting file systems, Java keystores, Windows certificate stores) or passive network monitoring at aggregation points. Layer 3: Cloud Load Balancers and CDNs AWS ALB, CloudFront, Azure Front Door, Cloudflare, and Fastly all terminate TLS on your behalf. Their certificates are configured through cloud console settings, not through your on premise certificate management tools. Each cloud provider has its own certificate store (AWS ACM, Azure Key Vault, GCP Certificate Manager) that must be inventoried separately. Layer 4: SaaS and Vendor Managed Endpoints When a vendor provides a service at yourcompany.vendor.com , the TLS certificate on that endpoint is managed by the vendor — but it represents your brand and protects your data. These certificates should be recorded in your inventory as vendor managed assets with the vendor listed as the owner and a link to their security documentation. Layer 5: Email Servers and Non HTTP TLS SMTP with STARTTLS, IMAP with TLS, database connections with