Discovery
sslbrain can scan your network to find all servers and devices using TLS certificates. Discovery gives you visibility into your environment without manually adding each endpoint.
Network Scanning
Network scanning finds endpoints in specified IP ranges. sslbrain scans the most common TLS ports and reports what responds.
Setup
- Go to Discovery > New Scan
- Specify IP ranges (e.g.
10.0.0.0/24or192.168.1.1-192.168.1.254) - Select which ports to scan
- Click Start Scan
Ports
| Port | Service |
|---|---|
| 443 | HTTPS (web servers, applications) |
| 8443 | HTTPS (alternative ports, management interfaces) |
| 3389 | RDP (Remote Desktop) |
| 636 | LDAPS (Active Directory) |
| 993/995 | IMAPS/POP3S (mail) |
| 25/465/587 | SMTP/SMTPS (mail) |
You can add custom ports if your organisation uses non-standard ports for TLS services.
Certificate Discovery
Certificate discovery connects to each TLS port found and retrieves the certificate. sslbrain analyses the certificate and records:
| Information | Description |
|---|---|
| Subject / SAN | Domain names and IP addresses in the certificate |
| Issuance and expiry | When the certificate is valid from and until |
| CA | Issuer (Let's Encrypt, DigiCert, Sectigo, internal CA, etc.) |
| Chain | Whether the certificate chain is complete and trusted |
| TLS version | Protocol version and cipher suites in use |
| Issues | Expired certificates, incomplete chains, weak ciphers, self-signed |
Discovered certificates can be added to sslbrain directly from the scan results.
Scheduled Scanning
Configure scheduled scanning to detect new endpoints and changes in your network automatically.
- Go to Discovery > Scheduled Scans
- Select an existing scan configuration or create a new one
- Set frequency: daily, weekly or monthly
- Choose a time (run scans outside peak hours)
sslbrain compares results from scan to scan and notifies you about:
- New endpoints with TLS certificates
- Certificates approaching expiry
- Changes in chain or TLS configuration
- Endpoints that no longer respond
Tip: Scheduled scanning is the best way to ensure no certificates in your network go unnoticed. Combine it with notifications to be alerted about new findings.
Results
Scan results are displayed under Discovery > Results with a status indicator per endpoint found.
OK
Valid certificate with complete chain. Does not expire within 30 days.
Warning
Certificate expiring soon, incomplete chain, or weak cipher suites.
Critical
Expired certificate, self-signed in production, or TLS 1.0/1.1.
From the results view you can:
- Add a discovered endpoint to sslbrain
- Order a new certificate for the endpoint
- Export the results as CSV for reporting