Platform · Internal Discovery

Find the certificates the internet can’t see.

Discover certificates across internal PKI, servers, applications, load balancers, appliances, Kubernetes clusters, and private infrastructure — reporting metadata only, never keys.

Metadata only · ADCS & Vault · No keys leave

Internal inventory · corp agent · scanning
ad-fs.corp.local: ADCS · found
mesh.svc.local: cert-manager · 14d
db.internal: keystore · expired
vpn.corp.local: Windows store · found

The problem

The riskiest certs are the ones inside.

Internal certificates outnumber public ones many times over — and they’re the least visible, least monitored part of most estates.

Private PKI blind spot

Internal CAs like ADCS issue certs that public tools never see.

Sprawling networks

Certs hide on servers, appliances, and keystores across data centers.

Kubernetes churn

Service-mesh and ingress certs rotate constantly and go untracked.

mTLS everywhere

Service-to-service certificates multiply faster than anyone tracks.

Zero-trust by design

Metadata leaves. Private keys never do.

MachineCert discovers certificate metadata only — subject, issuer, validity, chain, key type. Private keys remain inside your environment. Air-gapped, on-prem, and regulated deployments supported.

How it works

Deep visibility, nothing leaves.

1. Deploy the agent

A lightweight, read-only agent runs inside your network.

2. Scan locally

It reads certs from hosts, stores, and internal CAs.

3. Report metadata

Only metadata is sent — private keys stay put.

4. Unify

Internal certs join the same inventory as everything else.
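Step 3 is the part worth seeing concretely. The Go program below is an added example written for this page, not MachineCert's agent: it walks a PEM bundle as exported from a keystore, builds a metadata record (subject, issuer, key type, validity) for each CERTIFICATE block, and never parses a private-key block at all. SampleBundle constructs the input (a self-signed certificate followed by its own key) so the program runs offline; the record layout and the host names are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"math/big"
	"time"
)

// CertRecord is what a metadata-only agent reports; by design it has no field that could hold key bytes.
type CertRecord struct {
	Subject, Issuer, KeyType string
	NotAfter                 time.Time
	DaysLeft                 int // negative once expired
}

// Inventory walks a PEM bundle as exported from a keystore and parses only CERTIFICATE
// blocks, so a private key stored next to its certificate is never decoded, let alone reported.
func Inventory(bundle []byte, now time.Time) ([]CertRecord, error) {
	var out []CertRecord
	for blk, rest := pem.Decode(bundle); blk != nil; blk, rest = pem.Decode(rest) {
		if blk.Type != "CERTIFICATE" {
			continue // e.g. "EC PRIVATE KEY": skipped before any parsing
		}
		c, err := x509.ParseCertificate(blk.Bytes)
		if err != nil {
			return nil, err
		}
		out = append(out, CertRecord{Subject: c.Subject.String(), Issuer: c.Issuer.String(),
			KeyType: c.PublicKeyAlgorithm.String(), NotAfter: c.NotAfter,
			DaysLeft: int(c.NotAfter.Sub(now).Hours() / 24)})
	}
	return out, nil
}

// SampleBundle is constructed input, not data from any real host: a self-signed
// certificate followed by its EC private key, as a careless keystore export might look.
func SampleBundle(cn string, notAfter time.Time) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notAfter.AddDate(-1, 0, 0), NotAfter: notAfter}
	tmpl.Subject.CommonName = cn
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	kb, _ := x509.MarshalECPrivateKey(key)
	return append(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: kb})...)
}
```

Running Inventory over a bundle that holds both a certificate and its key yields exactly one record, for the certificate; the key block is skipped by type before any bytes are interpreted, which is the property a metadata-only agent has to guarantee.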

Architecture

The agent reads locally, reports metadata.

Inside your network
Windows / Linux: hosts · keystores
Active Directory CS: internal issuing CA
Kubernetes: cert-manager · mesh
HashiCorp Vault: PKI engine
MachineCert agent: metadata only · no keys

Output
Internal inventory: unified
Monitoring: expiry · risk
Automation: renew internal certs

Outcomes

No more internal blind spots.

Private PKI visibility

ADCS, Vault, and keystores finally in view.

Kubernetes coverage

cert-manager and service-mesh certs tracked.

Keys never leave

Metadata only — secrets stay in your network.

One inventory

Internal certs alongside public and cloud.

Automate internal renewal

Hands-off renewal for private certificates.

Network-wide scan

CIDR and host-based discovery at scale.

FAQ

Internal discovery, answered.

Internal discovery finds certificates inside your private network — on Windows and Linux hosts, in Kubernetes, HashiCorp Vault, Active Directory Certificate Services, keystores, and the Windows certificate store — using a lightweight agent.

No. The agent reads and reports certificate metadata only — subject, issuer, validity, key type, chain, and host. Private keys are never collected, transmitted, or stored.

Certificates from servers and appliances, Active Directory Certificate Services (ADCS), Kubernetes (including cert-manager and service mesh), HashiCorp Vault, Java keystores, and the Windows certificate store.

It’s a lightweight, read-only agent deployed inside your network. It scans on a schedule and continuously, reporting metadata back over an encrypted channel.

Internal certificates typically far outnumber public ones and are the least visible part of an estate. Expired internal certs cause outages in mTLS, internal apps, and infrastructure that public tools never see coming.

Yes. The agent can operate within segmented environments and report metadata according to your network and security policies.

Internal discovery covers private infrastructure while public discovery covers the internet-facing footprint. Together they provide complete certificate coverage in one inventory.

Yes. Once discovered and inventoried, internal certificates — including those from ADCS, Vault, and cert-manager — can be brought into automated renewal workflows.

Get started

Illuminate your internal PKI.

Start with a public scan, then deploy the agent to bring every internal certificate into one inventory.

Book a demo