- The cert that causes the outage is the one nobody put in the inventory.
- Agentless-first discovery covers public, cloud, and read-only API surfaces in minutes.
- Deeper internal discovery uses lightweight collectors for private networks.
- Continuous reconciliation matters more than the initial scan.
Agentless-first discovery
Public discovery pulls from Certificate Transparency logs, DNS records, and direct TLS handshakes against your known endpoints. No agent. No installer. Read-only.
Cloud discovery uses native cloud APIs — AWS ACM, Azure Key Vault, GCP CAS, AWS PCA — to enumerate certificates already in the cloud-native cert store. Read-only API credentials only.
Kubernetes discovery reads cert-manager Custom Resource Definitions and reconciles against the actual cluster state. Surfaces drift the moment it appears.
Going deeper for private networks
Some certificates only live behind private networks — internal mTLS endpoints, vault-managed certificates, host-installed certs on segmented infrastructure.
For these, MachineCert ships a lightweight collector. The collector runs inside your network, reads what it can over read-only APIs, and reports to the control plane. It is not an agent on every host; it is one lightweight service that talks to many existing systems.
Why continuous matters more than initial
The first discovery scan tells you what was true at one moment. Continuous reconciliation tells you what changed.
New certificates appear constantly — a CI pipeline issues one, a Kubernetes controller rotates one, an engineer installs one for a quick fix. Without continuous discovery, the inventory drifts and the value erodes within weeks.
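To make the two points above concrete (direct TLS handshakes against known endpoints, and reconciliation that reports what changed rather than what exists), here is an added example that is not MachineCert's code: `probe_endpoint()` does a read-only handshake with only the Python standard library, and `reconcile()` compares observed certificate records against an inventory to flag unknown, rotated, expiring, and missing endpoints. The hostnames, fingerprints, and dates in the sample are constructed placeholders.

```python
import hashlib
import socket
import ssl
from datetime import datetime, timedelta, timezone

def probe_endpoint(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Read-only TLS handshake against a known endpoint (network call, not used by the
    offline sample). Verification is off so internal/self-signed certs are still seen;
    getpeercert() is then empty and not_after stays None unless the chain validated."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            info = tls.getpeercert()
    not_after = None
    if info.get("notAfter"):
        secs = ssl.cert_time_to_seconds(info["notAfter"])
        not_after = datetime.fromtimestamp(secs, tz=timezone.utc)
    return {"endpoint": f"{host}:{port}",
            "sha256": hashlib.sha256(der).hexdigest(), "not_after": not_after}

def reconcile(observed: list, inventory: dict, now: datetime, warn_days: int = 14) -> dict:
    """inventory maps endpoint -> expected SHA-256 fingerprint of the served cert.
    unknown: served by an endpoint nobody recorded; rotated: fingerprint changed;
    expiring: not_after within warn_days; missing: inventoried but not observed."""
    findings = {"unknown": [], "rotated": [], "expiring": [], "missing": []}
    seen = set()
    for rec in observed:
        ep = rec["endpoint"]
        seen.add(ep)
        if ep not in inventory:
            findings["unknown"].append(ep)
        elif inventory[ep] != rec["sha256"]:
            findings["rotated"].append(ep)
        if rec["not_after"] and rec["not_after"] - now <= timedelta(days=warn_days):
            findings["expiring"].append(ep)
    findings["missing"] = sorted(set(inventory) - seen)
    return findings

# Constructed sample data: fingerprints are placeholders, not real certificates.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
INVENTORY = {"api.example.test:443": "aaa0", "mtls.internal.test:8443": "bbb0",
             "legacy.example.test:443": "ccc0"}
OBSERVED = [
    {"endpoint": "api.example.test:443", "sha256": "aaa0", "not_after": NOW + timedelta(days=10)},
    {"endpoint": "mtls.internal.test:8443", "sha256": "bbb1", "not_after": NOW + timedelta(days=80)},
    {"endpoint": "forgotten.example.test:443", "sha256": "ddd0", "not_after": NOW + timedelta(days=40)},
]
```

Running `reconcile(OBSERVED, INVENTORY, NOW)` on the sample reports `forgotten.example.test:443` as unknown (the cert nobody put in the inventory), the mTLS endpoint as rotated, the API cert as expiring, and the legacy endpoint as missing; scheduling the same comparison on a timer is the continuous reconciliation the text describes.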