The high-level architecture integrates the following main components.
Discovery Scanners
Certificate Hub Discovery Scanners:
- Search your enterprise's networks or portions of networks for the most recent information about deployed certificates.
- Record each certificate's location, type, algorithms, and expiry, regardless of the certificate issuer.
Discovery Scanners are typically deployed on your premises, inside corporate firewalls, to access the internal private servers. However, only Discovery Scanners require this kind of deployment; you can deploy the other Certificate Hub components in a less restrictive environment.
When started, a Discovery Scanner:
- Contacts Certificate Hub to get the policy and scan configuration.
- Launches the Certificate Hub scheduling process for scanning.
- Executes one or more configured scans according to the calendar schedule and priority.
- Periodically polls Certificate Hub for any policy or configuration updates.
Discovery Scanners run a custom-built version of Nmap to scan ports, capture the returned SSL certificate chain, and transmit scan results to Certificate Hub for processing.
Entrust CA Gateway
Through Entrust CA Gateway, Certificate Hub obtains a direct feed of issued certificates from each supported Certificate Authority (CA):
- Entrust Authority Security Manager (on-prem and Entrust-managed).
- Entrust Public Certificate Services (ECS).
- Microsoft CAs.
- Entrust PKIaaS.
Thus, Certificate Hub can request certificates from all the CAs managed by a CA Gateway instance.
Certificate Hub
Certificate Hub is a container-based set of services that can be hosted either on customer premises or in a commercial cloud. Certificate Hub provides:
- An API interface to the companion Certificate Hub browser UI.
- The underlying certificate database.
- The necessary background processes.