
Info: How do you restrict what certificates are discovered?

Applies to: All 6.x versions.

Summary:

There are three ways to restrict what Certificate Manager can discover in your network.

  1. Simply do not include the IP address range in your discovery.
  2. Set up an exclusion object for a range of IP addresses.
  3. Set up an exclusion object that uses a regular expression matching a particular Issuer DN (Distinguished Name) or Subject DN.

More info:

Here are the three ways to restrict what is discovered.

1: Restricting the IP range

When you set up the discovery, choose only the subnets you want discovery to operate in.

2: Creating an exclusion object:

To configure the exclusion object, follow these steps.
  1. Navigate to the discovery tree.
  2. Select the root of the tree, and choose the drop-down Add option to add an exclusion object. By default, there is already an exclusion object there, so you can use that one instead of creating a new one.
  3. Configure the object by selecting the Ignored, Excluded or Advanced tab. Each of these tabs is described in greater detail later in this article.

To configure your discovery object, follow these steps:
  1. Select the discovery object.
  2. Select the Settings tab on this object.
  3. Press the Add button, and browse to the exclusion object you created above.

3: Using a regular expression with the exclusion object:

If your system has certificates whose names can be expressed as a regular expression, such as those on HP LaserJet printers, you can use the expression to exclude those certificates from discovery. Regular expressions can only be used to exclude certificates, not select them.

  • Here's an example using HP LaserJet printers:

O=Hewlett-Packard\sCo.,\sCN=HP\sJetdirect

  • Or, if you want to do a simple “contains” match, you can enter:

Jetdirect

If you want to use a regular expression to restrict certificates that are signed by specific Certificate Authorities, here are some tested examples.

TIP: The caret symbol "^" used below is the anchor character for the start of the line.

  • Case-independent search for the letters ‘RCA’ at any position in the string:
    (?i)rCa
  • Case-independent search for the letters ‘Thawte’ at any position in the string:
    (?i)tHaWtE
  • Case-independent search for the phrase ‘CN=Test’ anchored at the beginning of the string:
    (?i)^CN=TeSt
  • Case-dependent search for the phrase ‘CN=VenQA CA, DC=venqa, DC=Venafi, DC=com’:
    CN=VenQA CA, DC=venQA, DC=Venafi, DC=com
  • Case-independent search for the word ‘Liability’ at any position in the string:
    (?i)LIABILITY


More on configuring your exclusion object:

An exclusion object can be configured to exclude certificates using the three tabs provided on the object:
  • Ignored tab - Allows you to choose an already configured object in your tree, such as a Policy object that includes certificates already under management. The discovery process will still probe all the IP addresses it is configured for, but once a discovered certificate matches one chosen here, it will be marked as hidden to prevent importing duplicate certificates.
  • Excluded tab - Allows you to set up an IP address range and/or a port range to be excluded from the discovery probe.
  • Advanced tab - Allows you to configure a regular expression used to exclude certificates that contain specific string patterns in either the Issuer DN or the Subject DN of each certificate. This is useful for excluding printer certificates from your tree. TIP: The regular expression is used only to exclude certificates from the discovery. It cannot be used to select certificates.
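As an added illustration (not code from the article or from the product), the following Python model shows how the regular expressions listed above and the three exclusion-object tabs combine to filter a set of discovered certificates. The certificate list, IP/port ranges and the managed-subject set are constructed sample values; the Ignored tab is modelled as a set of Subject DNs, which is an assumption, since the real product resolves the chosen Policy object itself. The patterns are the article's own, evaluated with Python's re module, which honours the inline (?i) flag and anchors "^" at the start of the DN string.

```python
import ipaddress
import re

# Constructed sample of discovered certificates (made-up IPs and DNs for illustration).
DISCOVERED = [
    {"ip": "10.1.1.20", "port": 443,
     "issuer": "O=Hewlett-Packard Co., CN=HP Jetdirect 4P8GTS",
     "subject": "O=Hewlett-Packard Co., CN=HP Jetdirect 4P8GTS"},
    {"ip": "10.1.1.21", "port": 443,
     "issuer": "CN=thawte Primary Root CA, O=thawte, Inc.",
     "subject": "CN=www.example.com, O=Example Corp"},
    {"ip": "10.1.2.5", "port": 8443,
     "issuer": "CN=VenQA CA, DC=venQA, DC=Venafi, DC=com",
     "subject": "CN=lab.internal, DC=venQA, DC=Venafi, DC=com"},
    {"ip": "10.1.1.22", "port": 443,
     "issuer": "CN=Internal Issuing CA, O=Example Corp",
     "subject": "CN=app.example.com, O=Example Corp"},
    {"ip": "10.1.1.23", "port": 443,
     "issuer": "CN=Internal Issuing CA, O=Example Corp",
     "subject": "CN=test-box.example.com, O=Example Corp"},
    {"ip": "10.1.1.24", "port": 443,
     "issuer": "CN=Internal Issuing CA, O=Example Corp",
     "subject": "CN=portal.example.com, O=Example Corp"},
]

# Constructed exclusion-object settings, one per tab described in the article.
# Ignored tab: stand-in for a Policy object's already-managed certificates, modelled
# here (an assumption) as a set of Subject DNs.
MANAGED_SUBJECTS = {"CN=portal.example.com, O=Example Corp"}
# Excluded tab: IP range and port range to leave out of the discovery probe.
EXCLUDED_NETWORKS = [ipaddress.ip_network("10.1.2.0/24")]
EXCLUDED_PORTS = range(8000, 9000)
# Advanced tab: the article's regular expressions, applied to Issuer DN and Subject DN.
EXCLUSION_PATTERNS = [
    r"O=Hewlett-Packard\sCo.,\sCN=HP\sJetdirect",  # the unescaped "." matches any one character
    r"(?i)tHaWtE",
    r"(?i)^CN=TeSt",
]


def ip_or_port_excluded(ip, port, networks=EXCLUDED_NETWORKS, ports=EXCLUDED_PORTS):
    """True when the endpoint falls inside an excluded network or port range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks) or port in ports


def dn_excluded(issuer_dn, subject_dn, patterns=EXCLUSION_PATTERNS):
    """Return the first pattern that matches either DN, or None if none does."""
    for pattern in patterns:
        if re.search(pattern, issuer_dn) or re.search(pattern, subject_dn):
            return pattern
    return None


def apply_exclusions(certs, managed=MANAGED_SUBJECTS, networks=EXCLUDED_NETWORKS,
                     ports=EXCLUDED_PORTS, patterns=EXCLUSION_PATTERNS):
    """Sort discovered certificates into kept / hidden / excluded buckets.

    "excluded" entries carry a reason string so an operator can see which rule fired.
    "hidden" mirrors the Ignored tab: the endpoint was probed, but the certificate is
    not imported because it is already under management.
    """
    result = {"kept": [], "hidden": [], "excluded": []}
    for cert in certs:
        if ip_or_port_excluded(cert["ip"], cert["port"], networks, ports):
            result["excluded"].append((cert, "excluded IP/port range"))
            continue
        pattern = dn_excluded(cert["issuer"], cert["subject"], patterns)
        if pattern is not None:
            result["excluded"].append((cert, "regex: " + pattern))
            continue
        if cert["subject"] in managed:
            result["hidden"].append(cert)
            continue
        result["kept"].append(cert)
    return result


if __name__ == "__main__":
    outcome = apply_exclusions(DISCOVERED)
    for cert in outcome["kept"]:
        print("KEEP    ", cert["ip"], cert["subject"])
    for cert in outcome["hidden"]:
        print("HIDDEN  ", cert["ip"], cert["subject"])
    for cert, reason in outcome["excluded"]:
        print("EXCLUDE ", cert["ip"], cert["subject"], "->", reason)
```

Running the block shows only the plain internal certificate kept, the managed portal certificate hidden, and the printer, Thawte-issued, "CN=test..." and 10.1.2.x certificates excluded, each with the rule that removed it. Because "^" anchors at the start of the whole DN string, a pattern such as (?i)^CN=TeSt does not match a DN where the CN is not the first component, which is worth checking before relying on an anchored pattern.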