About certificate reconciliation during discovery

Certificate reconciliation is the automatic process that Certificate Manager - Self-Hosted uses to combine newly discovered certificates with existing certificate objects to maintain a single, current record for each certificate.

When reconciliation happens

Reconciliation happens during these discovery methods:

  • Network Discovery: When Network Discovery scans IP addresses and ports to discover SSL certificates and SSH server keys
  • Agent Discovery: When Agent Discovery uses Server Agents to discover certificates on managed devices

NOTE  Certificate reconciliation does not apply to CA Import or Onboard Discovery jobs. These discovery methods use different certificate handling logic.

How reconciliation works

When Certificate Manager - Self-Hosted discovers a certificate through Network Discovery or Agent Discovery, it checks whether the certificate matches an existing certificate object in the Policy Tree.

Matching criteria

Certificate Manager - Self-Hosted uses these criteria to match discovered certificates with existing ones:

  • The subject, key usage, and enhanced key usages must be identical
  • The SAN DNS (Subject Alternative Name DNS) information must be similar enough to match (other SAN types such as IP addresses are not used in matching):
    • If there are 1 to 4 SAN DNS entries on the certificate, all must match
    • If there are more than 4 SAN DNS entries, at least 50% must match. For example, if 5 SAN DNS entries are found, at least 3 must match.

Certificates matching all criteria are reconciled.

What happens during reconciliation

When a discovered certificate matches an existing one, Certificate Manager - Self-Hosted reconciles them:

  1. Certificate Manager - Self-Hosted compares the Valid From (or Not Before) dates to determine which certificate is newer.
  2. The newer certificate becomes the active certificate in the certificate object.
  3. The older certificate is moved to the Previous Versions tab in the certificate details.
  4. All certificate installations from both certificates are combined in the certificate object.
  5. Subject Alternative Name (SAN) settings are updated: If the discovered certificate is newer and has different SAN DNS entries, Certificate Manager - Self-Hosted automatically updates the SAN DNS renewal settings to match. This ensures that renewed certificates include all current SANs from the deployed certificate. Only SAN DNS entries are synchronized during reconciliation; other SAN types (such as IP addresses, email addresses, or URIs) are not included in reconciliation matching or updates.
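The matching criteria and the five reconciliation steps above, modelled in an added Python example (not the product's own code): certificates are plain dataclasses, the SAN DNS count for the 1-to-4 / more-than-4 rule is assumed to be taken from the discovered certificate, and equal Valid From dates are assumed to mean the certificate is already on record, so nothing is moved.

```python
from dataclasses import dataclass, field
from datetime import datetime

@dataclass
class Cert:                      # fields reconciliation looks at (assumed model, not the product's)
    subject: str
    key_usage: frozenset
    ekus: frozenset
    san_dns: frozenset           # only DNS SANs take part; IP, email and URI SANs are ignored
    not_before: datetime         # "Valid From", used to decide which certificate is newer
    installations: set = field(default_factory=set)

@dataclass
class CertObject:                # the Policy Tree certificate object
    active: Cert
    previous: list = field(default_factory=list)    # the Previous Versions tab
    san_dns_renewal: frozenset = frozenset()        # SAN DNS renewal settings
    installations: set = field(default_factory=set)

def san_dns_matches(discovered: frozenset, existing: frozenset) -> bool:
    n = len(discovered)          # assumption: the count is taken from the discovered certificate
    common = len(discovered & existing)
    return common == n if n <= 4 else common >= (n + 1) // 2   # 1-4: all; >4: at least 50% (5 -> 3)

def is_match(discovered: Cert, existing: Cert) -> bool:
    return (discovered.subject == existing.subject and discovered.key_usage == existing.key_usage
            and discovered.ekus == existing.ekus and san_dns_matches(discovered.san_dns, existing.san_dns))

def reconcile(obj: CertObject, discovered: Cert) -> bool:   # returns True if SAN renewal settings changed
    updated = False
    if discovered.not_before > obj.active.not_before:
        obj.previous.append(obj.active)       # newer cert becomes active, older goes to Previous Versions
        obj.active = discovered
        if discovered.san_dns != obj.san_dns_renewal:
            obj.san_dns_renewal = discovered.san_dns   # renewals will include all current SANs
            updated = True
    elif discovered.not_before < obj.active.not_before:
        obj.previous.append(discovered)       # older discovered cert is filed as a previous version
    obj.installations |= discovered.installations   # installations from both certificates are combined
    return updated

def demo() -> tuple:   # constructed sample: a renewed cert that gained a fifth SAN DNS entry is found on another host
    ku, eku = frozenset({"digitalSignature"}), frozenset({"serverAuth"})
    sans = {"www.example.test", "api.example.test", "mail.example.test", "admin.example.test"}
    old = Cert("CN=www.example.test", ku, eku, frozenset(sans), datetime(2024, 1, 1), {"10.0.0.1:443"})
    new = Cert("CN=www.example.test", ku, eku, frozenset(sans | {"portal.example.test"}),
               datetime(2025, 1, 1), {"10.0.0.2:443"})
    obj = CertObject(active=old, san_dns_renewal=old.san_dns, installations=set(old.installations))
    updated = is_match(new, old) and reconcile(obj, new)
    return updated, obj.active is new, len(obj.previous), len(obj.installations), len(obj.san_dns_renewal)
```

In the sample, four of the five discovered SAN DNS entries are already on record, so the certificates match, the renewed certificate becomes active, and the renewal settings pick up the fifth name.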

Preserved settings

During reconciliation, the following settings are preserved from the existing certificate object:

  • Permissions
  • Policy values (except SANs, which are updated if the discovered certificate is newer)
  • Other renewal values

The Updated counter

Network Discovery jobs that reconcile certificates show an Updated counter in the Certificate Placement Summary. This counter shows how many certificates had updated settings.

A certificate is updated when:

  • The discovered certificate was newer than the existing certificate
  • The discovered certificate had different SAN DNS entries
  • Certificate Manager - Self-Hosted automatically updated the SAN renewal settings to match

Bypassing reconciliation

You may want to bypass reconciliation in these scenarios:

  • You're using DigiCert Duplicate Certificates, where each duplicate should remain in a separate certificate object
  • Your PKI architecture intentionally has multiple certificates with identical subjects and SANs serving different purposes

To bypass reconciliation for all Network Discovery jobs, enable the Bypass Certificate Reconciliation setting on the Discovery root node in the Policy Tree. For more information, see Discovery root node settings.

IMPORTANT  When you bypass certificate reconciliation, Certificate Manager - Self-Hosted creates a new certificate object for each discovered certificate, even if a matching certificate already exists. This can result in multiple certificate objects for the same certificate, and SAN settings will not be automatically updated during rediscovery.

Comparison: Automatic reconciliation vs. manual combining

Certificate reconciliation during Network Discovery and Agent Discovery is different from the manual certificate combining available in Certificate and Device Placement jobs:

Feature | Automatic Reconciliation (Network/Agent Discovery) | Manual Combining (Placement Jobs)
When it happens | Automatically during Network Discovery and Agent Discovery jobs | Only when you enable the Combine older and newer versions option in a Certificate and Device Placement job
SAN updates | Automatically updates SAN DNS renewal settings if the discovered certificate is newer | Preserves the renewal values of the existing certificate; does not update SANs
Control | Can be bypassed globally by enabling Bypass Certificate Reconciliation on the Discovery root node | Opt-in per placement job; disabled by default
Use case | Keeps certificate inventory up-to-date as certificates are discovered and ensures renewals include current SANs | Cleans up existing certificate inventory by combining duplicates according to placement rules
