Discovery root node settings

The Discovery root node in the Policy Tree contains settings that control how Network Discovery handles discovered certificates across your system.

IMPORTANT You must have View and Write permissions to the Discovery object to configure these settings.

To configure Discovery root node settings

Click Policy Tree in the navigation.
Select Discovery in the Policy Tree drop-down menu.
Click the root Discovery node in the tree.
In the Settings tab, configure the settings as needed, and then click Save.

The following table describes the Discovery root node settings.

Setting	Description
Network Discovery Settings
Bypass Certificate Reconciliation	When enabled, this setting bypasses certificate reconciliation for Network Discovery jobs. Default: Disabled (unchecked) Effect when enabled: Trust Protection Foundation creates a new certificate object for each discovered certificate, even if a matching certificate already exists. Certificates are not automatically combined, and Subject Alternative Name (SAN) settings are not updated during rediscovery. Effect when disabled: Trust Protection Foundation automatically reconciles newly discovered certificates with existing certificate objects that match based on subject, key usage, enhanced key usages, and SAN similarity. If the discovered certificate is newer and has different SANs, the SAN DNS renewal settings are automatically updated to match. When to enable: Enable this setting in the following scenarios: You're using DigiCert Duplicate Certificates and want each duplicate to remain in a separate certificate object Your PKI architecture intentionally has multiple certificates with identical subjects and SANs, such as different certificates for load balancers and application servers You want complete control over certificate placement and don't want automatic reconciliation to combine certificates For more information about how certificate reconciliation works, see About certificate reconciliation during discovery.

Setting

Description

Network Discovery Settings

Bypass Certificate Reconciliation

When enabled, this setting bypasses certificate reconciliation for Network Discovery jobs.

Default: Disabled (unchecked)

Effect when enabled: Trust Protection Foundation creates a new certificate object for each discovered certificate, even if a matching certificate already exists. Certificates are not automatically combined, and Subject Alternative Name (SAN) settings are not updated during rediscovery.

Effect when disabled: Trust Protection Foundation automatically reconciles newly discovered certificates with existing certificate objects that match based on subject, key usage, enhanced key usages, and SAN similarity. If the discovered certificate is newer and has different SANs, the SAN DNS renewal settings are automatically updated to match.

When to enable: Enable this setting in the following scenarios:

You're using DigiCert Duplicate Certificates and want each duplicate to remain in a separate certificate object
Your PKI architecture intentionally has multiple certificates with identical subjects and SANs, such as different certificates for load balancers and application servers
You want complete control over certificate placement and don't want automatic reconciliation to combine certificates

For more information about how certificate reconciliation works, see About certificate reconciliation during discovery.