Certificate Hub has three sets of capabilities:

  • The find capabilities inventory certificates across your organization through network discovery and automated certificate import (from CA databases and cloud services).
  • The control capabilities centrally manage policy, issuance, and access to public and private certificates regardless of vendor. Perform manual operations as necessary to issue, renew, and revoke certificates.
  • The automation capabilities push keys and certificates to endpoints, with fully managed rotation and certificate profile management.
  • The report capabilities provide organizational, issue notifications, and reports to remind certificate owners of actions they need to take.

Administrators can customize Certificate Hub to meet enterprise needs like access permissions, system metadata, notifications, or report branding.

The high-level architecture integrates the following main components.


Discovery Scanners

Certificate Hub Discovery Scanners:

  • Search your enterprise's networks or portions of networks for the most recent information about deployed certificates.
  • Record each certificate's location, type, algorithms, and expiry, regardless of the certificate issuer.

Discovery Scanners are typically deployed on your premises, inside corporate firewalls, to access the internal private servers. However, only Discovery Scanners require this kind of deployment; you can deploy the other Certificate Hub components in a less restrictive environment.

When started, a Discovery Scanner:

  1. Contacts Certificate Hub to get the policy and scan configuration.
  2. Launches the Certificate Hub scheduling process for scanning.
  3. Executes one or more configured scans according to the calendar schedule and priority.
  4. Periodically polls Certificate Hub for any policy or configuration updates.

Discovery Scanners run a custom-built version of Nmap to scan ports, capture the returned SSL certificate chain, and transmit scan results to Certificate Hub for processing.
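The capture-and-record step described above can be sketched with Go's standard library. This is an added example, not Entrust's scanner code: it uses Go's TLS client instead of Nmap, and the names Record, Scan and ScanLocalSample are hypothetical. The endpoint it scans is a constructed loopback server.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// Record is one inventory row: where a certificate was seen, its algorithms and expiry.
type Record struct {
	Location, Subject, Issuer, KeyAlg, SigAlg string
	ChainPos                                  int // 0 = leaf certificate
	NotAfter                                  time.Time
	Expired                                   bool
}

// Scan completes a TLS handshake with addr and records every certificate the server sent.
// Verification is off so expired, self-signed and private-CA certificates are inventoried
// too; this tls.Config must never be reused to exchange application data.
func Scan(addr string, timeout time.Duration, now time.Time) ([]Record, error) {
	d := &net.Dialer{Timeout: timeout}
	conn, err := tls.DialWithDialer(d, "tcp", addr, &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		return nil, fmt.Errorf("scan %s: %w", addr, err)
	}
	defer conn.Close()
	var out []Record
	for i, c := range conn.ConnectionState().PeerCertificates {
		out = append(out, Record{addr, c.Subject.String(), c.Issuer.String(), c.PublicKeyAlgorithm.String(),
			c.SignatureAlgorithm.String(), i, c.NotAfter, now.After(c.NotAfter)})
	}
	return out, nil
}

// ScanLocalSample scans a constructed loopback endpoint (Go's httptest TLS server and its
// built-in test certificate), so the example never touches a real host.
func ScanLocalSample(now time.Time) ([]Record, error) {
	srv := httptest.NewTLSServer(http.NotFoundHandler())
	defer srv.Close()
	return Scan(srv.Listener.Addr().String(), 3*time.Second, now)
}

func main() {
	recs, err := ScanLocalSample(time.Now())
	fmt.Printf("%+v\nerr=%v\n", recs, err)
}
```

The clock is passed in as `now` so the expiry flag can be evaluated against any reference date, for example to list certificates that will have expired by a planned renewal deadline.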

Entrust CA Gateway

Through Entrust CA Gateway, Entrust solutions obtain a direct feed of issued certificates from each supported Certificate Authority (CA). See the following table for the CA Gateway deployment required by each type of CA.

| CA type | CA Gateway deployment |
|---|---|
| Certificate Authority running on PKI Hub | Create a Certificate Authority instance, as explained in Starting up Certificate Authorities, and select the built-in CA Gateway service of this CA. |
| External Certificate Authority | Start up the Entrust CA Gateway solution and connect it with the external CA as explained in Starting up CA Gateway. |

Certificate Hub

Certificate Hub is a container-based set of services amenable to either customer premises or commercial cloud hosting. Certificate Hub provides:

  • An API interface to the companion Certificate Hub browser UI.
  • The underlying certificate database.
  • The necessary background processes.