Discovery Agent
Enterprise Cryptographic Asset Discovery & PQC Readiness Assessment
Comprehensive Cryptographic Infrastructure Discovery
A cross-platform Rust-based scanning tool that discovers certificates, keys, and keystores across your entire infrastructure. Automatically assess quantum-resistance and generate compliance reports for post-quantum cryptography migration.
Quick Start
# Run discovery scan with API submission
./discovery-agent --api-url https://api.pqcrypta.com --api-key YOUR_API_KEY
# Save results to file instead of API
./discovery-agent --output scan-results.json
# Deep scan with keystore detection
./discovery-agent --deep-scan --scan-keystores true --api-key YOUR_API_KEY
# Scan specific directories
./discovery-agent --targets /etc/ssl,/var/lib/certificates --api-key YOUR_API_KEYKey Features
Certificate Discovery
Automatically discover X.509 certificates across your infrastructure. Parse PEM and DER formats, extract subject/issuer information, SANs, key usage, and expiration dates.
Key Detection
Identify private and public keys including RSA, ECDSA, EdDSA, and post-quantum algorithms. Detect key sizes, curves, and encryption status.
Keystore Analysis
Support for JKS, JCEKS, PKCS#12, BKS, Oracle Wallet, Windows PFX, NSS Database, and Android KeyStore formats.
PQC Readiness
Assess quantum-resistance of discovered assets. Identify legacy algorithms and generate migration recommendations for post-quantum cryptography.
Multi-Platform
Full support for Linux, Windows, macOS, BSD variants, and Unix systems. Platform-specific scan paths and certificate store integration.
Security Metadata
Collect OS security features including SELinux, AppArmor, firewall status, TPM availability, Secure Boot, and cryptographic CPU capabilities.
Platform Support
Linux
- Ubuntu, Debian, CentOS, Fedora, RHEL
- System certificates: /etc/ssl/certs/, /etc/pki/tls/
- Web servers: Apache, Nginx, HAProxy, Traefik
- Databases: PostgreSQL, MySQL, MongoDB, Oracle
- Containers: Docker, Kubernetes, Podman
- VPN/SSH: OpenSSH, OpenVPN, WireGuard
- Let's Encrypt: /etc/letsencrypt/
Windows
- Windows Server and Desktop editions
- Certificate stores: Local Machine, Current User
- AD CS: Active Directory Certificate Services
- IIS: Internet Information Services
- Exchange Server certificates
- SQL Server certificates
- ADFS and Hyper-V integration
macOS
- System Keychains integration
- User login.keychain-db
- MDM configuration profiles
- Safari, Chrome, Firefox certificates
- Xcode provisioning profiles
- Homebrew and Docker integration
- CloudKit keychain support
Comprehensive Scan Coverage
- Apache: /etc/apache2/ssl/, /etc/httpd/ssl/
- Nginx: /etc/nginx/ssl/, /etc/nginx/certificates/
- HAProxy: /etc/haproxy/certs/, /var/lib/haproxy/certs/
- Traefik: /etc/traefik/certs/, /var/lib/traefik/
- Envoy: /etc/envoy/certs/
- Lighttpd: /etc/lighttpd/certs/
- PostgreSQL: /var/lib/postgresql/*/main/, /etc/postgresql/
- MySQL/MariaDB: /var/lib/mysql/, /etc/mysql/
- MongoDB: /var/lib/mongodb/, /etc/mongodb/
- Oracle: $ORACLE_HOME/network/admin/
- Redis: /etc/redis/, /var/lib/redis/
- Cassandra: /etc/cassandra/, /var/lib/cassandra/
- Docker: /etc/docker/certs.d/, ~/.docker/
- Kubernetes: /etc/kubernetes/pki/, ~/.kube/
- Podman: /etc/containers/certs.d/
- LXD: /var/lib/lxd/
- Service Mesh: Istio, Linkerd, Consul certificates
- etcd: /etc/etcd/, /var/lib/etcd/
- OpenSSH: /etc/ssh/, ~/.ssh/
- OpenVPN: /etc/openvpn/, /var/lib/openvpn/
- WireGuard: /etc/wireguard/
- StrongSwan: /etc/ipsec.d/, /etc/strongswan/
- IPsec: /etc/ipsec/, /var/lib/ipsec/
- Heimdal/Kerberos: /etc/krb5/, /var/lib/krb5kdc/
- Postfix: /etc/postfix/ssl/, /etc/postfix/certs/
- Dovecot: /etc/dovecot/ssl/, /etc/dovecot/certs/
- Exim: /etc/exim4/ssl/, /var/lib/exim4/
- Sendmail: /etc/mail/certs/, /etc/mail/tls/
- F5 BIG-IP: /config/ssl/, /var/tmp/
- Citrix ADC: /nsconfig/ssl/
- Palo Alto: /config/shared/
- Cisco ASA: Configuration extraction
- Juniper: /var/db/certs/
- Check Point: $FWDIR/conf/
OS Metadata Collection
The Discovery Agent collects comprehensive system metadata to provide context for discovered assets and assess the security posture of scanned systems.
Command Line Options
| Option | Description | Example |
|---|---|---|
--api-url |
PQCrypta API server URL | --api-url https://api.pqcrypta.com |
--api-key |
API authentication key | --api-key YOUR_API_KEY |
--output |
Save results to JSON file | --output scan-results.json |
--targets |
Specific paths to scan | --targets /path1,/path2 |
--deep-scan |
Enable thorough scanning | --deep-scan |
--algorithms |
Filter by algorithm type | --algorithms RSA,ECDSA,ML-KEM |
--scan-keystores |
Enable keystore scanning | --scan-keystores true |
--allow-paths |
Additional paths to include | --allow-paths /opt,/var/lib |
--disallow-paths |
Paths to exclude | --disallow-paths /tmp,/cache |
--verbose |
Enable debug logging | --verbose |
--config |
Use configuration file | --config agent-config.toml |
Configuration File
[agent]
name = "discovery-agent-001"
api_url = "https://api.pqcrypta.com"
api_key = "your-api-key"
[scanning]
auto_detect = true
enable_os_stores = true
enable_web_servers = true
enable_databases = true
enable_mail_servers = true
enable_vpn_ssh = true
enable_containers = true
enable_app_servers = true
[scanning.applications]
tomcat_paths = ["/opt/tomcat"]
jboss_paths = ["/opt/jboss"]
oracle_home = "/opt/oracle"
sap_sids = ["PRD", "QAS"]
[output]
format = "json"
include_metadata = true
include_os_info = trueAPI Integration
/crypto-assets/scan/results
Submit discovered assets and scan metadata to the PQCrypta API.
{
"scan_id": "550e8400-e29b-41d4-a716-446655440000",
"agent_hostname": "server-01.example.com",
"agent_version": "1.0.0",
"agent_platform": "linux",
"os_metadata": {
"os_type": "linux",
"os_name": "Ubuntu",
"os_version": "22.04",
"kernel_version": "5.15.0-91-generic",
"architecture": "x86_64",
"security_features": {
"selinux": "disabled",
"apparmor": "enabled",
"firewall": "ufw"
}
},
"assets": [
{
"location": "/etc/ssl/certs/server.crt",
"type": "certificate",
"algorithm": "RSA",
"key_size": 2048,
"subject": "CN=server.example.com",
"issuer": "CN=Let's Encrypt Authority X3",
"not_before": "2025-01-01T00:00:00Z",
"not_after": "2026-01-01T00:00:00Z",
"sha256_fingerprint": "abc123..."
}
],
"scan_duration_ms": 45320,
"errors": []
}Compliance Assessment
The Discovery Agent automatically evaluates discovered cryptographic assets against post-quantum readiness criteria and industry compliance standards.
Compliant
Post-quantum or hybrid algorithms
- ML-KEM-1024
- ML-DSA-87
- SLH-DSA
- HQC
- Hybrid combinations
Legacy
RSA/ECC with adequate key sizes
- RSA 2048-4096 bit
- ECDSA P-256, P-384
- Ed25519
- X25519
Deprecated
Weak key sizes or algorithms
- RSA < 2048 bit
- DSA
- DH < 2048 bit
Forbidden
Cryptographically broken
- MD5 signatures
- SHA1 signatures
- RC4 encryption
- DES/3DES
Technical Stack
Use Cases
Enterprise Infrastructure Audit
Perform comprehensive scans across your entire infrastructure to create a complete inventory of cryptographic assets including certificates, keys, and keystores.
Post-Quantum Migration Planning
Identify quantum-vulnerable assets and prioritize migration efforts. Generate detailed reports on RSA/ECC usage for compliance documentation.
Compliance Assessment
Automatically assess cryptographic configurations against NIST guidelines and industry standards. Identify deprecated algorithms and weak key sizes.
Certificate Lifecycle Management
Track certificate expiration dates across your infrastructure. Identify expiring certificates before they cause service disruptions.
Container Security
Scan Docker, Kubernetes, and other container environments for embedded certificates and keys. Ensure secure configurations in orchestration platforms.
Development Environment Inventory
Audit development and staging environments for test certificates, SSH keys, and keystores. Ensure proper key management practices.
Dashboard Integration
Scan results submitted to the PQCrypta API are available in the dashboard for visualization, analysis, and reporting.
Asset Inventory
View all discovered cryptographic assets with filtering and search capabilities.
Trend Analysis
Track changes in cryptographic posture over time with historical scan comparisons.
Compliance Reports
Generate detailed compliance reports for auditors and stakeholders.
Expiration Alerts
Receive notifications for certificates approaching expiration dates.
Security Characteristics
Read-Only Operation
The agent never modifies or deletes files. Pure discovery and reconnaissance functionality safe for production systems.
Encryption Handling
Identifies encrypted keystores without decryption. Cannot access protected content without passwords (by design).
Secure Communication
HTTPS/TLS 1.3 for all API communication. Certificate pinning support and API key authentication.
Memory Safety
Written in Rust for guaranteed memory safety. No buffer overflows or use-after-free vulnerabilities.