TLS & Certificate Posture
Infracast actively probes your public-facing endpoints to assess real TLS and certificate posture — surfacing expiring certificates, weak protocols, and misconfigured chains before they become outages or audit findings. No agent required.
Overview
Most posture tools infer TLS configuration from cloud API metadata. Infracast goes further: it performs live, outside-in TLS connections to the endpoints in your asset graph and inspects what a real client would actually negotiate. This catches drift that metadata alone misses — an expired certificate behind a load balancer, a listener still accepting TLS 1.0, or a hostname that doesn't match the served certificate.
Results are correlated back into the unified graph, so every certificate finding is tied to the exact node (load balancer, CloudFront distribution, API gateway, ingress, or any host with a public address) that serves it.
How Endpoints Are Discovered
The scanner extracts candidate endpoints from your graph automatically:
- By resource type — application/network load balancers, classic ELBs, CloudFront distributions, API Gateway stages, and Kubernetes Ingress resources
- By public host property — any node carrying a routable public address (public DNS name, public IP, endpoint, FQDN, and similar attributes)
Private and loopback addresses are skipped — only externally reachable endpoints are probed.
Ports Scanned
| Port | Purpose |
|---|---|
| 443 | Standard HTTPS |
| 8443 | Load balancer / ingress alternate HTTPS |
| 587 / 993 | STARTTLS (SMTP submission, IMAPS) |
| 5432 / 3306 | STARTTLS (PostgreSQL, MySQL) |
What Gets Checked
Each probe evaluates the negotiated session and presented certificate chain against a dedicated rule pack:
- Certificate expiry — already expired, or expiring inside the warning window
- Weak protocols — TLS 1.0 / TLS 1.1 still accepted
- Weak cipher suites — known-insecure or deprecated ciphers
- Chain trust — self-signed or untrusted issuing chains
- Hostname mismatch — served certificate doesn't cover the requested host
- Key strength — RSA keys below recommended length
- Transport hardening — missing HSTS
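To make the rule pack concrete, here is an added example (not Infracast's own code): a minimal outside-in probe built on Python's ssl module, plus an evaluator that applies the checks listed above to a probe result. The finding ids, the thresholds (30-day warning window, 2048-bit RSA minimum), the weak-cipher markers and the shape of the probe dict are assumptions made for this example, and SAMPLE is a constructed result rather than a real scan.

```python
import socket
import ssl
from datetime import datetime, timedelta, timezone
# Thresholds are assumptions for this example; the page does not state Infracast's values.
WARN_DAYS = 30
MIN_RSA_BITS = 2048
WEAK_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5")  # "DES" also matches 3DES

def hostname_covered(host, sans):
    """True if the certificate's DNS SANs cover host (single-label wildcards only)."""
    host = host.lower()
    for san in (s.lower() for s in sans):
        if san == host or (san.startswith("*.") and host.count(".") == san.count(".")
                           and host.endswith(san[1:])):
            return True
    return False

def evaluate(probe, now=None):
    """Apply the rule pack to one probe result; returns the ids of the findings that fired."""
    now = now or datetime.now(timezone.utc)
    expired = probe["not_after"] <= now
    rules = [
        ("cert_expired", expired),
        ("cert_expiring", not expired and probe["not_after"] - now < timedelta(days=WARN_DAYS)),
        ("weak_protocol", probe["protocol"] in WEAK_PROTOCOLS),
        ("weak_cipher", any(m in probe["cipher"].upper() for m in WEAK_CIPHER_MARKERS)),
        ("untrusted_chain", not probe["chain_trusted"]),
        ("hostname_mismatch", not hostname_covered(probe["host"], probe["sans"])),
        ("weak_key", probe.get("key_type") == "RSA" and probe.get("key_bits", 0) < MIN_RSA_BITS),
        ("missing_hsts", not probe.get("hsts")),
    ]
    return [fid for fid, fired in rules if fired]

def probe_endpoint(host, port=443, timeout=5.0):
    """Live outside-in probe (network required); an untrusted chain raises ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context()  # verify_mode stays CERT_REQUIRED; key_bits is not exposed by ssl
    ctx.check_hostname = False  # let evaluate() report the mismatch instead of failing the handshake
    with socket.create_connection((host, port), timeout=timeout) as sock, \
            ctx.wrap_socket(sock, server_hostname=host) as tls:
        cert, proto, cipher = tls.getpeercert(), tls.version(), tls.cipher()[0]
        tls.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
        headers = tls.recv(65536).decode("latin-1").lower()
    return {"host": host, "protocol": proto, "cipher": cipher, "chain_trusted": True,
            "not_after": datetime.strptime(cert["notAfter"], "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc),
            "sans": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
            "hsts": "strict-transport-security:" in headers}

# Constructed sample: a TLS 1.1 listener serving a 1024-bit RSA cert for the wrong host, without HSTS
SAMPLE = {"host": "api.example.com", "protocol": "TLSv1.1", "cipher": "ECDHE-RSA-AES128-SHA", "chain_trusted": True,
          "not_after": datetime(2030, 1, 1, tzinfo=timezone.utc), "sans": ["www.example.com"], "key_type": "RSA", "key_bits": 1024}
```

probe_endpoint() only handles direct TLS on HTTPS ports; the STARTTLS ports in the table above need a protocol-specific upgrade exchange before the handshake, which this example does not implement.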
Compliance Mapping
TLS posture findings map directly to controls across major frameworks:
| Framework | Controls |
|---|---|
| NIST 800-53 | SC-8, SC-12, SC-13 |
| FedRAMP | SC-8(1) |
| PCI-DSS v4 | 4.2.1 |
| CMMC Level 2 | SC.L2-3.13.8 |
| ISO 27001 | A.8.24 |
In the UI
- Certificates view (Compliance Center) — a sortable inventory of every discovered certificate with issuer, expiry, key details, and posture status
- TLS Posture tab — opens in the topology node drawer for any scanned endpoint, showing the negotiated protocol, cipher, chain, and findings
- Certificate-expiry widget — surfaces soon-to-expire certificates on the dashboard so renewals never slip
Continuous Monitoring
TLS scanning runs as a scheduled monitoring pass, not just on demand. New findings flow into the standard alert routing (Slack, Teams, PagerDuty, OpsGenie, email, webhook) and escalation chains, so a certificate quietly ticking toward expiry triggers a notification well before it lapses.