Filesystem Scanning Guide

Certificate, Keystore, and Outlook Archive Discovery

Overview

The scanner provides comprehensive filesystem scanning capabilities to discover cryptographic assets across your systems:

🔐 Certificates

PEM, DER, CRT, CER, PKCS#12, CSRs, and private keys

🔑 Keystores

Windows Cert Store, macOS Keychain, Java JKS, PKCS#12

📧 Outlook Archives

Encrypted PST, OST, PAB files with S/MIME certificates

Certificate Scanning

Certificate scanning discovers and analyzes cryptographic certificate files stored on the filesystem.

Enable Filesystem Scanning

    # Enable filesystem certificate scanning
    ./certscanner -mode local -scanfilesystem -output certificates.json

    # Use with full scan (includes memory, keystores, etc.)
    ./certscanner -mode local -fullscan -output full-scan.json

Supported File Formats

| Format | Extensions | Description |
| --- | --- | --- |
| PEM | .pem, .crt, .cert, .cer | Base64-encoded certificates and keys |
| DER | .der | Binary-encoded certificates |
| PKCS#12 | .p12, .pfx | Password-protected certificate bundles |
| CSR | .csr | Certificate signing requests |
| Private Keys | .key, .pem | RSA, ECDSA, Ed25519, Ed448, DSA keys |

Post-Quantum Cryptography Detection: The scanner automatically detects ML-DSA (Dilithium), ML-KEM (Kyber), SLH-DSA (SPHINCS+), and other PQC algorithms in certificates and private keys.
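
Several extensions in the table map to more than one kind of content (.pem is listed for both certificates and private keys), so an inventory check is more reliable when it looks at the bytes rather than the file name. The following added example, which is not the scanner's own code, classifies content by PEM label or by the first DER headers; the function names and result labels are assumptions made for illustration.

```python
import re

# PEM label -> asset kind (result labels are this example's own)
PEM_KINDS = {
    "CERTIFICATE": "certificate", "CERTIFICATE REQUEST": "csr",
    "PRIVATE KEY": "private-key", "RSA PRIVATE KEY": "private-key",
    "EC PRIVATE KEY": "private-key",
    "ENCRYPTED PRIVATE KEY": "private-key-encrypted",
}
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")
# Leading version INTEGER: PKCS#12 uses 3, private-key structures use 0 or 1
VERSION_KINDS = {3: "pkcs12", 0: "private-key-der", 1: "private-key-der"}

def der_header(buf, pos):
    """Return (tag, content_offset, length) of the TLV at pos, or None if truncated."""
    if pos + 2 > len(buf):
        return None
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                        # short-form length
        return tag, pos + 2, first
    n = first & 0x7F                        # long form; n == 0 is BER indefinite length
    if pos + 2 + n > len(buf):
        return None
    return tag, pos + 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")

def classify(data: bytes) -> list:
    """Classify by content; a PEM bundle can hold several objects."""
    labels = [m.decode() for m in PEM_RE.findall(data)]
    if labels:
        return [PEM_KINDS.get(label, "pem-other") for label in labels]
    outer = der_header(data, 0)
    if outer is None or outer[0] != 0x30:   # every binary format here starts with SEQUENCE
        return ["unknown"]
    inner = der_header(data, outer[1])
    if inner is None:
        return ["unknown"]
    tag, off, length = inner
    if tag == 0x02 and length == 1 and off < len(data):
        return [VERSION_KINDS.get(data[off], "unknown")]
    if tag == 0x30:                         # TBSCertificate or CertificationRequestInfo
        field = der_header(data, off)
        if field and field[0] == 0xA0:      # [0] EXPLICIT version: X.509 v2/v3
            return ["certificate"]
        if field and field[0] == 0x02:      # INTEGER first: CSR, or a v1 certificate
            return ["csr-or-v1-certificate"]
    return ["unknown"]

if __name__ == "__main__":
    # Constructed header bytes of a DER certificate (not a complete file)
    print(classify(bytes.fromhex("3082010a3081f0a003020102")))
```

Only the first few headers are inspected, so the result is a triage label and not a validation of the file.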

Keystore Detection

Keystore scanning automatically discovers OS-native keystores and file-based keystores (Java JKS, PKCS#12).

OS-Native Keystores

🪟 Windows

  • Current User Certificate Store
  • Local Machine Certificate Store
  • All certificate contexts (MY, ROOT, CA, etc.)

🍎 macOS

  • Login Keychain
  • System Keychain
  • User-specific keychains

🐧 Linux

  • System CA bundle
  • User certificate directories
  • NSS databases (Firefox, Chrome)

File-Based Keystores

| Type | Extensions | Common Uses |
| --- | --- | --- |
| Java JKS | .jks, .keystore | Java applications, Tomcat, WebLogic |
| PKCS#12 | .p12, .pfx | Cross-platform keystores, IIS, browsers |
| BKS | .bks | Android applications, BouncyCastle |

Automatic Discovery: Keystore detection is automatically enabled with the -scanfilesystem flag. No additional configuration is required.

Outlook Archive Scanning

Detect encrypted Outlook archive files that may contain S/MIME certificates and encrypted emails.

Enable Outlook Scanning

    # Scan for Outlook archives
    ./certscanner -mode local -scanoutlookarchives -output outlook-archives.json

    # Combined with filesystem scan
    ./certscanner -mode local -scanfilesystem -scanoutlookarchives -output combined-scan.json

Detected File Types

| Extension | Type | Description |
| --- | --- | --- |
| .pst | Personal Storage Table | Outlook data file containing emails, contacts, calendar |
| .ost | Offline Storage Table | Cached Exchange mailbox data |
| .pab | Personal Address Book | Outlook address book (legacy) |

Encryption Detection Only: The scanner identifies encrypted Outlook files but does not decrypt or extract contents. This helps identify potential repositories of S/MIME certificates and encrypted communications.
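
An archive's encoding can be read from its file header alone, which is how a file can be flagged without opening any mailbox content. This added example is not the scanner's code (the page does not say how certscanner detects encryption); it reads the bCryptMethod byte at the offsets in Microsoft's published [MS-PST] header layout. The function names and the constructed sample headers are assumptions.

```python
import struct

# Field positions follow the published [MS-PST] header layout.
MAGIC = b"!BDN"                                              # dwMagic
CLIENT_TYPES = {b"SM": "pst", b"SO": "ost", b"AB": "pab"}    # wMagicClient
CRYPT_METHODS = {0: "none", 1: "permute", 2: "cyclic"}       # bCryptMethod
CRYPT_OFFSET = {"ansi": 461, "unicode": 513}

def inspect_header(header: bytes) -> dict:
    """Describe an Outlook data file from its first bytes; mailbox data is never read."""
    if len(header) < 12 or header[:4] != MAGIC:
        return {"outlook_archive": False}
    (w_ver,) = struct.unpack_from("<H", header, 10)          # wVer selects the layout
    if w_ver in (14, 15):
        layout = "ansi"
    elif w_ver >= 23:
        layout = "unicode"
    else:
        layout = None
    info = {"outlook_archive": True,
            "type": CLIENT_TYPES.get(header[8:10], "unknown"),
            "layout": layout, "encoding": "unknown"}
    # A truncated header leaves the encoding as "unknown" instead of guessing
    if layout and len(header) > CRYPT_OFFSET[layout]:
        method = header[CRYPT_OFFSET[layout]]
        info["encoding"] = CRYPT_METHODS.get(method, f"unrecognised (0x{method:02x})")
    return info

def make_sample_header(client: bytes, w_ver: int, method: int) -> bytes:
    """Build a constructed 564-byte buffer with only the fields used above filled in."""
    buf = bytearray(564)
    buf[0:4] = MAGIC
    buf[8:10] = client
    struct.pack_into("<H", buf, 10, w_ver)
    layout = "ansi" if w_ver in (14, 15) else "unicode"
    buf[CRYPT_OFFSET[layout]] = method
    return bytes(buf)

if __name__ == "__main__":
    for sample in (make_sample_header(b"SM", 23, 1),    # Unicode PST, permute encoding
                   make_sample_header(b"SO", 23, 0),    # Unicode OST, no encoding
                   make_sample_header(b"SM", 14, 2),    # ANSI PST, cyclic encoding
                   b"-----BEGIN CERTIFICATE-----"):     # not an Outlook archive
        print(inspect_header(sample))
```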

Default Search Paths

When -filesystem-paths is not specified, the scanner uses OS-specific default paths optimized for certificate discovery.

🪟 Windows Default Paths

User Directories

  • C:\Users (all user profiles)

System Directories

  • C:\Program Files
  • C:\Program Files (x86)
  • C:\ProgramData\Microsoft\Crypto
  • C:\Windows\System32\certsrv
  • C:\Windows\System32\CertLog

Application-Specific (if exist)

  • C:\inetpub\certs (IIS)
  • C:\Apache\conf\ssl, C:\Apache24\conf\ssl
  • C:\nginx\conf\ssl
  • C:\OpenSSL\certs, C:\OpenSSL-Win64\certs

🍎 macOS Default Paths

User Directories

  • /Users (all user home directories)

System Directories

  • /System/Library/Keychains
  • /Library/Keychains
  • /private/etc/certificates
  • /etc/ssl/certs
  • /usr/local/etc/openssl
  • /opt/homebrew/etc/openssl (Apple Silicon)

🐧 Linux Default Paths

User Directories

  • /home (all user home directories)
  • /root (root user home)

System Certificate Directories

  • /etc/ssl/certs
  • /etc/pki/tls/certs
  • /etc/pki/ca-trust
  • /usr/share/ca-certificates
  • /usr/local/share/ca-certificates
  • /etc/letsencrypt/live
  • /etc/letsencrypt/archive

Web Server Locations (if exist)

  • /etc/apache2/ssl
  • /etc/nginx/ssl
  • /etc/httpd/ssl
  • /var/lib/docker/volumes
  • /opt/docker/certs

Custom Search Paths

Override default paths with custom directories for targeted scanning. Use the -filesystem-paths flag with comma-separated paths.

Syntax

    ./certscanner -mode local -scanfilesystem \
      -filesystem-paths "/path1,/path2,/path3" \
      -output custom-scan.json

Examples

Windows - Scan Specific Application

    certscanner-windows-amd64.exe -mode local -scanfilesystem `
      -filesystem-paths "C:\inetpub,C:\Apache24" `
      -output iis-apache-scan.json

Linux - Scan Web Server Only

    ./certscanner-linux-x64 -mode local -scanfilesystem \
      -filesystem-paths "/etc/nginx,/etc/apache2,/etc/letsencrypt" \
      -output webserver-certs.json

macOS - Scan User-Specific Directory

    ./certscanner-darwin-amd64 -mode local -scanfilesystem \
      -filesystem-paths "/Users/johndoe/certs,/Users/johndoe/Documents" \
      -output user-certs.json

Docker/Container Scanning

    ./certscanner-linux-x64 -mode local -scanfilesystem \
      -filesystem-paths "/var/lib/docker,/opt/kubernetes/pki" \
      -output container-certs.json

Tip: When specifying custom paths, the scanner ONLY scans those directories. Default paths are not included. To combine custom and default paths, list all directories explicitly.

Performance Considerations

✓ Optimization Features

  • Multi-threaded filesystem traversal
  • Intelligent directory skipping (node_modules, .git, etc.)
  • CPU throttling support (-cputhrottle)
  • Concurrent file parsing

⚡ Performance Tips

  • Use targeted paths for faster scanning
  • Combine with -cputhrottle high for low-impact scanning
  • Run during maintenance windows for full scans
  • Use -quickscan for initial discovery

Skipped Directories

The scanner automatically skips these directories to improve performance:

node_modules, .git, .svn, .hg, __pycache__, .cache, .tmp, temp, Trash

Output & Reporting

Filesystem scan results are included in the main JSON output under dedicated sections:

    {
      "filesystem_scan_results": [
        {
          "source_file_path": "/etc/ssl/certs/server.crt",
          "version": 3,
          "serial_number": "1234567890",
          "signature_algorithm": "MLDSA65",
          "subject": {
            "common_name": "example.com",
            "organization": ["Example Corp"]
          },
          "validity": {
            "not_before": "2025-01-01T00:00:00Z",
            "not_after": "2026-01-01T00:00:00Z"
          },
          "subject_public_key_info": {
            "algorithm": "ML-DSA-65",
            "bit_size": 4096
          },
          "pqc_vulnerable": false,
          "quantum_risk": "low",
          "file_details": {
            "path": "/etc/ssl/certs/server.crt",
            "size": 2048,
            "owner": "root",
            "group": "root"
          }
        }
      ],
      "keystore_results": [...],
      "outlook_archive_results": [...]
    }

Use different output formats for various use cases: JSON for processing, HTML for reporting, CBOM for compliance, FlatNDJSON for SIEM integration.
