Ok, that makes it a bit more difficult because of how discovery runs in that DS. Discovery simply checks if certain ports are open. It isn't until collection that the actual cert is downloaded and inspected. Discovery itself doesn't pull any actual properties of the certificate itself (like whether or not it's self-signed). It's a pity really and I think the discovery on this DS is lacking actual discovery.
In order to use an Active Discovery filter, the discovery script would have to discover whether or not each cert is self-signed and store that as a property. So what you'll have to do is add logic from the collection script into the discovery script so that the self-signed status gets stored as a property on the instance and can then be used to filter out those certs from discovery.
The logic in the collection script is a bit complex (some developer really flexed his OOP skills). Take a look at it and see what you can do. It's beyond my skills to extract the required logic with the limited time I have (would probably take me a few days to iron it out). If you really want to automate this (a worthy goal IMO), I suggest reaching out to your CSM to talk about professional services or see if someone in the community may have already cracked this nut.
All that said, if this is a small thing, then it would probably work to just create instance groups and sort them out manually. If it's more than a few servers' certs, then automation is the only way to go. There may be a simpler way that's not occurring to me at the moment.
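The check a discovery step would need before it could expose self-signed status as an instance property, as an added example that is not part of the original post and is not the DataSource's own code. It compares the certificate's issuer and subject names, which identifies self-issued certificates without verifying the signature; the function names and the `cert.self_issued` property name are hypothetical.

```python
import ssl
import sys

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Return the raw DER Name encodings of issuer and subject."""
    tag, start, _ = read_tlv(der, 0)            # Certificate
    tag2, pos, tbs_end = read_tlv(der, start)   # tbsCertificate
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("not an X.509 certificate")
    fields = []
    while pos < tbs_end:
        ftag, _, vend = read_tlv(der, pos)
        fields.append((ftag, der[pos:vend]))
        pos = vend
    if fields and fields[0][0] == 0xA0:         # optional [0] version, absent in v1
        fields.pop(0)
    if len(fields) < 5:
        raise ValueError("tbsCertificate too short")
    # Order after version: serial, signature algorithm, issuer, validity, subject
    return fields[2][1], fields[4][1]

def is_self_issued(der):
    """True when issuer and subject are byte-identical (signature not verified)."""
    issuer, subject = issuer_and_subject(der)
    return issuer == subject

def instance_properties(host, port, der):
    """Instance record with a hypothetical property a discovery filter could match."""
    flag = "true" if is_self_issued(der) else "false"
    return {"instance": f"{host}:{port}", "properties": {"cert.self_issued": flag}}

if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2])
    # No CA bundle is passed, so the chain is not validated and self-signed certs download.
    der = ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))
    print(instance_properties(host, port, der))
```

A certificate can be self-issued without being self-signed, so a stricter check would also verify the signature against the certificate's own public key.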