Unlocking SSL Intelligence: Unveiling Current and Historical SSL Certificate Data for Any Domain Name
Reading time: 11 minutesIn the modern Web 3.0 era, SSL certificates have become indispensable in ensuring the security and trustworthiness of online communication between your web application and a client.
Nowadays, there are multiple factors that play a major role in your web application's success or failure, but three of them are among the most important: security, visibility, and reputation.
For instance, while the overall security of your web application relies on various aspects like the underlying code, web stack, and operating system, an SSL certificate plays a significant role in ensuring secure connections for your visitors. It prevents them from being redirected to malicious websites and protects against potential data breaches or unauthorized access.
Moreover, the visibility of your web application across the internet can be greatly affected by the presence or absence of an SSL certificate. Search engines like Google prioritize websites with SSL certificates, which can positively impact your search engine rankings and organic traffic. Obtaining an SSL certificate has been made easier with free solutions like Let's Encrypt—this allows you to improve the visibility of your web application without any added expenses.
Lastly, the reputation of your web application can be at stake if it lacks an SSL certificate or if the certificate has expired. In today's digital landscape, where SSL certificates are commonplace, visitors expect a secure browsing experience. If your web application fails to meet this expectation, visitors may be greeted with warning messages and red screens, leading to a loss of trust and potential reputational harm. Therefore, it is crucial to ensure that your SSL certificate is valid and up to date to maintain a positive reputation and user experience for your web application's visitors.
Today, we will explore how to effectively track current and historical SSL data so that you can enhance your SSL certificate intelligence.
- Why tracking current and historical SSL certificate history is critical for cyber security
- Popular SSL intelligence tools and techniques
- How to get full SSL intelligence with the SecurityTrails API™
- Summary
Why tracking current and historical SSL certificate history is critical for cyber security
As the name suggests, an SSL certificate is a certificate of authenticity that confirms to a visitor that you are indeed connecting to the correct website. Any mismatch in the SSL certificate and domain would result in the certificate being invalid and present a warning in the visitor's browser.
SSL certificates historically have had security vulnerabilities with private keys being leaked, easily making SSL certificates issued with those private keys unsafe. As the name suggests, a private key is to be held privately by the certificate issuer and, if leaked, can allow anyone to issue similar certificates, which can be disastrous.
Analyzing your SSL certificates can also be essential for finding any self-signed SSL certificates already in use within your organization. At times these SSL certificates could be very old and generated with weak encryption algorithms such as MD2, MD4, MD5, or SHA1 which can lead to certificates being cryptographically insecure. But with analysis of every single SSL certificate within your organization, it is possible to detect these old and insecure SSL certificates and replace them with modern and secure ones.
Monitoring an SSL certificate is an important aspect to consider as well, as is usually seen when a website or web application is compromised. Cybercriminals can replace an SSL certificate with one they can re-use on other phishing platforms to make them appear legitimate, allowing them to steal important data or commit financial theft.
Popular SSL intelligence tools and techniques
SSL Intelligence can be gathered using various methods and tools. Information such as SSL certificate issuers, validity, encryption strength, and more can be collected via these tools and techniques; some of the most popularly used tools include using the standard OpenSSL library, publicly accessible tools like SSL Labs, or using the SecurityTrails service which has an API available for easy integration into existing workflows and alerting automation.
Fetching SSL certificate information from a domain name with OpenSSL from the command line
Using the following command, one can find information about a website SSL certificate:
openssl s_client -showcerts -servername example.com -connect example.com:443 </dev/null
Note: Replace example.com with the domain you wish to find the SSL certificate information.
Which would then return the following output:
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
verify return:1
depth=0 C = US, ST = California, L = Los Angeles, O = Internet\C2\A0Corporation\C2\A0for\C2\A0Assigned\C2\A0Names\C2\A0and\C2\A0Numbers, CN = www.example.org
verify return:1
---
Certificate chain
0 s:C = US, ST = California, L = Los Angeles, O = Internet\C2\A0Corporation\C2\A0for\C2\A0Assigned\C2\A0Names\C2\A0and\C2\A0Numbers, CN = www.example.org
i:C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
-----BEGIN CERTIFICATE-----
MIIHSjCCBjKgAwIBAgIQDB/LGEUYx+OGZ0EjbWtz8TANBgkqhkiG9w0BAQsFADBP
MQswCQ…263t3Ta2JfKViqxpP5r+GvgVKG3qGFrC0mIYr0B4tfpeCY9T+cz4I6GDMSP0xg==
-----END CERTIFICATE-----
1 s:C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
-----BEGIN CERTIFICATE-----
MIIE……..MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxKTAnBgNVBAMTIERpZ2lDZXJ0IFRMUyBSce1XR2bFuAJKZTRei9AqPCCcUZlM51Ke92sRKw2Sfh3oius2FkOH6ipjv3U/697E
A7sKPPcw7+uvTPyLNhBzPvOk
-----END CERTIFICATE-----
---
Server certificate
subject=C = US, ST = California, L = Los Angeles, O = Internet\C2\A0Corporation\C2\A0for\C2\A0Assigned\C2\A0Names\C2\A0and\C2\A0Numbers, CN = www.example.org
issuer=C = US, O = DigiCert Inc, CN = DigiCert TLS RSA SHA256 2020 CA1
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3775 bytes and written 731 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
DONE
From the above commands, the output reveals a lot of details about the current SSL certificate associated with the domain name, including information about the validity of the SSL certificate, the issuer, and the certificate chain. However, a key disadvantage one must be aware of is that this command lists only the current certificate's information, and not anything historical. While this might be fine for checking SSL certificate validity and current issuer information, tracking historical changes is not possible without logging the certificate's information locally and then comparing.
Online SSL certificate lookup services
If the command line isn’t your cup of tea, and you wish to use something that's perhaps easier, parsed and more accessible to you, a publicly available and free-to-use SSL certificate test is offered by SSL Labs.
This can be a great solution if you have one domain and/or a few subdomains to test, but testing large domains can be significantly more time-consuming.
During our test, for example, each IP address associated with the domain took around ~110 seconds to test, thus taking around ~7 minutes to test each domain you may have with multiple IP addresses associated with it.
Looking beyond the amount of time taken, SSL Labs does have an available API which is essential for integrating the checking of SSL certificates into your existing automation and workflows. Still, a key disadvantage (like in the previous OpenSSL command example) remains: there is no historical information available in most cases to track or trace any changes in SSL certificate information, leading to very limited SSL certificate intelligence.
SSL intelligence analysis with an API service
Looking within any organization, most critical services such as webmail, team chat, HR portal, and such run on a separate subdomain, alongside automated subdomains that get created with the help of CI/CD tools.
Having a valid SSL certificate on each of these subdomains is necessary to ensure that various compliance requirements are met, and that your employees can connect securely to the correct web service.
Using an API such as the SecurityTrails API™ can help automate the process of checking every subdomain's SSL certificate, so that whether you’re working with one subdomain or a thousand, checking and being alerted of an expired SSL certificate can be integrated into your existing workflow.
For example: one can build a bash script to read a text file and parse each domain's SSL status via the API, then be alerted only to those domains that do not have a valid SSL certificate.
Let’s deep dive into this in the next section.
How to get full SSL intelligence with the SecurityTrails API™
Using the SecurityTrails API™ is a straightforward method of getting the exact SSL certificate information that you require for your organization's domains and subdomains:
Let’s take a look at the example query:
curl --request GET \
--url 'https://api.securitytrails.com/v1/domain/YOUR-DOMAIN-HERE/ssl?include_subdomains=false&status=valid' \
--header 'APIKEY: YOUR-API-KEY-HERE'
Note: As always, replace YOUR-DOMAIN-HERE with your organization's domain name and YOUR-API-KEY-HERE with your SecurityTrails API™ Key.
{
"endpoint": "/v1/domain/securitytrails.com/ssl",
"meta": {
"max_page": 1,
"page": 1,
"query": {
"domain": "securitytrails.com",
"include_subdomains": "false",
"status": "valid"
},
"total_pages": 1
},
"record_count": 4,
"records": [
{
"dns_names": [
"*.securitytrails.com",
"securitytrails.com"
],
"fingerprints": {
"md5": "6c3452ca6cf62b2fa4664e5dd80c595a",
"sha1": "461b73d5fad255353fca6db24e494a4c4d4a01bf",
"sha256": "c1d24e5ce21eee936d844e1dabb9541231e12541802480c314fea2ac965ca3b5"
},
"id": "tis2f1lbnowrzswbnawibtxmnjvnjmoo3weikbg4g04=",
"issuer": {
"common_name": "GTS CA 1P5",
"country": [
"US"
],
"organization": [
"Google Trust Services LLC"
]
},
"not_after": 1687492172,
"not_before": 1679716173,
"precert": true,
"public_key": {
"bit_length": 0,
"key": "MIIBIjANBgkqhkiG9wgvS0nDnRD/zTaki8aafVG6fCXbb2zD55uI9FT3NnPgQuRP1XQ/OPO4viSAF6FvRoqRrkEgRa/080WyzY5zFGYeA4TqYnSKDiCz+Adeq+l8bGCHaIpEodtE0OTzLqNWtsISTZ7CEwIDAQAB",
"key_type": "RSA"
},
"raw": null,
"serial_number": "294554699502723252462826246357124765042",
"subject": {
"common_name": "*.securitytrails.com"
},
"subject_key_id": "UMdbMackbbZTq7GmLth3N2/lex4=",
"x509": true
},
{
"dns_names": [
"securitytrails.com",
"*.securitytrails.com"
],
"fingerprints": {
"md5": "f52a4fe1b54ef1375a19f0b21b1a7af3",
"sha1": "af76fcc3e1dc0948bd6ac50e73eef573d301e37d",
"sha256": "aa8239f84895937e56d106d91fdde0561b4a8f5bda39dc18442821b98cacdb44"
}
"id": "k+shtumpgkavvgblfumoglu7j+kvda0/mjstj8drm9s=",
"issuer": {
"common_name": "Amazon",
"country": [
"US"
],
"organization": [
"Amazon"
],
"organizational_unit": [
"Server CA 1B"
]
},
"not_after": 1703203199,
"not_before": 1682294400,
"precert": true,
"public_key": {
"bit_length": 0,
"key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAv1WPVy0qJCrSUBY1ESl9peh50vEYqXpe6G7UdDIl8LZRyVyMvko/QG4XuYIBLLliPJb8+bYoAm4MNn6g5LOqlerqkMS6dfABJovzjBTb5oIoZE0ubFuxjJfsVTY+ld0/WoQ5rY7ia69/sSl+yy5pOLWxnGnKS5FMYrMo8o2HRvIFeMG08V8RBSQIDAQAB",
"key_type": "RSA"
},
"raw": null,
"serial_number": "7916317680006377560770619467839897132",
"subject": {
"common_name": "securitytrails.com"
},
"subject_key_id": "Oz2AS96HjcRwbutU4eTR8sc1skA=",
"x509": false
}
]
}
From the above output, we see detailed information about the SSL certificates associated with the domain securitytrails.com. This includes information such as SSL certificate validity timestamps, common name, certificate issuer, public key, and other essential information which can aid your organization's SSL intelligence.
Another key feature of this API query is customizability. In the query run above, we only query the status of the primary domain name and only the valid SSL certificates associated with it, but we also can query the SSL certificate status for the subdomains of the domain, along with invalid or all types of SSL certificates (valid and invalid) associated with the subdomains and domains.
For example, if we wish to list all the SSL certificates associated with the subdomains as well, we change include_subdomains=false to include_subdomains=true in the API query, which then returns the following output of every subdomain’s SSL certificates:
{
"endpoint": "/v1/domain/securitytrails.com/ssl",
"meta": {
"max_page": 1,
"page": 1,
"query": {
"domain": "securitytrails.com",
"include_subdomains": "true",
"status": "valid"
},
"total_pages": 1
},
"record_count": 21,
"records": [
{
"dns_names": [
"auth.asr.securitytrails.com"
],
"fingerprints": {
"md5": "",
"sha1": "",
"sha256": ""
},
"id": "5r99sjsbqxnsz9gj97a/hxnkpao2tbwbuq8wiahfcc0=",
"issuer": {
"common_name": "R3",
"country": [
"US"
],
"organization": [
"Let's Encrypt"
]
},
"not_after": 1687023879,
"not_before": 1679247880,
"precert": true,
"public_key": {
"bit_length": 0,
"key": "MIIBIjANBgkqh3Ry7urLVUT/M+nIb2Ye0ukG4YdzYn9DOtMaXK/e2VwSr0pfyQQB1B0eoUnh7ubrCU0krzFuuSo5PXwk0Jza4mNgUSBkqfskFSKGtDFEr2w3WKaC6q6XsdVKmir9WY7eAvXuVJu6mZA7QqCYrA7dsv2QVHW85+A5F/R3IKgRpNyY62iEnOdfnzHwIDAQAB",
"key_type": "RSA"
},
"raw": null,
"serial_number": "406166407140112050745823839602666133735769",
"subject": {
"common_name": "auth.asr.securitytrails.com"
},
"subject_key_id": "+CxMfTLW8nSvlpuG/SyqjHjeefU=",
"x509": false
},
{
"dns_names": [
"changelog.securitytrails.com"
],
"fingerprints": {
"md5": "",
"sha1": "",
"sha256": ""
},
"id": "emzgqnavigv+if7pam8dddbl2fu0xbiozb5f+yeskvm=",
"issuer": {
"common_name": "GTS CA 1P5",
"country": [
"US"
],
"organization": [
"Google Trust Services LLC"
]
},
"not_after": 1687492172,
"not_before": 1679716173,
"precert": true,
"public_key": {
"bit_length": 0,
"key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA02YTKNheuUUJEFIUHm1PCDIXkdCD2KYuP7aZJjvU4t+PgvT3NnPgQuRP1XQ/OPO4viSAF6FvRoqRrkEgRa/080WyzY5zFGYeA4TqYnSKDiCz+Adeq+l8bGCHaIpEodtE0OTzLqNWtsISTZ7CEwIDAQAB",
"key_type": "RSA"
},
"raw": null,
"serial_number": "294554699502723252462826246357124765042",
"subject": {
"common_name": "*.securitytrails.com"
},
"subject_key_id": "UMdbMackbbZTq7GmLth3N2/lex4=",
"x509": true
}
]
}
In the above output, one can immediately notice the distinct advantage of obtaining historical SSL certificate information. While other services such as the OpenSSL command or SSL Labs API provide current SSL certificate information, their lack of historical information leads to a very big risk in monitoring the security of your organization's SSL certificates.
With the combination of historical and current information, one can easily compare and review any certificate changes and ensure that every certificate issued within your organization is accounted for and valid. Any discrepancies (e.g., expiration) or unauthorized changes to SSL certificates can be found immediately, then acted upon by integrating the API into your existing workflows.
Summary
SSL certificates are a critical part of any organization, as they allow visitors to establish secure connections between web servers and clients, ensuring that data transmitted over the internet remains encrypted. With SSL intelligence, organizations' security teams can gather essential information about the SSL certificates deployed within an organization, enabling them to assess their validity and ensure the absence of any unauthorized changes in the SSL certificate.
Using the SecurityTrails API™ to fetch detailed data related to SSL certificates deployed within your organization, including expiration dates, certificate authorities (CAs), and other relevant metadata, is a seamless operation, and easy to integrate within your existing workflows. This allows you to build automated alerts when things such as SSL certificate expiry or unauthorized changes occur.
Take your organization’s SSL intelligence to the next level—sign up for your SecurityTrails API™ account today!
