SSL Certificate Recon

SSL Icon
An SSL certificate is a digital certificate that authenticates the identity of a web application. It enables an encrypted connection between the web server and the browser and, most importantly for pentesters, it specifies the domain or subdomain that the certificate is issued for.

SSL Certificate Reconnaissance

SSL Certificate Enumeration

SSL Certificate Enumeration involves passively discovering SSL/TLS certificates for a target domain. SSL certificates can discover additional domains associated with a target organization. There are many available tools to enumerate SSL certificates for a target domain. I have listed several online search tools here: Searching Tools & Links

The following are tools and techniques to enumerate SSL certificates for target domains.

curl -s "https://crt.sh/?q=tesla.com&output=json" | jq . | grep common_name        #Retreives the host name (CN, FQDN) of all SSL certificates issued to the target domain
censys search tesla.com --api-id 'xxxx' --api-secret 'xxxxx'                       #Retrieves SSL certificate issued for a domain
shodan search ssl.cert.subject.cn:tesla.com                                        #Search the Shodan database for SSL certificates issued for a domain
curl -s "https://www.virustotal.com/api/v3/domains/tesla.com" -H "x-apikey: xxxx"  #VirusTotal search for SSL certificates issued for a domain
curl -s "https://api.securitytrails.com/v1/domain/tesla.com?apikey=xxxx"           #SecurityTrails search for SSL certificates issued for a domain

SSL Certificate Monitoring

In this phase of SSL certificate reconnaissance, you continuously monitor a target domain to observe if any SSL/TLS certificates are issued for a target organization’s domains. Performing this over a longer period is excellent for long engagements or as part of an ASM (Attack Surface Management) service.

As pentesters, our main objective for SSL certificate monitoring is to discover new subdomains and associated certificates that may have been recently registered. New SSL certificates can expand the target domain’s attack surface.

certspotter -watchlist domains.txt -stdout   #Monitor a list of domains and output to stdout