SSL Profile¶

The SSL Profile panel provides SSL/TLS certificate details for a domain, including validity dates, issuer, subject, and alternative names. Use certificate attributes as pivots to discover related infrastructure.

What's included¶

The SSL Profile displays:

Certificate validity: Not Before and Not After dates
Issuer: Certificate Authority that issued the certificate
Subject: Entity the certificate was issued to
Subject Alternative Names (SANs): Additional domains covered by the certificate
Certificate hash: SHA-1 fingerprint
Public key: Key algorithm and size
Signature algorithm: Algorithm used to sign the certificate
Extensions: Additional certificate attributes

Multiple certificates¶

When DomainTools finds more than one certificate on a domain, Iris Investigate shows the certificates in separate tabs. Navigate between tabs to view different certificates.

Pivot on certificate attributes¶

The SSL Profile provides multiple pivot opportunities:

Subject Alternative Names¶

The Extensions → Subject Alt Name section lists all domains covered by the certificate:

Right-click a domain in the Subject Alt Names list.
The Operations Menu appears.
Select a pivot operation.

To examine all domains covered by a certificate:

Locate the ADD TO FILTERS button in the Subject Alt Names section.
Select ADD TO FILTERS.
All domains from the certificate populate your search filters.

Certificate hash¶

Pivot on the certificate hash to find other domains using the same certificate:

Right-click the certificate hash.
Select a pivot operation from the Operations Menu.
Discover domains sharing the certificate.

Other attributes¶

Pivot on additional certificate attributes:

Issuer: Find certificates from the same CA
Subject Organization: Discover related entities
Certificate email: Search by contact email

SSL certificate collection¶

DomainTools employs three methods to gather certificate data:

Certificate Transparency Logs: Constantly monitored for newly published certificates
Web Crawler: Collects certificates when gathering web-related data
Active certificate crawls: Weekly attempts to gather certificates for identified domains

For complete details on collection and validation, see SSL Certificate Collection.

Update content¶

The SSL Profile includes an Update Content button to manually trigger certificate collection:

Navigate to the SSL Profile.
Select Update Content.
The system queues the domain for certificate collection.

Use cases¶

Discover shared infrastructure¶

Find domains using the same certificate:

Shared hosting environments
Related domains under common ownership
Infrastructure patterns

Track certificate changes¶

Monitor certificate lifecycle:

Certificate renewals
CA changes
Subject or SAN modifications

Identify suspicious patterns¶

Look for indicators of malicious activity:

Self-signed certificates
Unusual issuers
Mismatched subject information
Suspicious SANs

Best practices¶

Certificate analysis¶

Check validity dates: Expired or future-dated certificates may indicate issues.
Verify issuer: Legitimate CAs vs. self-signed or unusual issuers.
Review SANs: Look for unexpected domains in the certificate.
Compare with domain: Ensure certificate matches the domain.

Investigation workflow¶

Review Domain Profile: Get overview.
Open SSL Profile: Examine certificate details.
Check SANs: Identify related domains.
Pivot on hash: Find domains sharing the certificate.
Document findings: Note suspicious patterns.

What to look for¶

Legitimate patterns:

Valid certificates from recognized CAs
Appropriate subject information
Expected SANs
Regular renewal patterns

Suspicious patterns:

Self-signed certificates
Expired or invalid certificates
Mismatched subject information
Unusual SANs
Shared certificates across unrelated domains

Limitations¶

Certificate collection depends on domain accessibility
Some certificates may not be collected if domains are unreachable
Historical certificate data availability varies