Skip to content

SSL certificate collection

DomainTools employs multiple methods to gather and validate SSL/TLS certificate data for domains. Understanding these collection processes helps interpret certificate information in Iris Investigate.

Collection methods

DomainTools uses three separate methods to gather certificate data:

1. Certificate Transparency Logs

DomainTools constantly monitors industry-known certificate transparency logs to find newly published certificates.

Characteristics:

  • Real-time collection of new certificates.
  • Collected in parallel with other sources.
  • Won't replace certificates gathered through other methods.
  • Provides early detection of new certificates.

2. Web Crawler

When gathering web-related data on a domain, the web crawler also attempts to collect certificates.

Characteristics:

  • Collects from both apex domain and www subdomain.
  • Can replace certificates from active collection if more recent.
  • Part of regular web content updates.
  • Triggered manually via Update Content button.

3. Active certificate crawls

DomainTools attempts to gather certificates for identified domains on a weekly basis.

Characteristics:

  • Weekly collection schedule.
  • Targets known domains.
  • Found certificates replace web crawler certificates if more recent.
  • Systematic coverage of domain inventory.

Certificate validation

Hostname verification

For certificates gathered through weekly crawls:

  • The system checks that the requested hostname appears in either:
  • Certificate's Common Name field.
  • Subject Alt Names fields.
  • If the hostname isn't present, the certificate is not collected.

Issuer validation

The system gathers certificates regardless of issuer trustworthiness:

  • Certificates from recognized Certificate Authorities.
  • Self-signed certificates.
  • Certificates from unusual issuers.

This broad collection enables analysis of the widest set of certificates, including those that may indicate suspicious activity.

Validity dates

The system collects certificates regardless of validity status:

  • Valid certificates (within validity period).
  • Expired certificates.
  • Future-dated certificates (not yet valid).

This allows analysis of certificate lifecycle and potential misconfigurations.

What the system doesn't validate

Certificate revocation

  • No support for certificate revocation checking in current processing.
  • Revoked certificates may still appear in results.
  • Check certificate status independently if revocation is a concern.

SSL/TLS configuration

  • Server SSL/TLS configuration quality is not checked.
  • A server may have a valid certificate but weak SSL/TLS configuration.
  • Certificate presence doesn't guarantee secure configuration.

Example: Self-signed certificates

Consider self-signed certificates from the SSL Organization "Internet Widgits Pty Ltd":

  • These certificates are self-signed and the public can't trust them.
  • Iris Investigate still collects and returns them.
  • They may be useful indicators despite non-public-trust status.
  • Self-signed certificates can indicate:
  • Development/testing environments.
  • Internal infrastructure.
  • Potentially suspicious activity.

Collection triggers

Automatic triggers

  • First discovery of a domain.
  • Weekly active crawls.
  • Web crawler operations (for high-risk domains or monitored domains).

Manual triggers

Users can manually trigger certificate collection:

  1. Navigate to SSL Profile or Domain Profile.
  2. Select Update Content.
  3. The system queues the domain for certificate collection.

For more details, see SSL Profile - Update Content.

Collection limitations

Accessibility

  • The system can only collect certificates if domains are accessible.
  • Firewall rules or network restrictions may prevent collection.
  • Offline domains won't have current certificates.

Coverage

  • Historical certificate data availability varies.
  • Collection intervals may miss some certificates.
  • Certificate Transparency Logs provide best coverage for new certificates.

Timing

  • Weekly crawls may not capture short-lived certificates.
  • Manual updates provide on-demand collection.
  • Certificate Transparency Logs offer near-real-time detection.

Best practices

Interpret certificate data

  1. Check collection date: Note when the system collected the certificate.
  2. Verify validity: Confirm certificate is within validity period.
  3. Review issuer: Assess issuer trustworthiness.
  4. Examine SANs: Look for unexpected domains in Subject Alt Names.
  5. Consider context: Self-signed certificates may be legitimate in some contexts.

Investigation workflow

  1. Review SSL Profile: Examine certificate details.
  2. Check validity dates: Identify expired or future-dated certificates.
  3. Verify issuer: Distinguish legitimate CAs from self-signed.
  4. Analyze SANs: Discover related domains.
  5. Update if needed: Trigger manual collection for current data.

See also