Introduction to Certificates
The Censys certificates data set is the most exhaustive collection of X.509 certificates in existence (~10B and growing daily).
Certificates are central to Internet traffic encryption: a certificate binds a public key to an identity, which lets the parties in a TLS connection authenticate the service they are talking to. Censys collects certificates into a repository for searching and viewing.
Each Censys cert record contains:
- Data parsed from the certificate using ZCrypto, an open-source, Go-based cryptographic library
- Trust information from major root stores such as Apple, Google Chrome, Microsoft, and Mozilla NSS
- Submission information from Certificate Transparency (CT) logs
  Learn more about certificate transparency and its effect on the Censys Certificates repository
- Lint results describing non-conformance to the X.509 standard, produced with the ZLint library
- Data about Censys collection and observation during scans
Certificate Collection at Censys
Certificates are collected via two methods:
- Syncing with a number of CT logs
- Observing a certificate presented during a TLS handshake in a Censys scan of the public Internet (on any protocol that uses TLS)
A certificate that arrived only through CT syncing may never have been served by a live host; the ever_seen_in_scan field records whether a scan has actually observed it.
Parsed Certificate Data
The contents of a certificate are fixed once the issuer signs it: the signature covers the whole to-be-signed body, so any later change invalidates the certificate.
Censys parses the contents of each certificate and provides them as searchable fields in an object called parsed.
Parsed Fields from a Certificate (not an exhaustive list; see all fields here)
- Issuer DN - The distinguished name of the certificate authority that issued the certificate.
- Subject DN - The distinguished name of the entity the certificate was issued to.
- Extensions - Optional fields defined by X.509 v3 extensions, such as Subject Alternative Names, Key Usage, and Basic Constraints.
- Validity Period - The notBefore and notAfter dates between which the certificate can be used.
- Serial Number - The identifier the issuing CA assigned to the certificate; unique within that CA.
- Public Key - The public half of the key pair the certificate certifies.
- Signature Algorithm - The algorithm the issuer used to sign the certificate.
- Signature Value - The bit string containing the issuer's digital signature.
Other Certificate Data
Other data about the certificate and the collection process is also presented in a Censys certificate record, such as:
- Trust and validation (validation) - Information about the status of the certificate's trust in modern web browsers.
- Certificate transparency (ct) - Information about submissions to CT logs.
- ZLint (zlint) - Whether the certificate's attributes triggered any lints for non-conformance to the X.509 standard.
- Seen in Scan (ever_seen_in_scan) - Whether the certificate has ever been seen during a Censys scan of the Internet. This is a one-way boolean: once true, it stays true.
Certificate Trust and Validation
Trust chains are an important part of certificate usage. For a certificate to be trusted, it must chain up, through a series of signing certificates, to a root certificate that is present in a major root trust store.
Censys indexes certificate trust information for each root store in a record called validation.
Certificate Validation Fields For Each Root Store
- Valid (is_valid) - A boolean for whether the certificate is currently trusted by a browser using this root store.
- Ever Valid (ever_valid) - A boolean for whether the certificate was trusted at some point during its validity period, so an expired certificate that was trusted before it expired keeps ever_valid set.
- Parents (parents) - A list of the fingerprints of the intermediate and root certificates in the chain.
- Chain (chains) - A representation of the chain(s) of signing certificates up to the root.
- Had Trusted Path (had_trusted_path) - A boolean for whether a chain to a root in this store could be built and was trusted by the browser.
- In Revocation Set (in_revocation_set) - Whether the certificate is included in the browser's list of certificates whose trust was revoked before their expiration.
Censys regularly re-validates unexpired certificates.
Values of validation fields and related labels are accurate as of the validated_at timestamp in the certificate record; for a certificate close to expiry or recent revocation, compare validated_at with the current time before relying on is_valid.
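The following Go program is an added example, not code from Censys, ZCrypto or this page. It builds a tiny in-memory PKI (a root, an issuing intermediate and a 90-day server leaf for www.example.com, all constructed here), extracts the parsed fields described in the Parsed Certificate Data section (issuer and subject DN, serial number, validity period, signature algorithm, SANs) together with the SHA-256 fingerprint, and then derives the per-root-store validation values is_valid, ever_valid, had_trusted_path and parents by chaining the leaf to a root store at a chosen validated_at time, including the expired-but-once-trusted case. The Parsed and Validation types, the rule of re-checking the chain just after notBefore to derive ever_valid, and the example certificates are assumptions of this example, not the Censys schema or validation procedure.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Parsed and Validation are miniatures of the "parsed" and per-root-store "validation"
// blocks of a Censys record. Field names follow the page; the Go types are this example's.
type Parsed struct {
	IssuerDN, SubjectDN, SerialNumber, SignatureAlgorithm string
	NotBefore, NotAfter                                  time.Time
	DNSNames                                             []string
}
type Validation struct {
	IsValid, EverValid, HadTrustedPath bool
	Parents                            []string // fingerprints of intermediate(s) and root
	ValidatedAt                        time.Time
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// fingerprint is the SHA-256 of the DER bytes, the identifier Censys keys records by.
func fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// issue signs tmpl with parentKey (self-signed when parent is nil) and returns the
// parsed certificate together with the fresh P-256 key it certifies.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}
func caTemplate(serial int64, cn string, nb time.Time) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: nb.Add(-365 * 24 * time.Hour), NotAfter: nb.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
}

// buildPKI constructs, in memory and for this example only, a root, an issuing
// intermediate and a 90-day server leaf for www.example.com valid from nb.
func buildPKI(nb time.Time) (leaf, inter, root *x509.Certificate) {
	root, rootKey := issue(caTemplate(1, "Example Root CA", nb), nil, nil)
	inter, interKey := issue(caTemplate(2, "Example Issuing CA", nb), root, rootKey)
	leaf, _ = issue(&x509.Certificate{SerialNumber: big.NewInt(0x0123abcd),
		Subject: pkix.Name{CommonName: "www.example.com"}, DNSNames: []string{"www.example.com"},
		NotBefore: nb, NotAfter: nb.Add(90 * 24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, inter, interKey)
	return leaf, inter, root
}
func parse(c *x509.Certificate) Parsed {
	return Parsed{IssuerDN: c.Issuer.String(), SubjectDN: c.Subject.String(),
		SerialNumber: c.SerialNumber.Text(16), SignatureAlgorithm: c.SignatureAlgorithm.String(),
		NotBefore: c.NotBefore, NotAfter: c.NotAfter, DNSNames: c.DNSNames}
}

// validate chains leaf to a root store holding root, with inter offered as an untrusted
// intermediate (as a server would present it). is_valid is judged at validatedAt; on failure the
// chain is re-checked just after notBefore to separate "expired but was trusted" from "never trusted".
func validate(leaf, inter, root *x509.Certificate, validatedAt time.Time) Validation {
	inters, roots := x509.NewCertPool(), x509.NewCertPool()
	inters.AddCert(inter)
	roots.AddCert(root)
	v := Validation{ValidatedAt: validatedAt}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: validatedAt}
	chains, err := leaf.Verify(opts)
	if v.IsValid = err == nil; !v.IsValid {
		opts.CurrentTime = leaf.NotBefore.Add(time.Second)
		chains, err = leaf.Verify(opts)
	}
	if err != nil {
		return v // no path to a trusted root at any point in the validity period
	}
	v.EverValid, v.HadTrustedPath = true, true
	for _, c := range chains[0][1:] { // chains[0][0] is the leaf itself
		v.Parents = append(v.Parents, fingerprint(c.Raw))
	}
	return v
}

func main() {
	nb := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	leaf, inter, root := buildPKI(nb)
	fmt.Printf("%s %+v\n", fingerprint(leaf.Raw)[:16], parse(leaf))
	for _, at := range []time.Time{nb.Add(30 * 24 * time.Hour), nb.Add(400 * 24 * time.Hour)} {
		v := validate(leaf, inter, root, at)
		fmt.Printf("validated_at=%s is_valid=%t ever_valid=%t parents=%d\n", at.Format(time.RFC3339), v.IsValid, v.EverValid, len(v.Parents))
	}
}
```

Running it validates the same leaf at two validated_at times: 30 days after notBefore it reports is_valid=true, ever_valid=true and two parents (intermediate, then root); 400 days after notBefore the leaf has expired, so is_valid is false while ever_valid, had_trusted_path and parents are unchanged. Validating against a root store that holds a different root yields false for all three booleans and an empty parents list, which is how "never chained to a trusted root" differs from "expired".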
ZLint
Censys uses the open-source ZLint tool to lint each certificate in its collection for conformance to X.509 standards.
Lack of conformity to a specification can result in the following types of triggered lints, in increasing order of severity:
- Notice - Informational; the certificate is conformant but has a property worth flagging.
- Warning - A SHOULD or SHOULD NOT requirement is not met.
- Error - A MUST or MUST NOT requirement is not met.
- Fatal - The certificate is malformed in a way that prevented the lint from running at all.
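The miniature linter below is an added example, not ZLint's own code. It follows the shape ZLint gives each lint (an applicability test plus the check itself, returning one status) and runs a handful of checks over a constructed, unsigned certificate, rolling the results up into the four triggered levels. The checks, their names and their severities are this example's choices, modelled on the kind of RFC 5280 and CA/Browser Forum requirements ZLint encodes; they are not ZLint's lint catalogue, and the Summary type only approximates the zlint object in a Censys record, whose exact field names are not assumed here.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Status is a lint outcome. Pass and NA are silent; Notice, Warning, Error and Fatal
// are the four triggered levels named on the page. The Go type is this example's.
type Status int

const (
	Pass Status = iota
	NA
	Notice
	Warning
	Error
	Fatal
)

func (s Status) String() string {
	return [...]string{"pass", "NA", "notice", "warning", "error", "fatal"}[s]
}

// Lint pairs an applicability test with the check itself (the CheckApplies/Execute shape of a
// ZLint lint). The lints below are illustrative stand-ins written for this example, not ZLint's.
type Lint struct {
	Name    string
	Applies func(*x509.Certificate) bool
	Run     func(*x509.Certificate) Status
}

func when(triggered bool, s Status) Status {
	if triggered {
		return s
	}
	return Pass
}
func always(*x509.Certificate) bool       { return true }
func hasSerial(c *x509.Certificate) bool  { return c.SerialNumber != nil }
func serverCert(c *x509.Certificate) bool { return !c.IsCA && c.SerialNumber != nil }

var lints = []Lint{
	{"serial_number_missing", always, func(c *x509.Certificate) Status {
		return when(c.SerialNumber == nil, Fatal) // nothing usable to lint: the record is broken
	}},
	{"serial_number_longer_than_20_octets", hasSerial, func(c *x509.Certificate) Status {
		return when(len(c.SerialNumber.Bytes()) > 20, Error) // RFC 5280 4.1.2.2: MUST NOT exceed 20 octets
	}},
	{"validity_longer_than_398_days", serverCert, func(c *x509.Certificate) Status {
		return when(c.NotAfter.Sub(c.NotBefore) > 398*24*time.Hour, Error) // CA/B Forum limit for TLS server certs
	}},
	{"eku_beyond_server_and_client_auth", serverCert, func(c *x509.Certificate) Status {
		for _, e := range c.ExtKeyUsage {
			if e != x509.ExtKeyUsageServerAuth && e != x509.ExtKeyUsageClientAuth {
				return Warning // illustrative severity: extra purposes on a TLS server cert
			}
		}
		return Pass
	}},
	{"subject_common_name_included", serverCert, func(c *x509.Certificate) Status {
		return when(c.Subject.CommonName != "", Notice) // SANs carry the names; a CN is legacy
	}},
}

// Summary approximates a record's zlint block: one status per lint plus a flag per triggered level.
type Summary struct {
	Results map[string]Status
	Present map[Status]bool // Present[Error] plays the role of an "errors present" flag
}

func lint(c *x509.Certificate) Summary {
	s := Summary{Results: map[string]Status{}, Present: map[Status]bool{}}
	for _, l := range lints {
		st := NA
		if l.Applies(c) {
			st = l.Run(c)
		}
		s.Results[l.Name] = st
		if st >= Notice {
			s.Present[st] = true
		}
	}
	return s
}

// sampleCert is a constructed, unsigned leaf that trips several lints at once.
func sampleCert() *x509.Certificate {
	nb := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	return &x509.Certificate{
		SerialNumber: new(big.Int).Lsh(big.NewInt(1), 170), // 22 octets
		Subject:      pkix.Name{CommonName: "www.example.com"}, DNSNames: []string{"www.example.com"},
		NotBefore:    nb, NotAfter: nb.Add(825 * 24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageEmailProtection},
	}
}

func main() {
	s := lint(sampleCert())
	fmt.Println(s.Results, s.Present)
}
```

The sample certificate triggers an error (serial too long), a second error (825-day validity), a warning (emailProtection in the EKU) and a notice (a subject CN), so three of the four levels are present and Fatal is not; a certificate with no serial number at all hits the Fatal lint, and the serial-dependent lints report NA rather than guessing. The applicability test is what keeps the 398-day rule from firing on CA certificates, which is the same reason ZLint separates CheckApplies from Execute.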