Introduction to Certificates
Certificates are an important part of Internet traffic encryption because they verify the identities of the services that are communicating with each other. Censys collects certificates in a repository for searching and viewing.
The Censys certificates data set is the most exhaustive collection of X.509 documents in existence, with roughly 10 billion certificates and growing daily.
Each Censys cert record contains:
- Data parsed from the certificate using ZCrypto, an open-source, Go-based cryptographic library.
- Trust information from major root stores such as Apple, Google Chrome, Microsoft, and Mozilla NSS.
- Submission information from Certificate Transparency (CT) logs. Learn more about certificate transparency and its effect on the Censys Certificates repository.
- Lint results describing non-conformance to the X.509 standard, produced with the ZLint library.
- Data about Censys collection and observation during scans.
The contents of a certificate are immutable and cannot be changed after the certificate is generated.
Censys parses the contents of each certificate and provides them as searchable fields in an object called parsed.
Parsed Fields from a Certificate. Not an exhaustive list. See all fields here.
- Issuer DN: Information about the certificate authority that issued the certificate.
- Subject DN: Information about the entity to which the certificate was issued.
- Extensions: Additional fields that extend the X.509 specification.
- Validity Period: The start and end dates between which the certificate can be used.
- Serial Number: The issuer-specific identifier of the certificate.
- Public Key: The public key of the key pair that is associated with the certificate.
- Signature Algorithm: The algorithm used to sign the certificate.
- Signature Value: Bit string containing the digital signature.
Other data about the certificate and the collection process also appear in a Censys certificate record, such as:
- Trust and validation (validation): Information about the status of the certificate's trust by modern web browsers.
- Certificate transparency (ct): Information about submissions to CT logs.
- Zlint (zlint): Whether the certificate's attributes triggered any lints for non-conformance to the X.509 standard.
- Seen in Scan (ever_seen_in_scan): Whether the certificate has ever been seen during a Censys scan of the Internet. This is a one-way boolean: once it is true, it remains true.
Trust chains are an important part of certificate usage. For a certificate to be trusted, the certificate must chain up, through a series of signing certificates, to a root certificate that is present in a major root trust store.
Censys indexes certificate trust information for each root store in a record called validation.
Certificate Validation Fields For Each Root Store
- Valid (is_valid): A boolean value for whether the certificate is currently trusted by the browser that uses the root store.
- Ever Valid (ever_valid): A boolean value for whether an expired certificate was trusted by the browser before it expired.
- Parents (parents): A list of the fingerprints of the intermediate and root certificates in the chain.
- Chain (chains): A representation of the chain(s) of signing certificates up to the root.
- Had Trusted Path (had_trusted_path): A boolean value for whether the chain was trusted by the browser.
- In Revocation Set (in_revocation_set): Whether the certificate is included in the browser's list of certificates whose trust has been revoked before their expiration.
Censys regularly validates unexpired certificates. Values of validation fields and related labels are accurate as of the validated_at timestamp in the certificate record.
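The following Python model, added here as an illustration and not Censys code, shows how the per-root-store validation fields described above relate to one another: a chain is built by following issuer links from the leaf to a root in a trust store, and is_valid, ever_valid, had_trusted_path, parents, chains and in_revocation_set are derived from that chain as of a validated_at timestamp. The certificate pool, root store, revocation set and fingerprints are constructed sample data; the evaluation is deliberately simplified (validity windows, a single issuer per certificate, no signature checks) to show the field semantics rather than full X.509 path validation.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for a certificate record (constructed fields)."""
    fingerprint: str                    # stands in for the record's SHA-256 fingerprint
    issuer_fingerprint: Optional[str]   # None marks a self-signed root
    not_before: datetime
    not_after: datetime


def build_parents(leaf: Cert, pool: Dict[str, Cert], root_store: Set[str]) -> List[str]:
    """Follow issuer links upward from the leaf.

    Returns the fingerprints of the intermediates and root in order (the
    'parents' field). Walking stops at a root-store member, at a self-signed
    certificate, at an issuer missing from the pool, or on a loop.
    """
    parents: List[str] = []
    seen = {leaf.fingerprint}
    current = leaf
    while current.issuer_fingerprint is not None and current.fingerprint not in root_store:
        issuer = pool.get(current.issuer_fingerprint)
        if issuer is None or issuer.fingerprint in seen:
            break                       # broken chain: cannot reach a trusted root
        parents.append(issuer.fingerprint)
        seen.add(issuer.fingerprint)
        current = issuer
    return parents


def validate(leaf: Cert, pool: Dict[str, Cert], root_store: Set[str],
             revocation_set: Set[str], validated_at: datetime) -> dict:
    """Derive one root store's validation record for a leaf certificate."""
    parents = build_parents(leaf, pool, root_store)
    chain = [leaf] + [pool[fp] for fp in parents]
    had_trusted_path = bool(parents) and parents[-1] in root_store
    # The chain is usable only during the overlap of every member's validity window.
    window_start = max(c.not_before for c in chain)
    window_end = min(c.not_after for c in chain)
    # ever_valid: a trusted path existed at some point, even if it has since expired.
    ever_valid = had_trusted_path and window_start <= window_end
    in_revocation_set = leaf.fingerprint in revocation_set
    # is_valid: trusted path, inside the window at validated_at, and not revoked.
    is_valid = (had_trusted_path and not in_revocation_set
                and window_start <= validated_at <= window_end)
    return {
        "parents": parents,
        "chains": [[leaf.fingerprint] + parents] if had_trusted_path else [],
        "had_trusted_path": had_trusted_path,
        "ever_valid": ever_valid,
        "is_valid": is_valid,
        "in_revocation_set": in_revocation_set,
        "validated_at": validated_at.isoformat(),
    }


def ts(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample data: one trusted root, one intermediate, four leaves.
ROOT_STORE = {"fp-root-a"}              # the single root this "browser" trusts
REVOKED = {"fp-leaf-revoked"}           # constructed revocation set
POOL = {c.fingerprint: c for c in [
    Cert("fp-root-a", None, ts(2015, 1, 1), ts(2035, 1, 1)),
    Cert("fp-int-1", "fp-root-a", ts(2020, 1, 1), ts(2030, 1, 1)),
    Cert("fp-leaf-ok", "fp-int-1", ts(2023, 1, 1), ts(2024, 1, 1)),
    Cert("fp-leaf-expired", "fp-int-1", ts(2021, 1, 1), ts(2022, 1, 1)),
    Cert("fp-leaf-orphan", "fp-int-missing", ts(2023, 1, 1), ts(2024, 1, 1)),
    Cert("fp-leaf-revoked", "fp-int-1", ts(2023, 1, 1), ts(2024, 1, 1)),
]}
VALIDATED_AT = ts(2023, 6, 1)


def validate_all() -> Dict[str, dict]:
    """Validation records for every leaf in the constructed pool."""
    return {fp: validate(c, POOL, ROOT_STORE, REVOKED, VALIDATED_AT)
            for fp, c in POOL.items() if fp.startswith("fp-leaf")}


if __name__ == "__main__":
    for fp, rec in validate_all().items():
        summary = {k: rec[k] for k in ("is_valid", "ever_valid", "had_trusted_path", "in_revocation_set")}
        print(fp, summary)
```

The four constructed leaves cover the cases the fields distinguish: a current certificate with a complete chain (is_valid), an expired one whose chain was once complete (ever_valid but not is_valid), one whose issuer is not in the pool (no trusted path, so neither flag is set), and a revoked one (trusted path and ever_valid, but not is_valid). A real validation record is computed per root store, so the same leaf can carry different values under Apple, Chrome, Microsoft and NSS.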