Certificates

Use the Certificates page to view all of the TLS certificates connected to your organization, including default certs that your hosts may have presented. The certificates included here were found from Censys Internet scans, as well as from certificate transparency logs. You may discover some certificates you didn’t know existed.

Figure 1. Certificates list page with default filter set

In the table, you’ll see a catalog of all certificates, indexed by SHA-256 fingerprint. By default, the certificates list is filtered to only show certificates that are in use, which means they were presented by a host during Censys' scan of the Internet.

Other columns in the default view of the table include:

Names on Certificate - Any names for which the certifcate can be used to verify the identity.
Expiration Date - The date on which the certificate expires and can no longer be trusted by browsers if it is live on a site. As of 2017, the maximum validity duration is two years.
Issuer - The certificate authority that issued the certificate.
Subject Organization - The name of the organization to which the certificate was issued, if available.
Self-Signed - Whether or not the certificate is self-signed (i.e., whether the issuer is the same as the subject).

Self-signed certificates can be an indication of an internal or development service not intended to be exposed to the public Internet.
Valid - A Censys indicator of trustworthiness, based on the certificate’s features, including trust anchors, formatting, signatures, validity dates, and more.
Key Type - The encryption algorithm of the public key.

Quick Filters

At the top of the Certificates page are four shortcut filters to allow you to see important issues related to your certificates. Remediate and avoid operational issues using these shortcuts to search.

Figure 2. Certificates list page with quick filters highlighted

Shortcut filters include:

Expired - Expired certs that are live on a host, which may be causing service interruption for your customers.
Expiring in the Next 7 Days - Prioritize replacing these certs to ensure no interruption in service to your customers.
Expiring in the Next 30 Days - Prepare for these expirations by readying new certificates soon.
Current But Not in Use - These certs were seen in public CT logs but not presented by any of your hosts. Check the names on the cert and look into those hosts to make sure everything is expected.

Column Selection

You can hide or display additional columns by clicking the Columns button above the table.

Figure 3. Censys certificates page column selection

Select or deselect the columns to create your desired view.

Additional column options include:

Association Date - The date when the certificate was added to your attack surface.
Browser Trust - A list of browsers that trust the certificate chain. If empty, none of the four major browsers trust the certificate.
Tags - Tags applied to the certificate.
Ownership Status - Whether Censys believes this cert is associated to you (Owned) or not (Unknown).

Sort Columns

The default sorting for the table is ascending (A-Z) for the Domains column. Use the arrows on the other columns to sort the table by those attributes.

Filters

Navigate the certificate listing by paging through the table or applying filters to view certificates with specific properties. These complex filters let you zero in on very specific criteria.

Figure 4. Certificates page with filter builder shown

Filters include:

Association Date - The date when the certificate was added to your attack surface.
Browser Trust - Browsers that trust the certificate chain.
Certificate In Use - Whether a certificate is being presented by an Internet host or not.
Expiration Date - The date on which the certificate expires.
Fingerprint - The unique identifier of a certificate in SHA-256 format.
IP Address/CIDR Block - Certificates in use by an IP addresses or block of IP addresses (in CIDR notation).
Names on Certificate - The name(s) listed on the certificate.
Issuer - The certificate authority that issued the certificate.
Validity - Whether the certificate is considered valid or not, based on trust anchors, formatting, signatures, validity dates, and more.
Self-Signed - Whether the certificate was issued by the same organization using it or not.

Clear Filters

You can clear individual filters by clicking the small “X” next to a filter on top of the certificate list.

Figure 5. Clear filters on the certificates page

By default, the certificates list is filtered to show certificates that are in use, which means they were presented by a host during Censys' scan of the Internet.

Download Certificate Data

You can export the certificate catalog as a comma separated value (CSV) sheet for use in other products and workflows. Click the blue Download CSV button in the right-hand corner. The default filename is CertificateExport.csv.

Figure 6. Download the certificate list as a CSV

Certificate Details

Click on the linked fingerprint to see a certificate detail page with additional information.

Figure 7. Click a certificate in the table to see details

The primary title of the page is the certificate’s common name. The secondary title is the SHA-256 fingerprint.

Any tags applied to the certificate are shown underneath, with an X option to remove them. Add a new tag by clicking the Add Tag button. In the modal that appears, type the name of a new tag and select the color, or choose from existing tags that appear in the dropdown menu.

Figure 8. Remove and add tags to a certificate

Recent Certificate Activity

The first card on the page displays recent activity related to this certificate, taken from the logbook. Activity includes events such as the certificate being added to your organization, and connections between this cert and your hosts.

Figure 9. Cert details page with recent activity highlighted

Clicking the blue View All button at the bottom will expand the card so you can see all events related to this certificate since Censys added it to your organization.

Figure 10. Recent activity card expanded to show all events

If you want to filter the events further, excluding or including only certain types, you can click the Filter button that appears in the top-right corner of the card, and go to the Logbook page, where those refinement options are available.

Filter button goes to Logbook page filtered by certificate events

Figure 11. Filter button to Logbook page filtered by certificate events

The Logbook page will show the SHA-256 fingerprint filter already set for the certificate.

For more information on the events that can appear in the recent activity card, see the logbook article.

Trail

The next card displays a list of assets whose connections to this certificate were used to determine with confidence that it belongs to your organization.

Figure 12. Certificate details page with trail card highlighted

If you decide, after investigating, that you do not want Censys to track this certificate for you, you can click the blue Remove button on the upper right-hand side of the page.

Figure 13. Certificate details with remove button highlighted

This action will remove the asset and put it on an excluded asset list so it will not reappear in subsequent Censys updates.

Certificate Overview

The top portion of panel on the far right of the page provides an overview of the most important certificate identification information, as well as a visual indicator of any problems with the cert.

Cert details with Overview card highlighted

Figure 14. Certificate details with overview highlighted

Information in this section includes:

Common Name - The nominal fully qualified domain name of the certificate
Organization - The organization to which the certificate was issued, if provided in the Subject DN of the certificate.
Certificate Issuer - The name of the certification authority that issued the certificate.
Ownership - A categorization providing a Censys interpretation of whether this cert is associated to you (Owned) or not (Unknown).
Status - Whether or not the certificate is currently in use on a host.

Safety Assessment

The lower portion of far-right panel provides a report on the factors that determine whether there are any risks attached to the use of this certificate, as indicated by the icon at the top of the panel.

Cert details with safety info card highlighted

Figure 15. Certificate details with safety info highlighted

Validity Start Date - The date on which the certificate can be used to verify the identity of the service(s) for which it has been issued.
Expiration Date - The date on which the certificate can no longer be used to verify the identity of the service(s) for which it was issued.
Public Key Type - The type of encryption algorithm used for the certificate’s public key.
Self-Signed - Whether the issuer is the same as the subject.
Browser Trust - Whether each of the four major browser-owning companies (Apple, Microsoft, Google, Mozilla NSS) endorse the chain of trust used by this certificate.

Certificate Information

This card provides detailed information from within the certificate, as well as information about its connections to other assets in your attack surface.

Certificate Details

Figure 16. Certificate information card with details tab open

Subject DN - Information about the identities that the certificate is valid for consisting of a number of key-value pairs called Relative Distinguished Names (RDNs).

Common Relative Distinguished Names found in this field:
- C: Country Name
- CN: Common Name
- L: Locality
- O: Organization
- OU: Organizational Unit
- S: State Or Province Name
Issuer DN - Information about the identity of the certificate issuer in key-value pairs called Relative Distinguished Names (RDNs). See above for common attributes.
SHA-256 - A hash of a body resulting in a unique identifier represented as a 64-digit hexadecimal string.
SHA-1 - A hash of a body resulting in an identifier represented as a 40-digit hexadecimal string.
Serial Number - A certificate identifier unique to the certificate issuer. Used for indexing revocation lists.
Key Usage - The purpose(s) for which the public key may be used.

Common Key Usage Purposes:
- Digital Signature
- Key Encipherment
Extended Key Usage - Other purpose(s) for which the public key may be used, in addition to or in place of the basic purposes already indicated in the key usage extension.

Common Extended Key Usage Purposes:
- Server Authentication
- Client Authentication
- Any
Signature Algorithm - The encryption algorithm for signing certificates with the algorithm OID in parentheses.
Certificate Visibility - This section lists any Certificate Transparency Logs that the cert has been entered in, with the date that they were added.
Last Updated - This meta-data field shows the last time Censys updated information about this certificate (not including its presentation by a host during TLS handshakes).

Hosts Presenting Certificate

Figure 17. Certificate information card with presenting hosts tab open

This list of IP addresses represents hosts that are presenting this certificate during a TLS handshake.

Names on Certificate

Figure 18. Certificate information card with names tab open

This list of names is taken from the CN (Common Name) and Subject Alternative Names (SAN) fields in the certificate, and indicate the named services that this certificate can be used to verify.

Summary

Certificates are vital for maintaining the integrity and security of your organization’s Internet-facing products and services. Use the Censys Platform to easily manage and explore of all of your organization’s certificates.

Other Articles In This Section

In this article:

Quick Filters

Column Selection

Sort Columns