Certificate ASM Assets
Certificates are vital for maintaining the integrity and security of your organization’s Internet-facing products and services. Use the power of Censys Attack Surface Management to manage and explore all of your organization’s certificates.
Services and devices that don’t belong to your organization’s known inventory can pose a major security risk. Discover how you can identify rogue assets outside of your IP ranges with unexpected configurations or certificates using Censys Search in Attack Surface Management.
You can view the Certificates page to see all of the TLS certificates connected to your organization, including default certs that your hosts may present. The certificates included here are discovered through Censys Internet scans as well as from certificate transparency logs, so you may find some certificates you didn’t know existed.
In the table, you see a catalog of all certificates, indexed by SHA-256 fingerprint. By default, the certificates list is filtered to only show certificates that are in use, which means they were presented by a host during the Censys scan of the Internet.
Other columns in the table include:
- Names on Certificate: Any names for which the certificate can be used to verify the identity.
- Expiration Date: The date on which the certificate expires and can no longer be trusted by browsers if it is live on a site. As of 2017, the maximum validity duration is 2 years.
- Issuer: The certificate authority that issued the certificate.
- Subject Organization: The name of the organization to which the certificate was issued, if available.
- Self-Signed: Whether or not the certificate is self-signed (whether the issuer is the same as the subject). Self-signed certificates can be an indication of an internal or development service not intended to be exposed to the public Internet.
- Valid: A Censys indicator of trustworthiness, based on the certificate’s features, including trust anchors, formatting, signatures, validity dates, and more.
- Key Type: The algorithm of the certificate’s public key.
At the top of the Certificates page are 4 shortcut filters to help you see important issues related to your certificates. You can remediate and avoid operational issues using these shortcuts to search.
Shortcut filters include:
- Expired: Expired certs that are live on a host, which may be causing service interruption for your customers.
- Expiring in the Next 7 Days: Prioritize replacing these certs to ensure no interruption in service to your customers.
- Expiring in the Next 30 Days: Prepare for these expirations by readying new certificates soon.
- Current But Not in Use: These certs were seen in public CT logs but not presented by any of your hosts. Check the names on the cert and look into those hosts to make sure everything is expected.
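The four shortcut filters above, together with the Self-Signed column (issuer the same as the subject) and the SHA-256 fingerprint the table is indexed by, as executable logic over a small constructed inventory. This is an added example written for this page, not code from Censys ASM or its SDK; the record fields (`subject_dn`, `issuer_dn`, `not_after`, `in_use`, `der`), the DN string format and the sample dates are assumptions.

```python
import hashlib
from datetime import datetime, timedelta, timezone
DAY = timedelta(days=1)

def parse_dn(dn: str) -> dict:
    """Split 'C=US, O=Example Org, CN=dev.example.com' into RDN key-value pairs
    (simplified: escaped commas inside values are not handled)."""
    pairs = (part.partition("=") for part in dn.split(","))
    return {k.strip(): v.strip() for k, _, v in pairs if k.strip()}

def is_self_signed(cert: dict) -> bool:
    """The page's definition: the issuer DN is the same as the subject DN."""
    return parse_dn(cert["subject_dn"]) == parse_dn(cert["issuer_dn"])

def fingerprint(der: bytes) -> str:
    """SHA-256 of the certificate body: the table's index key (64 hex digits)."""
    return hashlib.sha256(der).hexdigest()

def shortcut_filter(cert: dict, now: datetime):
    """Which of the page's four shortcut filters the record falls under, or None.
    Expiry filters apply to certs live on a host; 'Current But Not in Use' is an
    unexpired cert seen in CT logs but presented by none of your hosts."""
    expires = cert["not_after"]
    if not cert["in_use"]:
        return "Current But Not in Use" if expires > now else None
    if expires <= now:
        return "Expired"
    if expires <= now + 7 * DAY:
        return "Expiring in the Next 7 Days"
    if expires <= now + 30 * DAY:
        return "Expiring in the Next 30 Days"
    return None

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock for the sample
ISSUER = "C=US, O=Example CA, CN=Example Issuing CA"
SAMPLE = [  # constructed records; 'der' stands in for the real DER bytes
    {"der": b"cert-a", "subject_dn": "C=US, O=Example Org, CN=www.example.com",
     "issuer_dn": ISSUER, "not_after": NOW + 3 * DAY, "in_use": True},
    {"der": b"cert-b", "subject_dn": "CN=dev.example.com",
     "issuer_dn": "CN=dev.example.com", "not_after": NOW + 20 * DAY, "in_use": True},
    {"der": b"cert-c", "subject_dn": "C=US, O=Example Org, CN=old.example.com",
     "issuer_dn": ISSUER, "not_after": NOW + 200 * DAY, "in_use": False},
]

def triage(records=SAMPLE, now=NOW):
    return [(fingerprint(c["der"]), shortcut_filter(c, now), is_self_signed(c)) for c in records]

if __name__ == "__main__":
    for fp, bucket, selfsigned in triage():
        print(fp[:16], bucket or "-", "self-signed" if selfsigned else "CA-issued")
```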
You can hide or show additional columns by clicking the Columns button above the table. Select or clear the columns to create your view.
Additional column options include:
- Association Date: The date when the certificate was added to your attack surface.
- Browser Trust: A list of browsers that trust the certificate chain. If empty, none of the 4 major browsers trust the certificate.
- Tags: Tags applied to the certificate.
- Ownership Status: Whether Censys believes this cert is associated with you (Owned) or not (Unknown).
Navigate the certificate listing by paging through the table or applying filters to view certificates with specific properties. These complex filters let you focus on very specific criteria.
Filters include:
- Association Date: The date when the certificate was added to your attack surface.
- Browser Trust: Browsers that trust the certificate chain.
- Certificate In Use: Whether or not a certificate is being presented by an Internet host.
- Expiration Date: The date on which the certificate expires.
- Fingerprint: The unique identifier of a certificate, in SHA-256 format.
- IP Address/CIDR Block: Certificates in use by an IP address or a block of IP addresses (in CIDR notation).
- Names on Certificate: The name(s) listed on the certificate.
- Issuer: The certificate authority that issued the certificate.
- Validity: Whether or not the certificate is considered valid, based on trust anchors, formatting, signatures, validity dates, and more.
- Self-Signed: Whether or not the certificate was issued by the same organization that uses it.
Click the linked fingerprint to see a certificate detail page with additional information.
The primary title of the page is the certificate’s common name. The secondary title is the SHA-256 fingerprint.
Tags are labels you and your team create to apply to assets in your attack surface. When you create a tag, you can also format the tag with a background color. Any tags applied to the certificate are shown underneath, with an X option to remove them.
Add a new tag by clicking Add Tag. In the dialog box that appears, type the name of a new tag and select the color, or select from existing tags that appear in the menu.
The first area on the page shows recent activity related to this certificate, taken from the logbook. Activity includes events such as the certificate being added to your organization, and connections between this cert and your hosts.
Clicking View All at the bottom expands the card so you can see all events related to this certificate after Censys added it to your organization.
If you want to filter the events further, excluding or including only certain types, click Filter in the top right corner of the card to go to the Logbook page, where those refinement options are available.
The Logbook page shows the SHA-256 fingerprint filter already set for the certificate.
The next area shows a list of assets whose connections to this certificate were used to determine with confidence that it belongs to your organization.
If you decide after investigating that you do not want Censys Attack Surface Management to track this certificate for you, you can click Remove on the upper right of the page.
This action removes the asset and puts it on an excluded asset list so it does not reappear in subsequent Censys Attack Surface Management updates.
The top portion of the area on the far right provides an overview of the most important certificate identification information, as well as a visual indicator of any problems with the cert.
Information in this section includes:
- Common Name: The nominal fully qualified domain name of the certificate.
- Organization: The organization to which the certificate was issued, if provided in the Subject DN of the certificate.
- Certificate Issuer: The name of the certification authority that issued the certificate.
- Ownership: A categorization providing a Censys interpretation of whether this cert is associated with you (Owned) or not (Unknown).
- Status: Whether or not the certificate is currently in use on a host.
The lower area on the right provides a report on the factors that determine whether there are any risks attached to the use of this certificate, as indicated by the icon at the top of the panel.
- Validity Start Date: The date on which the certificate can be used to verify the identity of the service(s) for which it has been issued.
- Expiration Date: The date on which the certificate can no longer be used to verify the identity of the service(s) for which it was issued.
- Public Key Type: The algorithm used for the certificate’s public key.
- Self-Signed: Whether the issuer is the same as the subject.
- Browser Trust: Whether each of the four major browser-owning companies (Apple, Microsoft, Google, Mozilla NSS) endorses the chain of trust used by this certificate.
This area provides detailed information from within the certificate, as well as information about its connections to other assets in your attack surface.
- Subject DN: Information about the identities that the certificate is valid for, consisting of a number of key-value pairs called Relative Distinguished Names (RDNs).
  Common RDNs found in this field:
  - C: Country Name
  - CN: Common Name
  - L: Locality
  - O: Organization
  - OU: Organizational Unit
  - S: State Or Province Name
- Issuer DN: Information about the identity of the certificate issuer, in key-value pairs called Relative Distinguished Names (RDNs). See above for common attributes.
- SHA-256: A SHA-256 hash of the certificate body, used as a unique identifier and represented as a 64-digit hexadecimal string.
- SHA-1: A SHA-1 hash of the certificate body, represented as a 40-digit hexadecimal string.
- Serial Number: A certificate identifier that is unique within the issuing certificate authority. Used for indexing revocation lists.
- Key Usage: The purpose(s) for which the public key may be used.
  Common Key Usage purposes:
  - Digital Signature
  - Key Encipherment
- Extended Key Usage: Other purpose(s) for which the public key may be used, in addition to or in place of the basic purposes already indicated in the Key Usage extension.
  Common Extended Key Usage purposes:
  - Server Authentication
  - Client Authentication
  - Any
- Signature Algorithm: The algorithm used to sign the certificate, with the algorithm OID in parentheses.
- Certificate Visibility: This section lists any Certificate Transparency logs that the cert has been entered in, with the date that it was added to each.
- Last Updated: This metadata field shows the last time Censys updated information about this certificate, not including its presentation by a host during TLS handshakes.