SSL Certificate Transforms

Modified on: Wed, 8 Apr, 2020 at 5:05 PM

Overview

This Hub item includes Transforms related to SSL/TLS certificates, including live certificate retrieval and Transforms to query the Certificate Transparency logs using SSLMate Cert Spotter. 

 

Live certificate retrieval allows directly querying a Domain or DNS name for its SSL certificates, which can then be expanded into the other sites that the certificates are valid for, as well as other metadata.


Cert Spotter is a Certificate Transparency log monitor from SSLMate that alerts you when an SSL/TLS certificate is issued for one of your domains (these Transforms only offer querying of the API; requesting new monitors and alerts is not possible from these Transforms). More information: https://sslmate.com/certspotter/api/. 


To Certificates [Cert Spotter]

Transform Meta Info

Display Name: To Certificates [Cert Spotter]

Transform Name: certspotter.DomainToCerts

Short Description: Returns active certificates issued to the given domain

Data Source: Certificate Transparency Logs via Cert Spotter API

Owner: Maltego Tech GmbH

Author: dev@maltego.com

Input Entity: Domain or DNSName

Output Entity: X509Certificate

 

Transform Inputs

| Input Name | Type | Default Value | Description |
| --- | --- | --- | --- |
| Match Wildcards | Boolean | true | Option to include certificates for wildcard DNS names that match the given domain |
| Include Subdomains | Boolean | true | Option to include certificates issued to sub-domains of the given domain. |
| Cert Spotter API Key | String | | The API key for Cert Spotter |

 

Description

This Transform retrieves currently valid certificates for the given domain that are present in Certificate Transparency (CT) Logs. It uses SSLMate’s Cert Spotter API to search the logs.


If the input Match Wildcards is set, certificates issued to wildcard DNS names such as *.domain.com are also returned.

If the input Include Subdomains is set, certificates issued to sub-domains (of any depth) of the given domain are also returned. Note that setting this input to true implies a full-domain query, which is subject to a stricter rate limit by Cert Spotter (see the note below about rate-limiting). Setting this input to false implies a single-hostname query, which is less aggressively rate-limited.


The input Cert Spotter API Key allows you to input your own API key if you have purchased it from Cert Spotter.


Please note that this Transform accesses the Cert Spotter API and that queries for the free tier are subject to rate-limits. Currently, unauthenticated users are limited to 100 hostname queries per day (75 per hour), and 10 daily subdomain queries. If your investigation is being held back by rate-limiting, consider purchasing an API key from Cert Spotter. For more information or to obtain an API key, please refer to the Cert Spotter pricing page.


Use Case

You can use this Transform to identify all current, valid certificates present in the CT logs for the given domain. This is useful for discovering any rogue certificates issued to the Domain and for identifying the certificate issuing authority.


This Transform is also useful for identifying “domain squatters”. Domain squatters are people who purchase domains with the intent of preventing others from purchasing them and/or profiting from ownership of the domains by eventually reselling them to buyers who require them. This Transform can be used to check the certificates issued for existing top-level domains like the given domain. We can expect the returned certificates to use similar certificate authorities, and can then further investigate any domains that have certificates issued by authorities which did not issue certificates for the other domains.
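The issuer comparison described in this use case can be scripted once the Transform results are exported. The following is an added example, not Maltego's code: the record fields, the helper names and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timezone

def cert(domain, issuer, not_before, not_after):
    """Build one constructed record; field names are assumptions for this example."""
    return {"domain": domain, "issuer": issuer, "not_before": not_before, "not_after": not_after}

# Constructed sample: certificates returned for the same name under three TLDs.
CERTS = [
    cert("example.com", "CA One", "2020-02-01T00:00:00Z", "2020-05-01T00:00:00Z"),
    cert("example.net", "CA One", "2020-02-01T00:00:00Z", "2020-05-01T00:00:00Z"),
    cert("example.org", "CA One", "2020-02-01T00:00:00Z", "2020-05-01T00:00:00Z"),
    cert("example.com", "CA Two", "2020-02-01T00:00:00Z", "2020-05-01T00:00:00Z"),
    cert("example.net", "CA Two", "2020-02-01T00:00:00Z", "2020-05-01T00:00:00Z"),
    cert("example.org", "CA Three", "2020-02-01T00:00:00Z", "2020-05-01T00:00:00Z"),
    cert("example.com", "CA Four", "2019-01-01T00:00:00Z", "2019-04-01T00:00:00Z"),  # expired
]
NOW = datetime(2020, 4, 8, tzinfo=timezone.utc)  # constructed reference time

def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def active(certs, now):
    """Keep certificates whose validity window contains `now`."""
    return [c for c in certs if _ts(c["not_before"]) <= now <= _ts(c["not_after"])]

def issuer_outliers(certs, now, min_domains=2):
    """Map domain -> issuers that issued for fewer than `min_domains` of the domains."""
    live = active(certs, now)
    domains_by_issuer = defaultdict(set)
    for c in live:
        domains_by_issuer[c["issuer"]].add(c["domain"])
    shared = {i for i, ds in domains_by_issuer.items() if len(ds) >= min_domains}
    flagged = defaultdict(set)
    for c in live:
        if c["issuer"] not in shared:
            flagged[c["domain"]].add(c["issuer"])
    return {d: sorted(i) for d, i in sorted(flagged.items())}

if __name__ == "__main__":
    print(issuer_outliers(CERTS, NOW))
```

A flagged domain is only a lead for further investigation; an organization that legitimately uses a different certificate authority for one domain will also appear here.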


To Certificate

Transform Meta Info

Display Name: To Certificate

Transform Name: ssl.DomainToCert

Short Description: Fetches the certificate from the TLS server

Data Source: TLS server running at the given domain

Owner: Maltego Tech GmbH

Author: dev@maltego.com

Input Entity: Domain or DNSName

Output Entity: X509Certificate

 

Transform Inputs

| Input Name | Type | Default Value | Description |
| --- | --- | --- | --- |
| TCP port | String | 443 | The destination port where the server is listening |

 

Description

This Transform fetches, in real time, the certificate from a TLS server running at the host suggested by the given domain. For this Transform to work, a DNS lookup of the domain should result in an A or AAAA record suggesting that there is a valid hostname. In addition, the TLS server should be running on the port indicated by the TCP port input. If not, the Transform will return an error.

 

Note that the DNS lookups are performed by a Transform Server operated by Maltego Technologies and will therefore use the corresponding ISP’s DNS servers.


To Certificate Chain

 

Display Name: To Certificate

Transform Name: ssl.DomainToCerts

Short Description: Fetches the certificate chain from the TLS server

Data Source: TLS server running at the given domain

Owner: Maltego Tech GmbH

Author: dev@maltego.com

Input Entity: Domain or DNSName

Output Entity: X509Certificate

 

Transform Inputs

| Input Name | Type | Default Value | Description |
| --- | --- | --- | --- |
| TCP port | String | 443 | The destination port where the server is listening |

Description

This Transform is similar to the ‘To Certificate’ Transform, but additionally fetches all the certificates advertised by the TLS server. Multiple certificates are advertised by the TLS servers to convey the certificate chain to the TLS client. This Transform returns all the certificates from this chain. 


Note that the DNS lookups are performed by a Transform Server operated by Maltego Technologies and will therefore use the corresponding ISP’s DNS servers.


To Domains

Transform Meta Info

Display Name: To Domains

Transform Name: ssl.CertToDomains

Short Description: Returns all the identified DNS names

Data Source:

Owner: Maltego Tech GmbH

Author: dev@maltego.com

Input Entity: X509Certificate

Output Entity: DNSName

 

Description

This Transform returns all the DNS names that are identified by the given certificate. The list of DNS names is obtained from the Subject Alternative Names (SAN) property of the certificate.


Use-Case

This Transform can help discover unknown subdomains or associated domains. If a Certificate retrieved for a given domain is also valid for other domains or subdomains, this Transform is useful in making these visible on the graph.


To Issuer

Transform Meta Info

Display Name: To Issuer

Transform Name: ssl.CertToIssuer

Short Description: Returns the name of the certificate’s issuer, i.e. the certificate authority

Data Source:

Owner: Maltego Tech GmbH

Author: dev@maltego.com

Input Entity: X509Certificate

Output Entity: Phrase


Description

This Transform returns the name of the certificate authority that issued the given certificate.


To Organization

Transform Meta Info

Display Name: To Organization

Transform Name: ssl.CertToOrganization

Short Description: Returns the organization of the certificate’s subject

Data Source:

Owner: Maltego Tech GmbH

Author: dev@maltego.com

Input Entity: X509Certificate

Output Entity: Organization

 

Description

This Transform returns the organization name to which the subject of the given certificate belongs. This information is extracted from the subject’s Distinguished Name in the certificate.


Use Case

If the certificate is issued to a subject whose Distinguished Name is: C=US,ST=California,L=San Bruno,O=Freshworks Inc,OU=Freshworks,CN=success.midaxo.com, the organization name is extracted from the substring O=Freshworks Inc as Freshworks Inc.


To Country

Transform Meta Info

Display Name: To Country

Transform Name: ssl.CertToCountry

Short Description: Returns the country of the certificate’s subject

Data Source:

Owner: Maltego Tech GmbH

Author: dev@maltego.com

Input Entity: X509Certificate

Output Entity: Country

 

Description

This Transform identifies and returns the name of the country of the subject to which the given certificate belongs. This information is extracted from the subject’s Distinguished Name in the certificate.


Example

If the certificate is issued to a subject whose Distinguished Name is: C=US,ST=California,L=San Bruno,O=Freshworks Inc,OU=Freshworks,CN=success.midaxo.com, the country is extracted from the substring C=US as US.
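The organization and country extraction described for To Organization and To Country can be reproduced outside Maltego with a small Distinguished Name parser. This is an added example, not the Transforms' own code; it goes beyond the page's case by handling RFC 4514 escapes and multi-valued components, and the function names and the second DN are constructed for illustration.

```python
import re

# DN from the page, plus a constructed DN whose organization contains an escaped comma.
PAGE_DN = "C=US,ST=California,L=San Bruno,O=Freshworks Inc,OU=Freshworks,CN=success.midaxo.com"
ESCAPED_DN = r"C=US,O=Example\, Inc.,OU=Web+CN=www.example.com"  # constructed

def split_unescaped(text, sep):
    """Split on sep, skipping separators that are backslash-escaped."""
    parts, buf, i = [], "", 0
    while i < len(text):
        step = 2 if text[i] == "\\" else 1  # an escape pair travels together
        if step == 1 and text[i] == sep:
            parts.append(buf)
            buf = ""
        else:
            buf += text[i:i + step]
        i += step
    return parts + [buf]

_ESC = re.compile(rb"\\([0-9A-Fa-f]{2})|\\(.)", re.S)

def unescape(value):
    """Decode RFC 4514 escapes: backslash + two hex digits, or backslash + one character."""
    decode = lambda m: bytes([int(m.group(1), 16)]) if m.group(1) else m.group(2)
    return _ESC.sub(decode, value.encode("utf-8")).decode("utf-8", errors="replace")

def parse_dn(dn):
    """Return {attribute type: [values]} for a string-form Distinguished Name."""
    attrs = {}
    for rdn in split_unescaped(dn, ","):
        for ava in split_unescaped(rdn, "+"):  # multi-valued component
            key, eq, raw = ava.partition("=")
            if eq:
                attrs.setdefault(key.strip().upper(), []).append(unescape(raw))
    return attrs

def first(dn, attr):
    """First value of attr (for example "O" or "C"), or None when absent."""
    return parse_dn(dn).get(attr, [None])[0]

def naive_org(dn):
    """Plain comma split, for contrast: truncates values that contain escaped commas."""
    return dict(p.split("=", 1) for p in dn.split(",") if "=" in p).get("O")
```

On the constructed DN the plain comma split returns a truncated organization, which matters when organization names are used to pivot between certificates on a graph.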


To Valid From

Transform Meta Info

Display Name: To Valid From

Transform Name: ssl.CertToValidFrom

Short Description: Returns the date from which the certificate is valid

Data Source:

Owner: Maltego Tech GmbH

Author: dev@maltego.com

Input Entity: X509Certificate

Output Entity: DateTime

 

Description

This Transform returns the start date of the certificate’s validity.


To Valid Until

Transform Meta Info

Display Name: To Valid Until

Transform Name: ssl.CertToValidUntil

Short Description: Returns the date until which the certificate is valid

Data Source:

Owner: Maltego Tech GmbH

Author: dev@maltego.com

Input Entity: X509Certificate

Output Entity: DateTime

 

Description

This Transform returns the end date of the certificate’s validity.
