Overview
This Hub item includes Transforms related to SSL/TLS certificates, including live certificate retrieval and Transforms to query the Certificate Transparency logs using SSLMate Cert Spotter.
Live certificate retrieval allows directly querying a Domain or DNS name for SSL certificates, which can be expanded into other sites that the certificates are valid for, as well as other metadata.
Cert Spotter is a Certificate Transparency log monitor from SSLMate that alerts you when an SSL/TLS certificate is issued for one of your domains (these Transforms only offer querying of the API; requesting new monitors and alerts is not possible from these Transforms). More information: https://sslmate.com/certspotter/api/.
To Certificates [Cert Spotter]
Transform Meta Info
Display Name | To Certificates [Cert Spotter] |
Transform Name | certspotter.DomainToCerts |
Short Description | Returns active certificates issued to the given domain |
Data Source | Certificate Transparency Logs via Cert Spotter API |
Owner | Maltego Tech GmbH |
Author | |
Input Entity | Domain or DNSName |
Output Entity | X509Certificate |
Transform Inputs
Input Name | Type | Default Value | Description |
Match Wildcards | Boolean | true | Option to include certificates for wildcard DNS names that match the given domain |
Include Subdomains | Boolean | true | Option to include certificates issued to sub-domains of the given domain. |
Cert Spotter API Key | String | | The API key for Cert Spotter |
Description
This Transform retrieves currently valid certificates for the given domain that are present in Certificate Transparency (CT) Logs. It uses SSLMate’s Cert Spotter API for searching the logs.
If the input Match Wildcards is set, certificates issued to wildcard DNS names such as *.domain.com are also returned.
If the input Include Subdomains is set, certificates issued to sub-domains (of any depth) of the given domain are also returned. Note that when this input is set to true, it implies a full-domain query and is subject to a stricter rate-limit by Cert Spotter. See the note below about rate-limiting. Setting this input to false implies a single-hostname query, which is less aggressively rate-limited.
The input Cert Spotter API Key allows you to input your own API key if you have purchased it from Cert Spotter.
Please note that this Transform accesses the Cert Spotter API and that queries for the free tier are subject to rate-limits. Currently, unauthenticated users are limited to 100 hostname queries per day (75 per hour), and 10 daily subdomain queries. If your investigation is being held back by rate-limiting, consider purchasing an API key from Cert Spotter. For more information or to obtain an API key, please refer to the Cert Spotter pricing page.
Use Case
You can use this Transform to identify all current, valid certificates present in the CT logs for the given domain. This is useful for discovering any rogue certificates issued to the Domain and for identifying the certificate issuing authority.
This Transform is also useful for identifying “domain squatters”. Domain squatters are persons who purchase domains with the intent of preventing others from purchasing them and/or profiting from ownership of the domains through the eventual reselling of them to buyers who require them. This Transform can be used to check the certificates issued for existing top-level domains like the given domain. We can expect the returned certificates to use similar certificate authorities and then further investigate any domains which have certificates issued by authorities which did not issue certificates for the other domains.
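The issuer comparison described above, as an added example that is not Maltego's or SSLMate's code: it groups certificates by issuer across a set of related domains and flags any certificate whose issuer issued for no other domain in the set. The records are constructed sample data shaped like Cert Spotter issuance objects; the field names used, the function names and the "seen for one domain only" rule are assumptions of this example.

```python
from collections import defaultdict

# Constructed sample data, shaped like Cert Spotter issuance objects with
# dns_names and issuer expanded (field names are assumptions of this example).
TRUST = {"name": "C=US, O=Example Trust, CN=Example Trust R1"}
OTHER = {"name": "C=XX, O=Other CA, CN=Other CA G2"}
ISSUANCES = {
    "example.com": [
        {"dns_names": ["example.com", "www.example.com"], "issuer": TRUST},
        {"dns_names": ["*.example.com"], "issuer": TRUST},
    ],
    "example.net": [
        {"dns_names": ["example.net"], "issuer": TRUST},
    ],
    "example.org": [
        {"dns_names": ["example.org"], "issuer": TRUST},
        {"dns_names": ["login.example.org"], "issuer": OTHER},
    ],
}

def domains_per_issuer(issuances):
    """Map each issuer name to the set of queried domains it issued for."""
    seen = defaultdict(set)
    for domain, records in issuances.items():
        for rec in records:
            seen[rec["issuer"]["name"]].add(domain)
    return dict(seen)

def flag_unusual_issuers(issuances):
    """Return (domain, issuer, dns_names) for every certificate whose issuer
    issued for no other domain in the compared set."""
    seen = domains_per_issuer(issuances)
    findings = []
    for domain, records in issuances.items():
        for rec in records:
            issuer = rec["issuer"]["name"]
            if len(seen[issuer]) == 1:
                findings.append((domain, issuer, rec["dns_names"]))
    return findings

if __name__ == "__main__":
    for domain, issuer, names in flag_unusual_issuers(ISSUANCES):
        print(f"review: {domain} {names} issued by {issuer}")
```

A flagged certificate is a lead for review, not a verdict: a legitimate owner may simply use a second certificate authority for one service.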
To Certificate
Transform Meta Info
Display Name | To Certificate |
Transform Name | ssl.DomainToCert |
Short Description | Fetches the certificate from the TLS server |
Data Source | TLS server running at the given domain |
Owner | Maltego Tech GmbH |
Author | dev@maltego.com |
Input Entity | Domain or DNSName |
Output Entity | X509Certificate |
Transform Inputs
Input Name | Type | Default Value | Description |
TCP port | String | 443 | The destination port where the server is listening |
Description
This Transform, in real-time, fetches the certificate from a TLS server running at the host suggested by the given domain. For this Transform to work, a DNS lookup of the domain should result in an A or AAAA record suggesting that there is a valid hostname. In addition, the TLS server should be running on the port indicated by TCP port input. If not, the Transform will return an error.
Note that the DNS lookups are performed by a Transform Server operated by Maltego Technologies and will therefore use the corresponding ISP’s DNS servers.
To Certificate Chain
Display Name | To Certificate |
Transform Name | ssl.DomainToCerts |
Short Description | Fetches the certificate chain from the TLS server |
Data Source | TLS server running at the given domain |
Owner | Maltego Tech GmbH |
Author | dev@maltego.com |
Input Entity | Domain or DNSName |
Output Entity | X509Certificate |
Transform Inputs
Input Name | Type | Default Value | Description |
TCP port | String | 443 | The destination port where the server is listening |
Description
This Transform is similar to the ‘To Certificate’ Transform, but additionally fetches all the certificates advertised by the TLS server. Multiple certificates are advertised by the TLS servers to convey the certificate chain to the TLS client. This Transform returns all the certificates from this chain.
Note that the DNS lookups are performed by a Transform Server operated by Maltego Technologies and will therefore use the corresponding ISP’s DNS servers.
To Domains
Transform Meta Info
Display Name | To Domains |
Transform Name | ssl.CertToDomains |
Short Description | Returns all the identified DNS names |
Data Source | |
Owner | Maltego Tech GmbH |
Author | dev@maltego.com |
Input Entity | X509Certificate |
Output Entity | DNSName |
Description
This Transform returns all the DNS names that are identified by the given certificate. The list of DNS names is obtained from the Subject Alternative Names (SAN) property of the certificate.
Use Case
This Transform can help discover unknown subdomains or associated domains. If a Certificate retrieved for a given domain is also valid for other domains or subdomains, this Transform is useful in making these visible on the graph.
To Issuer
Transform Meta Info
Display Name | To Issuer |
Transform Name | ssl.CertToIssuer |
Short Description | Returns the name of the certificate’s issuer, i.e. the certificate authority |
Data Source | |
Owner | Maltego Tech GmbH |
Author | dev@maltego.com |
Input Entity | X509Certificate |
Output Entity | Phrase |
Description
This Transform returns the name of the certificate authority that issued the given certificate.
To Organization
Transform Meta Info
Display Name | To Organization |
Transform Name | ssl.CertToOrganization |
Short Description | Returns the organization of the certificate’s subject |
Data Source | |
Owner | Maltego Tech GmbH |
Author | dev@maltego.com |
Input Entity | X509Certificate |
Output Entity | Organization |
Description
This Transform returns the organization name to which the subject of the given certificate belongs. This information is extracted from the subject’s Distinguished Name in the certificate.
Use Case
If the certificate is issued to a subject whose Distinguished Name is: C=US,ST=California,L=San Bruno,O=Freshworks Inc,OU=Freshworks,CN=success.midaxo.com, the organization name is extracted from the substring O=Freshworks Inc as Freshworks Inc.
To Country
Transform Meta Info
Display Name | To Country |
Transform Name | ssl.CertToCountry |
Short Description | Returns the country of the certificate’s subject |
Data Source | |
Owner | Maltego Tech GmbH |
Author | dev@maltego.com |
Input Entity | X509Certificate |
Output Entity | Country |
Description
This Transform identifies and returns the name of the country of the subject to which the given certificate belongs. This information is extracted from the subject’s Distinguished Name in the certificate.
Example
If the certificate is issued to a subject whose Distinguished Name is: C=US,ST=California,L=San Bruno,O=Freshworks Inc,OU=Freshworks,CN=success.midaxo.com, the country is extracted from the substring C=US as US.
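The organization and country extraction described in the To Organization and To Country sections, as an added example that is not Maltego's implementation: a parser for the RFC 4514 string form of a Distinguished Name that keeps escaped commas inside a value, which a plain split on "," would truncate. The function names and the two DNs with an escaped comma are constructed for this example; whitespace around each type and value is trimmed.

```python
import string

HEX = set(string.hexdigits)

def split_dn(dn):
    """Split an RFC 4514-style DN string into (type, value) pairs.

    Separators (',' and '+') count only when they are not backslash-escaped.
    Whitespace around each type and value is trimmed.
    """
    parts, buf, i = [], bytearray(), 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and set(pair) <= HEX:
                buf.append(int(pair, 16))        # hex escape, e.g. \2C
                i += 3
            else:
                buf += dn[i + 1].encode()        # escaped character, e.g. \,
                i += 2
        elif ch in ",+":
            parts.append(buf.decode("utf-8", "replace"))
            buf = bytearray()
            i += 1
        else:
            buf += ch.encode()
            i += 1
    parts.append(buf.decode("utf-8", "replace"))
    pairs = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if sep:
            pairs.append((attr.strip().upper(), value.strip()))
    return pairs

def subject_field(dn, attr):
    """Return every value of one attribute type, e.g. 'O' or 'C'."""
    return [v for a, v in split_dn(dn) if a == attr.upper()]

# DN quoted on this page
PAGE_DN = ("C=US,ST=California,L=San Bruno,O=Freshworks Inc,"
           "OU=Freshworks,CN=success.midaxo.com")
# Constructed DNs with a comma inside the organization value
ESCAPED_DN = "C=US, O=Example\\, Inc., CN=www.example.com"
HEX_DN = "C=US, O=Example\\2C Inc., CN=www.example.com"

if __name__ == "__main__":
    for dn in (PAGE_DN, ESCAPED_DN, HEX_DN):
        print(subject_field(dn, "O"), subject_field(dn, "C"))
```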
To Valid From
Transform Meta Info
Display Name | To Valid From |
Transform Name | ssl.CertToValidFrom |
Short Description | Returns the date from which the certificate is valid |
Data Source | |
Owner | Maltego Tech GmbH |
Author | dev@maltego.com |
Input Entity | X509Certificate |
Output Entity | DateTime |
Description
This Transform returns the start date of the certificate’s validity.
To Valid Until
Transform Meta Info
Display Name | To Valid Until |
Transform Name | ssl.CertToValidUntil |
Short Description | Returns the date until which the certificate is valid |
Data Source | |
Owner | Maltego Tech GmbH |
Author | dev@maltego.com |
Input Entity | X509Certificate |
Output Entity | DateTime |
Description
This Transform returns the end date of the certificate’s validity.