Certificates
Certificates are an important part of Internet traffic encryption because they can verify the identities of the services that are communicating with each other. Censys collects certificates in a repository for searching and viewing.
The Censys certificates dataset is the most exhaustive collection of X.509 documents in existence. It contains over 15 billion records and grows daily as new certificates are identified on the public Internet.
Each Censys certificate record contains:
- Data parsed from the certificate using ZCrypto, an open-source cryptographic library written in Go.
- Trust information from major root stores such as Apple, Google Chrome, Microsoft, and Mozilla NSS.
- Submission information from Certificate Transparency (CT) logs. Learn more about Certificate Transparency and its effect on the Censys certificates repository.
- Lint results describing non-conformance to the X.509 standard using the ZLint library.
- Data about Censys collection and observation during scan.
Certificate collection
Certificates are collected using two methods:
- Syncing with a number of CT logs.
- Observing a certificate presented as part of a TLS handshake during a Censys scan of the public Internet (over any protocol).
Parsed certificate data
The contents of a certificate are immutable and cannot be changed after the certificate is generated.
Note
A complete list of all data fields for certificates is available on the data definitions page in the Legacy Search web app.
Censys parses the contents of each certificate and provides them as searchable fields in an object called `parsed`.
Parsed Fields from a Certificate. This is not an exhaustive list. See all fields here.
- Issuer DN: Information about the certificate authority that issued the certificate.
- Subject DN: Information about the entity that was issued the certificate.
- Extensions: Additional fields that extend the X.509 spec.
- Validity Period: The dates from which and to which the certificate can be used.
- Serial Number: The issuer-specific identifier of the certificate.
- Public Key: The public key of the key pair that is associated with the certificate.
- Signature Algorithm: The algorithm used to sign the certificate.
- Signature Value: Bit string containing the digital signature.
Other certificate data
Other data about the certificate and the collection process also appear in a Censys certificate record, such as:
- Trust and validation (`validation`): Information about the status of the certificate's trust by modern web browsers.
- Certificate transparency (`ct`): Information about submissions to CT logs.
- ZLint (`zlint`): Whether the certificate's attributes triggered any lints for non-conformance to the X.509 standard.
- Seen in Scan (`ever_seen_in_scan`): Whether the certificate has ever been seen during a Censys scan of the Internet. This is a one-way boolean: once `true`, it remains that way.
Certificate trust and validation
Trust chains are an important part of certificate usage. For a certificate to be trusted, the certificate must chain up, through a series of signing certificates, to a root certificate that is present in a major root trust store.
Censys indexes certificate trust information for each root store in a record called `validation`.
Certificate validation fields for each root store
- Valid (`is_valid`): A boolean value for whether the certificate is trusted by the browser using the root store.
- Ever Valid (`ever_valid`): A boolean value for whether the browser trusted an expired certificate before it expired.
- Parents (`parents`): A list of the fingerprints of the intermediary and root certificates in the chain.
- Chain (`chains`): A representation of the chain(s) of signing certificates up to the root.
- Had Trusted Path (`had_trusted_path`): A boolean value for whether the browser trusted the chain.
- In Revocation Set (`in_revocation_set`): Whether the certificate is included in the browser's list of certs whose trust has been revoked before their expiration.
Censys regularly validates unexpired certificates. Values of validation fields and related labels are accurate as of the `validated_at` timestamp in the certificate record.
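To make the `parsed` fields listed above and the `validation` fields concrete, here is an added Go example (not Censys or ZCrypto code) that uses the standard library's crypto/x509 package, of which ZCrypto is a fork, to extract a few of the parsed fields from a DER certificate and to compute `is_valid` and `parents` against a root store at a given time. The `Record` struct, the `BuildRecord` and `MakeChain` functions, and the constructed root and leaf certificates are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"math/big"
	"time"
)

// Record holds a subset of what a Censys certificate record exposes: some "parsed"
// fields plus the "validation" fields is_valid and parents. The struct is an assumption.
type Record struct {
	FingerprintSHA256, IssuerDN, SubjectDN, SerialNumber, SignatureAlgorithm string
	NotBefore, NotAfter                                                      time.Time
	IsValid                                                                  bool     // chains to a store root at check time
	Parents                                                                  []string // SHA-256 fingerprints of the chain above the leaf
}
func fingerprint(der []byte) string { s := sha256.Sum256(der); return hex.EncodeToString(s[:]) }
// BuildRecord parses a DER certificate and validates it against the root store at time now.
func BuildRecord(der []byte, roots *x509.CertPool, now time.Time) (Record, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil { return Record{}, err }
	r := Record{FingerprintSHA256: fingerprint(der), IssuerDN: cert.Issuer.String(), SubjectDN: cert.Subject.String(),
		SerialNumber: cert.SerialNumber.String(), SignatureAlgorithm: cert.SignatureAlgorithm.String(), NotBefore: cert.NotBefore, NotAfter: cert.NotAfter}
	chains, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return r, nil // no trusted path, or outside the validity period: is_valid stays false
	}
	r.IsValid = true
	// chains[0][0] is the leaf itself; everything above it becomes "parents".
	for _, parent := range chains[0][1:] { r.Parents = append(r.Parents, fingerprint(parent.Raw)) }
	return r, nil
}
// MakeChain builds a constructed root CA and a three-month leaf it signs (not real certificates);
// errors are ignored because the templates are fixed and known to be valid.
func MakeChain(notBefore time.Time) (rootDER, leafDER []byte) {
	rootPub, rootKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	root := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"}, NotBefore: notBefore,
		NotAfter: notBefore.AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	rootDER, _ = x509.CreateCertificate(rand.Reader, root, root, rootPub, rootKey)
	rootCert, _ := x509.ParseCertificate(rootDER)
	leaf := &x509.Certificate{SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "www.example.com"},
		DNSNames: []string{"www.example.com"}, NotBefore: notBefore, NotAfter: notBefore.AddDate(0, 3, 0)}
	leafDER, _ = x509.CreateCertificate(rand.Reader, leaf, rootCert, leafPub, rootKey)
	return rootDER, leafDER
}
```

Running `BuildRecord` on the same leaf at a time after its `NotAfter` yields `IsValid == false` with no parents, which is the distinction the page draws between `is_valid` and `ever_valid`.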
ZLint
Censys uses the open-source ZLint tool to lint each certificate in its collection for conformance to X.509 standards.
Lack of conformity to a specification can result in the following types of triggered lints:
- Notice
- Warning
- Error
- Fatal