An expiring SSL certificate on test.com, such as one from Google Trust Services set to lapse on 2025-09-03, often slips past renewal checks amid rapid infrastructure changes. Is it a minor glitch, or an open window for MITM attacks and service outages? Siloed cert trackers across CAs and CDNs fragment oversight, leaving blind spots in your TLS posture.
The Certificates view lists all SSL/TLS certificates associated with a domain or its IP addresses, highlighting expirations, issuers, and statuses in Total View. It surfaces risks via urgency cards (e.g., zero due in 24 hours) and issuer distributions, while the details table breaks down fingerprints, validity windows, and scan contexts, arming teams to harden Encryption before exploits hit.
This view leverages Silent Push's web scanning and passive DNS pulls, complementing Web Search for content ties and Threat Feeds for correlated alerts on weak certs.
Lapsed or misissued certificates enable eavesdropping, spoofing, or compliance failures, as in breaches where unmonitored expirations exposed e-commerce flows. The Certificates view flags concentrations and timelines, enabling SOCs to proactively triage renewals, a vital function for stretched teams auditing six or more certificates across multiple IP addresses. It identifies anomalies, such as revoked entries indicating compromise, which helps streamline hygiene and vendor risk assessments in defender routines.
Teams link findings to broader hunts, such as expiring certs that align with Threat Feeds spikes, which are essential for PCI-DSS audits or zero-trust rollouts.
How It Works
Silent Push's aggregation engine scans live IPs and historical data for certificate chains, compiling inventories without third-party dependencies. Urgency cards are filtered by horizon (24h/30d); the issuers’ graph visualizes diversity; the table is sorted by status (e.g., two active, four expired).
Interconnections: A Google-issued certificate might redirect Web Search queries, while feeding Threat Feeds for exploit intelligence on vulnerable issuers.
Filters and Compare drill down into the data: for example, clicking the 30-day card isolates that lone at-risk entry, ensuring gap-free TLS visibility.
Generate a Set of Results
Input a domain (e.g., test.com) in the search bar to open Total View, then click Certificates.
Example
Query test.com in Certificates: The "Due to Expire" status shows 0 in 24 hours (red) and 1 in 30 days (orange), with the issuers’ graph peaking at 4 for Google Trust Services, out of 6 total. Total Results: 6 (2 Active, 4 Expired).
The table highlights an expired entry, tied to a potential outage vector:
SHA256: 12:7b:43:30:ef:f0:a6:f6...
Issuer: Google Trust Services
Not Before: 2025-05-04 11:30:32
Not After: 2025-08-12 19:59:52
IPs Scanned On: 2
Status: Expired
Another entry, still active, flags ongoing coverage:
SHA256: ed:55:5b:ec:88:40:c1:9...
Not After: 2025-11-28 21:48:03
Hover over the graph bar for notes: the description warns that mono-reliance on Google risks CA outages.
Fields
ssl.SHA256: The unique SHA-256 fingerprint (e.g., 12:7b:43:30:ef:f0:a6:f6...), for verifying cert integrity against known goods or revocations.
ssl.issuer.organization: The issuing entity (e.g., Google Trust Services), with graphs revealing over-reliance that could cascade failures.
ssl.not.before: Validity start (e.g., 2025-05-04 11:30:32), anchoring issuance timelines for anomaly hunts.
ssl.not.after: Expiration date (e.g., 2025-08-12 19:59:52), fueling urgency filters—post-2025-10-13 views flag overdue ones as high-risk.
IPs Scanned On: Detection contexts (e.g., 2 IPs like 203.0.113.5), linking certs to live hosts for pivotable enrichment.
Status: Lifecycle state (e.g., Active, Expired, Revoked), color-coded for triage—e.g., Expired in red prompts immediate renewals.
Certificates View
The details table logs all certificates, including expandable attributes for forensic purposes. For bare domains like example.io, it may yield sparse results, with fewer than 3 entries.
It includes fingerprints (e.g., truncated hashes), full issuer chains, validity spans, and IP ties. Expand for diffs: Active windows in green, expired gaps in red. Hover rows for expanded info: Chain depths, revocation checks, and pivot links to Web Scanner or external CRLs.
Use Case
Audit issuer diversity: Google-heavy setups, for example, are vulnerable to targeted CA disruptions in phishing campaigns.
Certificate Results
This view enables bulk ops via Select All (e.g., Copy for ticketing), Choose Field Names for custom views, and Download CSVs for CA reports. Toggle Basic Raw Data for unparsed fields like raw subjects, use Compare to diff issuances across IPs, or Save To feeds/drafts for expiration monitoring.
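Once the table is exported with Download CSVs, the urgency cards and the issuer graph can be recomputed offline for a renewal queue; this is an added example, not Silent Push code. It assumes the CSV columns carry the field names listed under Fields; the sample rows, `NOW`, the mutually exclusive buckets and the 50% dominance threshold are constructed for illustration.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"  # layout shown in the table; no zone given, UTC assumed
NOW = datetime(2025, 8, 20, 12, 0, 0)  # constructed "current time" for the sample
# Constructed sample shaped like a CSV export; column names assumed, values made up.
SAMPLE_CSV = """\
ssl.SHA256,ssl.issuer.organization,ssl.not.before,ssl.not.after
00:00:00:01,Google Trust Services,2025-05-04 11:30:32,2025-08-12 19:59:52
00:00:00:02,Google Trust Services,2025-02-01 00:00:00,2025-05-02 00:00:00
00:00:00:03,Example CA One,2024-06-01 00:00:00,2025-06-01 00:00:00
00:00:00:04,Example CA Two,2024-07-01 00:00:00,2025-07-01 00:00:00
00:00:00:05,Google Trust Services,2025-06-05 00:00:00,2025-09-03 00:00:00
00:00:00:06,Google Trust Services,2025-08-01 00:00:00,2025-11-28 21:48:03
"""

def load(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:  # attach parsed validity bounds to each row
        r["nb"] = datetime.strptime(r["ssl.not.before"], FMT)
        r["na"] = datetime.strptime(r["ssl.not.after"], FMT)
    return rows

def triage(rows, now=NOW):
    """Bucket fingerprints by time left; buckets are exclusive (an assumption)."""
    out = {"expired": [], "not_yet_valid": [], "in_24h": [], "in_30d": [], "ok": []}
    for r in rows:
        left = r["na"] - now
        if left <= timedelta(0):
            key = "expired"
        elif r["nb"] > now:
            key = "not_yet_valid"  # issued for a future window; not an urgency item
        elif left <= timedelta(hours=24):
            key = "in_24h"
        elif left <= timedelta(days=30):
            key = "in_30d"
        else:
            key = "ok"
        out[key].append(r["ssl.SHA256"])
    return out

def dominant_issuers(rows, threshold=0.5):
    """Issuers holding more than `threshold` of all certificates seen."""
    counts = Counter(r["ssl.issuer.organization"] for r in rows)
    return [name for name, n in counts.items() if n / len(rows) > threshold]

print(triage(load(SAMPLE_CSV)), dominant_issuers(load(SAMPLE_CSV)))
```

The sample is built to reproduce the counts in the Example section: four expired, none due in 24 hours, one due in 30 days, and Google Trust Services on four of six certificates.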
Tips
Triage expirations: First, open the In 24 Hours card for fire-drill priorities, then expand to 30 Days for queued renewals.
Scrutinize graphs: Scan issuer bars for red flags, such as single-vendor dominance, and cross-check with Threat Feeds for compromised CAs.
Layer intel: Pair with Web Search to trace active certificates to suspicious redirects.