Blog

Welcome to the Hardenize blog. This is where we will document our journey as we make the Internet a more secure place and have some fun and excitement along the way.

27 Feb 2018

Certificate Transparency Database

by Ivan Ristić

For our next key feature, we're happy to announce a database of all public certificates recorded in Certificate Transparency logs. It's another step we're making toward building the best certificate inventory and CT monitoring tool on the market. With the database seamlessly integrated with our product, our customers can now start with only a handful of domain names and have all their certificates in their accounts within seconds. This new database complements our existing real-time CT monitoring features (read about them in our earlier blog post).

As an illustration, take a look at the screenshot below, which shows the certificate status of our demo account. Starting with our domain names, Hardenize went on to search the database of all Certificate Transparency certificates and imported a total of 801 certificates, 121 still valid and 680 that have expired. (We normally don't import expired certificates, but on this occasion we were curious what was out there for our domain names.)

On the left you can see that we use different colours to differentiate between active certificates and those that have been replaced. Certificates that are no longer being seen on the network will be hidden after a couple of days, but there is a filtering option that enables you to bring them back if you wish.

A very nice thing about this database is that we perform exact, wildcard, and prefix matching, which means that we not only import directly-matching certificates, but also discover active subdomains that haven't been configured yet. For the time being we're leaving the newly discovered assets idle, but we'll soon expose a UI that will enable our customers to customise this behaviour. This means that, with auto-monitoring enabled, we will seamlessly discover new hostnames, certificates, and servers and provide immediate feedback about their configuration. Using this feature, our demo account grew from several initial domain names to a total of 390 hostnames.
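To make the matching rules concrete, here is an added example (our own illustration, not Hardenize's implementation) of how a CT monitor can match certificate names against a set of owned domains using exact, wildcard and prefix (label-wise subdomain) matching, skip expired certificates unless asked otherwise, and collect the hostnames the matching certificates reveal. The certificate records, serials and dates are constructed sample data.

```python
from typing import List, Optional, Set, Tuple

def classify(name: str, owned: Set[str]) -> Optional[str]:
    """How a certificate name relates to the owned domains, or None.

    'exact'     : the name is one of the owned domains
    'wildcard'  : the name is *.<something under an owned domain>
    'subdomain' : the name is a hostname below an owned domain (prefix match)
    """
    name = name.lower().rstrip(".")
    if name in owned:
        return "exact"
    is_wildcard = name.startswith("*.")
    base = name[2:] if is_wildcard else name
    # Walk up whole DNS labels: www.dev.example.com -> dev.example.com -> example.com.
    # Matching on labels (not substrings) keeps notexample.com from matching example.com.
    labels = base.split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in owned:
            return "wildcard" if is_wildcard else "subdomain"
    return None

def import_certificates(owned: Set[str], certs: List[dict], today: str,
                        include_expired: bool = False) -> Tuple[List[str], List[str]]:
    """Return (serials of matching certificates, newly discovered hostnames)."""
    owned = {d.lower() for d in owned}
    matched, discovered = [], set()
    for cert in certs:
        if not include_expired and cert["not_after"] < today:  # ISO dates compare as strings
            continue
        hits = {san: classify(san, owned) for san in cert["sans"]}
        hits = {san: kind for san, kind in hits.items() if kind}
        if not hits:
            continue
        matched.append(cert["serial"])
        # A wildcard name does not identify a concrete host; exact/subdomain names do.
        discovered.update(san for san, kind in hits.items() if kind != "wildcard")
    return matched, sorted(discovered - owned)

# Constructed sample CT log entries (hypothetical serials and dates, not real certificates).
SAMPLE_CERTS = [
    {"serial": "01", "not_after": "2019-01-01", "sans": ["example.com", "www.example.com"]},
    {"serial": "02", "not_after": "2017-06-01", "sans": ["*.dev.example.com", "api.dev.example.com"]},
    {"serial": "03", "not_after": "2019-01-01", "sans": ["notexample.com", "example.com.evil.test"]},
]

if __name__ == "__main__":
    print(import_certificates({"example.com"}, SAMPLE_CERTS, "2018-02-27"))
    print(import_certificates({"example.com"}, SAMPLE_CERTS, "2018-02-27", include_expired=True))
```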

At the time of writing, our database contains about 310m publicly-trusted certificates, of which about 79m remain valid. We're also seeing over 500 roots in total, as well as about 9k intermediate certificates.

Certificate and asset import is now enabled for all our early customers. As we discover new hosts we inspect the certificate database and import all matching assets. It feels like magic the first time you see it in action.