
Using Certificate-Transparency to grab a list of all hostnames a CA has issued certificates for

Certificate Transparency is an approach to improve the security of CAs issuing X.509 certificates by running a public audit log of all issued certificates. Before a CA issues a certificate, the tbsCertificate structure (effectively the whole certificate without the signature) is submitted to a Certificate Transparency log server. Should a CA issue a fraudulent certificate, whether willingly or because it was compromised, one of two things holds: either the certificate is immediately visible in the audit log, where an independent third party can spot it before it causes damage, or a certificate observed in the wild that is missing from the log is direct proof that the CA has been compromised.

How to get the hostnames from the log

Since the CT API does not offer a single command that returns all the names a CA has issued certificates for, I wrote a spider in Python. The tool is available on GitHub. To download and run it, type:

git clone https://github.com/eriktews/certificate-transparency-tools.git
cd certificate-transparency-tools
mkdir out
python download_all_certs.py https://ct1.digicert-ct.com/log out/digicert-
find out/ -name "digicert*precert*" | xargs -n 8000 python get_precert_cn.py | sort -u > all-digicert-pre-certificate-names-sorted.txt

The result should be a sorted list of all hostnames (including wildcard names) DigiCert has ever issued a certificate for.
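As an added example that is not part of the original post or of the tools on GitHub, the following stand-alone Python does the core of what such a spider has to do with one entry of a get-entries response: it unpacks the RFC 6962 MerkleTreeLeaf, skips the issuer_key_hash that a precert entry carries in front of the TBSCertificate, and walks the DER for the dNSName values of the subjectAltName extension (the post's script reads the CN; SANs are collected here because they hold every hostname the certificate is valid for). The sample entry is constructed inline and is not a real log entry; all function and variable names are my own.

```python
import base64
import struct

SAN_OID = b"\x55\x1d\x11"  # id-ce-subjectAltName (2.5.29.17), DER-encoded OID body

def der_tlv(data, pos=0):
    """Decode one DER element at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def der_children(value):
    """Yield (tag, value) for each element packed inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = der_tlv(value, pos)
        yield tag, inner

def san_dns_names(der):
    """Walk a DER certificate or TBSCertificate and collect its dNSName SAN entries."""
    found = []
    def walk(value):
        for tag, inner in der_children(value):
            kids = list(der_children(inner)) if tag == 0x30 else []
            if kids and kids[0] == (0x06, SAN_OID):  # Extension { OID, [critical], OCTET STRING }
                _, general_names, _ = der_tlv(kids[-1][1])  # OCTET STRING wraps SEQUENCE OF GeneralName
                found.extend(n.decode("ascii") for t, n in der_children(general_names) if t == 0x82)
            elif tag & 0x20:  # any other constructed element: descend into it
                walk(inner)
    walk(der)
    return found

def parse_leaf(leaf_input_b64):
    """Unpack an RFC 6962 MerkleTreeLeaf; return (entry_type, DER of the cert or precert TBS)."""
    raw = base64.b64decode(leaf_input_b64)
    entry_type = struct.unpack(">H", raw[10:12])[0]  # after version(1), leaf_type(1), timestamp(8)
    pos = 12 + (32 if entry_type == 1 else 0)  # precert_entry carries issuer_key_hash before the TBS
    length = int.from_bytes(raw[pos:pos + 3], "big")  # 24-bit length prefix
    return entry_type, raw[pos + 3:pos + 3 + length]

def hostnames_from_entries(entries):
    """The sort -u step: unique names across the entries of one get-entries response."""
    return sorted({n for e in entries for n in san_dns_names(parse_leaf(e["leaf_input"])[1])})

# Constructed sample (not a real log entry): a minimal TBS holding only a SAN extension, as a precert_entry leaf.
_der = lambda tag, content: bytes([tag, len(content)]) + content  # short-form lengths suffice here
_san = _der(0x30, _der(0x06, SAN_OID) + _der(0x04, _der(0x30, _der(0x82, b"example.com") + _der(0x82, b"*.example.com"))))
_tbs = _der(0x30, _der(0xA3, _der(0x30, _san)))  # extensions [3] EXPLICIT SEQUENCE OF Extension
_leaf = b"\x00\x00" + struct.pack(">QH", 1500000000000, 1) + b"\x11" * 32 + len(_tbs).to_bytes(3, "big") + _tbs + b"\x00\x00"
SAMPLE_ENTRIES = [{"leaf_input": base64.b64encode(_leaf).decode(), "extra_data": ""}]
```

Against a real log, `SAMPLE_ENTRIES` would be the `entries` array of a get-entries response; the walker also works on the full DER certificate of an x509_entry, since it only follows constructed elements until it reaches the SAN extension.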

Future work

So far, no special verification of the data supplied by the DigiCert server is done. Feel free to submit patches on GitHub to improve this code. Also feel free to play with the data and spot any hostnames in the result that look suspicious to you.