I would like to search for server certificates that have been issued in the past for a website, but how can I find out what they are?
Objective
A crt.sh is a site where you can search for a server certificate issued by a trusted certificate authority. It is operated by Sectigo.
When searching, search by crt.sh (Certificate Search).
You can find the browser-trusted CA certificate here.
Basic search methods
1. Access the crt.sh.
To search for an issued certificate, enter the CN of the subject DN (DN: Distinguished Name) and click “Search” to search.
Advanced search methods
1. Access “crt.sh” and click “Advanced…”.
2. If you want to search by advanced conditions, click “Advanced…” on the above screen. The screen after clicking “Advanced…” is as follows.
3. Detailed search method
Describes some items.
CERTIFICATE
| Select search type: | Usage |
|---|---|
| crt sh ID | In crt.sh, all certificates are given a crt sh ID, so if you know the number, you can search for it. Example: “6770577750” |
| Serial Number | You can search by serial number. You can enter hexadecimal colon-separated serial numbers as they are. |
| Subject Key Identifier | Search by subject key identifier. |
IDENTITY
| Select search type: | Usage |
|---|---|
| commonName(Subject) | Search by commonName. Example: “world-tls.com” |
| organizationalUnitName(Subject) | Search by organizationalUnitName. |
| organizationalName(Subject) | Search by organizationalName. Only OV/EV certificates are eligible. Example: “SECOM Trust Systems CO., LTD” |
| dNSName(SAN) | Search in dNSName. Example: “world-tls.com” |
CA
| Select search type: | Usage |
|---|---|
| ID | Search by CA ID, assigned in the crt.sh. |
| Name | Search by CA name. Example: “%SECOM Passport for Web EV 2.0 CA%” |
4. When the search results are displayed,
select the subject DN of the certificate authority displayed in “CAs”.
5. Certificate authority information is displayed.
| The project name | content |
|---|---|
| Issued Certificates | You can check the number of certificates issued. |
| Unexpired | The number of valid certificates. |
| Expired | The number of expired certificates. |
| Certificates | The certificate authority sends a pre-certificate to the CT Log Server to obtain the SCT from the CT Log Server, but the certificate that obtains the SCT and the SCT is embedded. In the Summary item of the certificate display screen, Leaf certificate is displayed. See RFC6962. |
| Precertificates | A certificate that a certificate authority sends to the CT Log Server to obtain an SCT from the CT Log Server. A certificate without an embedded SCT, also called a pre-certificate. See RFC6962. |
| Enter search term: | If you enter %, it becomes a condition that all certificates can be displayed. |
| Search options | 「Exclude expired certificates?」 If checked, only valid certificates can be displayed. |
| Search | Start a search. |
6. Screen for listing certificates. If it is “%”, it will be a total search.
Screen that filters dNSName by %www.secomtrust.net%.
7.crt.sh The screen where you clicked on the ID.
Revocation
| The project name | content |
|---|---|
| OCSP Check | View the response results from the OCSP responder. |
Certificate Fingerprints
| The project name | content |
|---|---|
| SHA-256 | Certificate display in Censys (separate site). |
Certificate
| The project name | content |
|---|---|
| Run cablint | Inspect compliance with Baseline Requirements. |
| Run x509lint | Tested for X.509 compliance. |
| Run zlint | Inspection with a certificate checking tool created by The ZMap team. |
| Certificate | Certificate download. |
| Serial Number | Searched for the same serial number. If both Leaf certificate and Precertificate are registered, two sheets are displayed. |
| Issuer | View the issuer (certificate authority) of this certificate. |
