Full Report
The Issuer field on a certificate is completely useless for telling you who actually operates the issuing CA. Many issuer names belong to defunct companies or to brands that were bought out by another certificate company; because certificates can be long-lived, or the acquirer wants to keep the brand, the name stays the same. Since this is annoying as hell, the author of the post wrote a tool to find the TRUE owner of a certificate: sslmate. It seems like a useful tool when you need to know more about your certificate issuer.
Analysis Summary
# Tool/Technique: SSLMate (Certificate Authority Identification)
## Overview
The "Issuer" field in an SSL/TLS certificate is frequently misleading due to white-labeling, branding persistence, and corporate acquisitions (M&A). SSLMate provides tools and research to identify the **true** Certificate Authority (CA) responsible for a certificate, regardless of the human-readable string in the issuer field. This is critical for incident response, such as revoking unauthorized certificates or validating Certificate Transparency (CT) logs.
## Technical Details
- **Type:** Analysis Tool / Attribution Technique
- **Platform:** Web-based / Cross-platform (Tooling)
- **Capabilities:** Mapping misleading issuer strings to the actual infrastructure-owning CA; CAA record validation.
- **First Seen:** Post published January 18, 2023.
## MITRE ATT&CK Mapping
- **[TA0007 - Discovery]**
- **[T1589.001 - Gather Victim Identity Information: Credentials]**: Identifying certificate owners and legitimate issuers to distinguish between authorized and rogue infrastructure.
- **[TA0042 - Resource Development]**
- **[T1588.004 - Obtain Capabilities: Digital Certificates]**: Understanding how threat actors might leverage white-labeled intermediates to mask the provenance of their infrastructure.
## Functionality
### Core Capabilities
- **CA Attribution:** Resolving "white-label" intermediate certificates (e.g., a "Cloudflare" intermediate actually operated by DigiCert) to the technical owner.
- **Historical Tracking:** Tracing defunct or acquired CA brands (e.g., Baltimore Technologies, GTE, Thawte) to their current parent organizations.
- **Contact Identification:** Enabling security researchers to find the correct entity for reporting compromised private keys and requesting revocations.
### Advanced Features
- **CAA Record Analysis:** Comparing DNS Certification Authority Authorization (CAA) records against the actual issuing CA to identify misconfigurations or unauthorized issuance.
- **Certificate Transparency (CT) Log Analysis:** Monitoring and alerting on certificates issued for specific domains to detect phishing or interception attempts.
## Indicators of Compromise
*Note: These are examples of misleading metadata discussed in the text that can be used to obfuscate certificate origins.*
- **Common Misleading Issuer Names:**
  - `Cloudflare, Inc.` (often DigiCert infrastructure)
  - `Baltimore CyberTrust` (defunct; now DigiCert infrastructure)
  - `Blue Coat` (historic white-label Symantec intermediate)
  - `Thawte` (historical brand; now DigiCert)
- **Network Indicators:**
  - `sslmate[.]com` (author's official site)
  - `digicert[.]com` (common backend CA for white-labels)
## Associated Threat Actors
- **General Use:** This tool is used by security researchers and defenders.
- **Abuse Potential:** While not a "threat actor tool," the concept of **White-label Intermediates** has historically caused concern (e.g., Blue Coat) regarding the potential for TLS interception by entities not traditionally recognized as CAs.
## Detection Methods
- **Manual Inspection:** Beyond the human-readable issuer string, analysts should inspect the full certificate chain and any cross-signatures.
- **AIA (Authority Information Access):** Check the URLs in the certificate's AIA extension to see where the intermediate certificate is actually hosted.
- **OCSP/CRL Endpoints:** Examine the revocation endpoints, which usually point to the infrastructure of the true CA.
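The three checks above can be automated. The following is an added example, not SSLMate's code: it takes a certificate in the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns (the `OCSP`, `caIssuers` and `crlDistributionPoints` keys carry the AIA and CRL URLs), derives the domain hosting those endpoints, and compares it with the branded issuer organisation. The `INFRA_OPERATORS` table and both sample certificates are constructed for the example; a real deployment would maintain a curated table and use the Public Suffix List instead of the naive two-label domain split.

```python
"""Attribute a certificate to the CA that actually operates its infrastructure.

Added example (not SSLMate's code). Input is a dict in the shape returned by
ssl.SSLSocket.getpeercert(): 'issuer' is a tuple of RDNs, and the AIA and CRL
extensions appear as the 'OCSP', 'caIssuers' and 'crlDistributionPoints'
tuples of URLs.
"""
from collections import Counter
from urllib.parse import urlsplit

# Illustrative table (assumption): registrable domain of the OCSP/AIA/CRL
# endpoints -> organisation operating them.
INFRA_OPERATORS = {
    "digicert.com": "DigiCert",
    "lencr.org": "Let's Encrypt",
}
ENDPOINT_KEYS = ("OCSP", "caIssuers", "crlDistributionPoints")


def registrable_domain(url):
    """Return the last two DNS labels of the URL's host.

    Deliberately naive: it mis-handles ccSLDs such as .co.uk; use the
    Public Suffix List in production code.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return ".".join(host.split(".")[-2:])


def issuer_org(cert):
    """Pull organizationName out of the getpeercert()-style issuer tuple."""
    for rdn in cert.get("issuer", ()):
        for attr, value in rdn:
            if attr == "organizationName":
                return value
    return ""


def attribute(cert):
    """Compare the issuer brand with the domain hosting its revocation data."""
    urls = [u for key in ENDPOINT_KEYS for u in cert.get(key, ())]
    brand = issuer_org(cert)
    if not urls:
        # Nothing to pivot on: report the brand only, attribution unknown.
        return {"brand": brand, "operator": None,
                "infra_domain": None, "white_label": None}
    infra_domain, _ = Counter(map(registrable_domain, urls)).most_common(1)[0]
    operator = INFRA_OPERATORS.get(infra_domain)
    # White-label: endpoints belong to a known operator whose name does not
    # appear anywhere in the branded issuer organisation.
    white_label = operator is not None and operator.lower() not in brand.lower()
    return {"brand": brand,
            "operator": operator or f"unknown ({infra_domain})",
            "infra_domain": infra_domain,
            "white_label": white_label}


# Constructed samples modelled on real intermediates; values are illustrative.
SAMPLE_WHITE_LABEL = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Cloudflare, Inc."),),
               (("commonName", "Cloudflare Inc ECC CA-3"),)),
    "OCSP": ("http://ocsp.digicert.com",),
    "caIssuers": ("http://cacerts.digicert.com/CloudflareIncECCCA-3.crt",),
    "crlDistributionPoints": ("http://crl3.digicert.com/CloudflareIncECCCA-3.crl",),
}
SAMPLE_DIRECT = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
    "OCSP": ("http://r3.o.lencr.org",),
    "caIssuers": ("http://r3.i.lencr.org/",),
}

if __name__ == "__main__":
    for sample in (SAMPLE_WHITE_LABEL, SAMPLE_DIRECT):
        print(attribute(sample))
```

On a live host, `ssl.create_default_context().wrap_socket(...)` followed by `getpeercert()` yields a dict of the same shape; the first sample then reports a DigiCert-operated white-label intermediate behind a "Cloudflare, Inc." brand, which is exactly the contact you need for a revocation request.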
## Mitigation Strategies
- **Implement CAA Records:** Use DNS `CAA` records to strictly define which CAs are authorized to issue certificates for your domain (e.g., `example.com. CAA 0 issue "digicert.com"`), using the CAA identifier the operating CA recognizes rather than a reseller brand.
- **CT Log Monitoring:** Utilize Certificate Transparency monitoring services to get alerts when any certificate is issued for your domains.
- **Key Revocation Procedures:** Ensure incident response plans include the specific contact details for the **True Root CA**, not just the reseller or brand name on the certificate.
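The CAA comparison described under "Advanced Features" and the CAA mitigation above come down to evaluating records the way RFC 8659 tells an issuing CA to. The following added example (not SSLMate's code, standard library only) implements that evaluation: climbing the name tree to the relevant RRset, honouring `issuewild` for wildcard names, treating an empty `issue ";"` as "no CA", refusing on unknown critical tags, and then filtering a list of observed (domain, CA) pairs, such as one pulled from a CT log feed, down to the issuances CAA did not permit. `SAMPLE_ZONE`, `OBSERVED` and the `experimental-tag` record are constructed; the `ca_domain` argument is the CAA identifier the operating CA publishes (e.g. `digicert.com`), not the brand string on the issuer.

```python
"""Evaluate DNS CAA records the way an issuing CA must (RFC 8659 section 4).

Added example, not SSLMate's code. The zone is a constructed dict mapping a
DNS name to its CAA records as (flags, tag, value) triples.
"""

KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 128  # issuer-critical flag bit


def relevant_rrset(zone, fqdn):
    """Climb from the name towards the root until CAA records are found.

    For a wildcard name the search starts at the name with "*." removed.
    """
    name = fqdn[2:] if fqdn.startswith("*.") else fqdn
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return zone[candidate]
    return []


def _authorizes(value, ca_domain):
    """An issue/issuewild value is "<issuer-domain>[; params]"; an empty
    issuer-domain (";") authorizes no CA at all."""
    issuer_domain = value.split(";", 1)[0].strip().lower()
    return issuer_domain != "" and issuer_domain == ca_domain.lower()


def caa_permits(zone, fqdn, ca_domain):
    """True if a CA identified by ca_domain may issue for fqdn."""
    rrset = relevant_rrset(zone, fqdn)
    # A critical record with a tag the CA does not understand forbids issuance.
    if any(flags & CRITICAL and tag.lower() not in KNOWN_TAGS
           for flags, tag, _ in rrset):
        return False
    issue = [v for _, t, v in rrset if t.lower() == "issue"]
    issuewild = [v for _, t, v in rrset if t.lower() == "issuewild"]
    if fqdn.startswith("*.") and issuewild:
        return any(_authorizes(v, ca_domain) for v in issuewild)
    if issue:
        return any(_authorizes(v, ca_domain) for v in issue)
    return True  # no issue properties: CAA imposes no restriction


def unauthorized_issuances(zone, observed):
    """Return the (fqdn, ca_domain) pairs CAA did not permit; each one is a
    misconfiguration or an unauthorized issuance to triage."""
    return [(f, c) for f, c in observed if not caa_permits(zone, f, c)]


# Constructed sample zone and observations (e.g. from a CT log feed).
SAMPLE_ZONE = {
    "example.com": [
        (0, "issue", "digicert.com"),
        (0, "issuewild", ";"),  # no wildcard certificates from any CA
        (0, "iodef", "mailto:security@example.com"),
    ],
    "legacy.example.com": [(128, "experimental-tag", "x")],  # unknown, critical
}
OBSERVED = [
    ("www.example.com", "digicert.com"),
    ("www.example.com", "letsencrypt.org"),
    ("*.example.com", "digicert.com"),
    ("www.example.org", "letsencrypt.org"),
    ("legacy.example.com", "digicert.com"),
]

if __name__ == "__main__":
    for pair in unauthorized_issuances(SAMPLE_ZONE, OBSERVED):
        print("CAA violation:", pair)
```

A CAA match against the brand name is meaningless if the brand is a white-label; feed this check the identifier of the CA that actually issued, and keep a zone snapshot from the time of issuance, since CAA is evaluated at issuance rather than against today's records.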
## Related Tools/Techniques
- **crt.sh:** A popular Certificate Transparency log search engine.
- **Whoarethey:** A related tool by the same author for SSH server identification.
- **Censys / Shodan:** Platforms used to pivot on certificate metadata and SHA-256 fingerprints.