Passive SSL

CIRCL Passive SSL is a database of historical X.509 certificates, recording which certificates were seen on which IP address. The data is indexed per IP address, so incident handlers, security analysts and researchers can search it by address or block and pivot from an address to its certificates, or from a certificate to the addresses that served it.

How do you collect the SSL certificates?

The CIRCL Passive SSL database uses public scanning datasets like the excellent scans.io project.

Passive SSL was presented at FIRST 2015 in Berlin; the presentation gives more background on the collection and the data model.

How to use the service?

CIRCL Passive SSL is accessible via a REST API; responses are returned in JSON format.

The REST API exposes three endpoints:

query: look up an IP address or a CIDR block (/32 up to /23) and get, per address, the certificates seen on it.
cquery: look up a certificate by its SHA1 fingerprint and get the IP addresses on which it was seen.
cfetch: fetch a certificate from the Passive SSL store by its SHA1 fingerprint, together with its parsed fields.

https://www.circl.lu/v2pssl/query/<CIDR block>
https://www.circl.lu/v2pssl/cquery/<SHA1 certificate fingerprint>
https://www.circl.lu/v2pssl/cfetch/<SHA1 certificate fingerprint>

Query values can be single IP addresses or CIDR blocks from /32 up to /23, for example a /28:

https://www.circl.lu/v2pssl/query/172.228.24.0/28

and a sample JSON output:

{
  "172.228.24.7": {
    "certificates": [
      "37221925980c05deefac014f9a72b4765e716341",
      "3209cc3ce4f1c22ab64b2e4284100b0022ad2739",
      "4d34ea92764b3a3149119952f41930ca11348361",
      "6ad2b04e2196e48bf685752890e811cd2ed60606",
      "c43b30bf08bfb0b92c070f42f51b6980c8ada064",
      "30d1fd4a296ab1a8831cd56b4110a227f557bfff",
      "79068f16776372aa6b12b83dd2b7288298727f54"
    ],
    "subjects": {
      "37221925980c05deefac014f9a72b4765e716341": {"values": ["C=JP, ST=Tokyo, L=Minato-ku, O=Sony corporation, OU=NPS, CN=psn-rsc.prod.dl.playstation.net"]},
      "3209cc3ce4f1c22ab64b2e4284100b0022ad2739": {"values": ["C=NL, L=Amsterdam, O=Verizon Enterprise Solutions, OU=Cybertrust, CN=Verizon Akamai SureServer CA G14-SHA1"]},
      "4d34ea92764b3a3149119952f41930ca11348361": {"values": ["C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root"]},
      "c43b30bf08bfb0b92c070f42f51b6980c8ada064": {"values": ["C=CY, ST=Cyprus, L=Limassol, O=Blue Capital Markets Limited, OU=IT, CN=www.easy-forex.com"]},
      "6ad2b04e2196e48bf685752890e811cd2ed60606": {"values": ["C=NL, L=Amsterdam, O=Verizon Enterprise Solutions, OU=Cybertrust, CN=Verizon Akamai SureServer CA G14-SHA2"]},
      "30d1fd4a296ab1a8831cd56b4110a227f557bfff": {"values": ["O=Cybertrust Inc, CN=Cybertrust Public SureServer SV CA"]},
      "79068f16776372aa6b12b83dd2b7288298727f54": {"values": ["C=CY, ST=Cyprus, L=Limassol, O=Easy Forex, OU=IT, CN=www.easy-forex.com"]}
    }
  },
  "172.228.24.8": {
    "certificates": [
      "4ab70b97decd784aa60395a351daf4274fd37fca",
      "e3fc0ad84f2f5a83ed6f86f567f8b14b40dcbf12",
      "c46fed822dadac3f31f9bb4d1a78a1d9eae4567b",
      "4d34ea92764b3a3149119952f41930ca11348361",
      "30d1fd4a296ab1a8831cd56b4110a227f557bfff",
      "32f30882622b87cf8856c63db873df0853b4dd27"
    ],
    "subjects": {
      "4ab70b97decd784aa60395a351daf4274fd37fca": {"values": ["C=US, ST=MARYLAND, L=Hanover, O=Allegis Group Inc, OU=IT, CN=*.apac.allegisgroup.com"]},
      "e3fc0ad84f2f5a83ed6f86f567f8b14b40dcbf12": {"values": ["C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 EV SSL CA - G3"]},
      "c46fed822dadac3f31f9bb4d1a78a1d9eae4567b": {"values": ["1.3.6.1.4.1.311.60.2.1.3=AU/businessCategory=Private Organization/serialNumber=85 092 445 442, C=AU/postalCode=1230, ST=NSW, L=Sydney/street=680 George Street, O=HotelClub Pty. Ltd., OU=Engineering, CN=www.hotelclub.cn"]},
      "4d34ea92764b3a3149119952f41930ca11348361": {"values": ["C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root"]},
      "30d1fd4a296ab1a8831cd56b4110a227f557bfff": {"values": ["O=Cybertrust Inc, CN=Cybertrust Public SureServer SV CA"]},
      "32f30882622b87cf8856c63db873df0853b4dd27": {"values": ["C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5"]}
    }
  },
  "172.228.24.9": {
    "certificates": [
      "780a06f6e9b4061cad0c6502710606eb535f1c26",
      "08ff9ecb28facd74dd125ded44f4e0dd6707f902",
      "2ea71c367d178c843fd21db4fdb630ba54a20dc5",
      "d10050dad40f850c2f84c215929e344ff8c9c552"
    ],
    "subjects": {
      "780a06f6e9b4061cad0c6502710606eb535f1c26": {"values": ["C=US, O=GeoTrust, Inc., CN=GeoTrust SSL CA"]},
      "08ff9ecb28facd74dd125ded44f4e0dd6707f902": {"values": ["serialNumber=Dyi4QNdi9bHxOhWakExUXmDdd09Ny/kj, C=US, ST=Texas, L=Dallas, O=FareCompare, LP, OU=Information Technology, CN=www.farecompare.com"]},
      "2ea71c367d178c843fd21db4fdb630ba54a20dc5": {"values": ["C=US, O=thawte, Inc., CN=thawte SSL CA - G2"]},
      "d10050dad40f850c2f84c215929e344ff8c9c552": {"values": ["C=US, ST=California, L=San Jose, O=Altera Corporation, OU=IT, CN=*.altera.com.cn"]}
    }
  },
  "172.228.24.10": {
    "certificates": [
      "4b948bf1b5852e1fc0a4ffd73a4087c967e2c968",
      "780a06f6e9b4061cad0c6502710606eb535f1c26",
      "de28f4a4ffe5b92fa3c503d1a349a7f9962a8212"
    ],
    "subjects": {
      "4b948bf1b5852e1fc0a4ffd73a4087c967e2c968": {"values": ["serialNumber=votSFS5N71H6C8XC9xvyFnfXnCbjfirr, C=GB, ST=London, L=London, O=News Group Newspapers Ltd, CN=join.thesun.co.uk"]},
      "780a06f6e9b4061cad0c6502710606eb535f1c26": {"values": ["C=US, O=GeoTrust, Inc., CN=GeoTrust SSL CA"]},
      "de28f4a4ffe5b92fa3c503d1a349a7f9962a8212": {"values": ["C=US, O=GeoTrust Inc., CN=GeoTrust Global CA"]}
    }
  },
  "172.228.24.11": {
    "certificates": [
      "780a06f6e9b4061cad0c6502710606eb535f1c26",
      "de28f4a4ffe5b92fa3c503d1a349a7f9962a8212",
      "542ff5a0a035c1e2f0845fd0ed54ccf9bee2517c"
    ],
    "subjects": {
      "780a06f6e9b4061cad0c6502710606eb535f1c26": {"values": ["C=US, O=GeoTrust, Inc., CN=GeoTrust SSL CA"]},
      "de28f4a4ffe5b92fa3c503d1a349a7f9962a8212": {"values": ["C=US, O=GeoTrust Inc., CN=GeoTrust Global CA"]},
      "542ff5a0a035c1e2f0845fd0ed54ccf9bee2517c": {"values": ["serialNumber=Y8t0npKVp3Fpoq45a6WRSh/ZdY9/FX3r, C=US, ST=California, L=San Diego, O=INTUIT INC., OU=Tech_Ops, CN=quickbase.intuit.com"]}
    }
  },
  "172.228.24.12": {
    "certificates": [
      "c53e73073f93ce7895de7484126bc303dab9e657",
      "503006091d97d4f5ae39f7cbe7927d7d652d3431",
      "3209cc3ce4f1c22ab64b2e4284100b0022ad2739",
      "aca9789a735eb253b410ccb979bb35e5e7dcdea9",
      "4d34ea92764b3a3149119952f41930ca11348361",
      "43b31c858772f17f87235272cf339c29160727c7"
    ],
    "subjects": {
      "c53e73073f93ce7895de7484126bc303dab9e657": {"values": ["C=US, O=Entrust, Inc., OU=www.entrust.net/rpa is incorporated by reference, OU=(c) 2009 Entrust, Inc., CN=Entrust Certification Authority - L1C"]},
      "503006091d97d4f5ae39f7cbe7927d7d652d3431": {"values": ["O=Entrust.net, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Certification Authority (2048)"]},
      "3209cc3ce4f1c22ab64b2e4284100b0022ad2739": {"values": ["C=NL, L=Amsterdam, O=Verizon Enterprise Solutions, OU=Cybertrust, CN=Verizon Akamai SureServer CA G14-SHA1"]},
      "aca9789a735eb253b410ccb979bb35e5e7dcdea9": {"values": ["C=US, ST=WA, L=Seattle, O=Getty Images, Inc., OU=iStockphoto, CN=secure.istockphoto.com"]},
      "4d34ea92764b3a3149119952f41930ca11348361": {"values": ["C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root"]},
      "43b31c858772f17f87235272cf339c29160727c7": {"values": ["C=US, ST=Georgia, L=Atlanta, O=The Home Depot, CN=kdlms.homedepot.com"]}
    }
  },
  "172.228.24.13": {
    "certificates": [
      "780a06f6e9b4061cad0c6502710606eb535f1c26",
      "1a7d8d6e58caeb72bb4237ffc1c04e8d368c913a"
    ],
    "subjects": {
      "780a06f6e9b4061cad0c6502710606eb535f1c26": {"values": ["C=US, O=GeoTrust, Inc., CN=GeoTrust SSL CA"]},
      "1a7d8d6e58caeb72bb4237ffc1c04e8d368c913a": {"values": ["serialNumber=dVn4HhED532-1HQOwGkA/TovT-JtOEMN, C=US, ST=California, L=Rancho Dominguez, O=Onestop Internet Inc., OU=Onestop Internet, CN=www.onestop.com"]}
    }
  },
  "172.228.24.14": {
    "certificates": [
      "1ae8aaddeb4e27392c4a549a7df2d6aef4e95e7a",
      "30d1fd4a296ab1a8831cd56b4110a227f557bfff",
      "ac8f7c5bc86ef1896f2d161c32a57aab37d364da",
      "4136bb45dd375b8cba5f430d0a03e50edbe7410a",
      "4d34ea92764b3a3149119952f41930ca11348361"
    ],
    "subjects": {
      "1ae8aaddeb4e27392c4a549a7df2d6aef4e95e7a": {"values": ["C=US, ST=SOUTH CAROLINA, L=Hilton Head Island, O=Hilton Head Island-Bluffton Chamber of Commerce, OU=IT, CN=*.hiltonheadisland.org"]},
      "30d1fd4a296ab1a8831cd56b4110a227f557bfff": {"values": ["O=Cybertrust Inc, CN=Cybertrust Public SureServer SV CA"]},
      "4d34ea92764b3a3149119952f41930ca11348361": {"values": ["C=IE, O=Baltimore, OU=CyberTrust, CN=Baltimore CyberTrust Root"]},
      "4136bb45dd375b8cba5f430d0a03e50edbe7410a": {"values": ["C=DE, ST=Baden-Wuerttemberg, L=Walldorf, O=SAP SE, OU=Cloud Infrastructure Delivery, CN=pilot.support.sap.com"]},
      "ac8f7c5bc86ef1896f2d161c32a57aab37d364da": {"values": ["C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G4"]}
    }
  },
  "172.228.24.15": {
    "certificates": [
      "780a06f6e9b4061cad0c6502710606eb535f1c26",
      "afe5fac5f3dae7523b7e2948d72f95f80a5b0e42"
    ],
    "subjects": {
      "780a06f6e9b4061cad0c6502710606eb535f1c26": {"values": ["C=US, O=GeoTrust, Inc., CN=GeoTrust SSL CA"]},
      "afe5fac5f3dae7523b7e2948d72f95f80a5b0e42": {"values": ["serialNumber=2Fr160kmOjBTWTTIe/pv4hmFm0kiNYOP, C=US, ST=California, L=Ventura, O=Patagonia, OU=Ventura, CN=www.patagonia.com"]}
    }
  }
}
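As an added example (not part of this page and not the pypssl library), the following Python wraps the three endpoints described above: it validates the target before it is sent (rejecting prefixes wider than /23, networks with host bits set, and malformed fingerprints), builds the URLs, performs the authenticated request, and inverts a query response from the service's per-address view into a per-certificate view, listing the certificates shared by several addresses in the block. The sample response is a trimmed copy of the 172.228.24.0/28 output above (three addresses, two certificates kept for .9). That the partner credentials are presented as HTTP Basic auth is an assumption; the names normalise_target, index_by_certificate and shared_certificates are this example's own.

```python
"""CIRCL Passive SSL v2 helpers (added example, not CIRCL's or pypssl's code)."""
import base64
import ipaddress
import json
import urllib.request

BASE = "https://www.circl.lu/v2pssl"  # endpoint prefix from the page
MIN_PREFIX, MAX_PREFIX = 23, 32        # /query accepts /32 up to /23


def normalise_target(target: str) -> str:
    """Return the IP or CIDR string to place after /query/.

    Rejects prefixes wider than /23, networks with host bits set and
    anything that is not an address, so a malformed indicator copied out
    of a ticket never reaches the service as a query.
    """
    if "/" not in target:
        return str(ipaddress.ip_address(target))
    net = ipaddress.ip_network(target, strict=True)  # raises on host bits
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        raise ValueError(f"/{net.prefixlen} is outside /{MIN_PREFIX}-/{MAX_PREFIX}")
    return str(net)


def is_valid_target(target: str) -> bool:
    try:
        normalise_target(target)
        return True
    except ValueError:
        return False


def check_sha1(fingerprint: str) -> str:
    """cquery/cfetch take a SHA1 fingerprint: 40 hex digits, lower-cased here."""
    fp = fingerprint.strip().lower()
    if len(fp) != 40 or any(c not in "0123456789abcdef" for c in fp):
        raise ValueError("expected a 40-hex-digit SHA1 fingerprint")
    return fp


def query_url(target: str) -> str:
    return f"{BASE}/query/{normalise_target(target)}"


def cquery_url(fingerprint: str) -> str:
    return f"{BASE}/cquery/{check_sha1(fingerprint)}"


def cfetch_url(fingerprint: str) -> str:
    return f"{BASE}/cfetch/{check_sha1(fingerprint)}"


def fetch(url: str, user: str, password: str, timeout: float = 30) -> dict:
    """GET a v2pssl URL and decode the JSON body.

    Assumption: the partner credentials go in an HTTP Basic Authorization
    header; adapt this if CIRCL issued you a different scheme.
    """
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def index_by_certificate(response: dict) -> dict:
    """Invert a /query response (ip -> certs) into fingerprint -> {subject, ips}."""
    index = {}
    for ip, entry in response.items():
        subjects = entry.get("subjects", {})
        for fp in entry["certificates"]:
            rec = index.setdefault(fp, {"subject": None, "ips": []})
            rec["ips"].append(ip)
            values = subjects.get(fp, {}).get("values", [])
            if values and rec["subject"] is None:
                rec["subject"] = values[0]
    for rec in index.values():
        rec["ips"].sort(key=ipaddress.ip_address)  # numeric, not lexical, order
    return index


def shared_certificates(response: dict, min_ips: int = 2) -> list:
    """Fingerprints seen on at least min_ips addresses, most widespread first.

    Intermediates and roots dominate this list by nature; a leaf certificate
    on many addresses (CDN edge, shared hosting, reused key) is the finding.
    """
    hits = [(fp, rec) for fp, rec in index_by_certificate(response).items()
            if len(rec["ips"]) >= min_ips]
    hits.sort(key=lambda h: (-len(h[1]["ips"]), h[0]))
    return hits


# Constructed sample: a trimmed copy of the page's /query output for
# 172.228.24.0/28 (three addresses), enough to run the pivot offline.
SAMPLE_QUERY = {
    "172.228.24.9": {
        "certificates": ["780a06f6e9b4061cad0c6502710606eb535f1c26",
                         "08ff9ecb28facd74dd125ded44f4e0dd6707f902"],
        "subjects": {
            "780a06f6e9b4061cad0c6502710606eb535f1c26": {"values": ["C=US, O=GeoTrust, Inc., CN=GeoTrust SSL CA"]},
            "08ff9ecb28facd74dd125ded44f4e0dd6707f902": {"values": ["serialNumber=Dyi4QNdi9bHxOhWakExUXmDdd09Ny/kj, C=US, ST=Texas, L=Dallas, O=FareCompare, LP, OU=Information Technology, CN=www.farecompare.com"]},
        },
    },
    "172.228.24.10": {
        "certificates": ["4b948bf1b5852e1fc0a4ffd73a4087c967e2c968",
                         "780a06f6e9b4061cad0c6502710606eb535f1c26",
                         "de28f4a4ffe5b92fa3c503d1a349a7f9962a8212"],
        "subjects": {
            "4b948bf1b5852e1fc0a4ffd73a4087c967e2c968": {"values": ["serialNumber=votSFS5N71H6C8XC9xvyFnfXnCbjfirr, C=GB, ST=London, L=London, O=News Group Newspapers Ltd, CN=join.thesun.co.uk"]},
            "780a06f6e9b4061cad0c6502710606eb535f1c26": {"values": ["C=US, O=GeoTrust, Inc., CN=GeoTrust SSL CA"]},
            "de28f4a4ffe5b92fa3c503d1a349a7f9962a8212": {"values": ["C=US, O=GeoTrust Inc., CN=GeoTrust Global CA"]},
        },
    },
    "172.228.24.11": {
        "certificates": ["780a06f6e9b4061cad0c6502710606eb535f1c26",
                         "de28f4a4ffe5b92fa3c503d1a349a7f9962a8212",
                         "542ff5a0a035c1e2f0845fd0ed54ccf9bee2517c"],
        "subjects": {
            "780a06f6e9b4061cad0c6502710606eb535f1c26": {"values": ["C=US, O=GeoTrust, Inc., CN=GeoTrust SSL CA"]},
            "de28f4a4ffe5b92fa3c503d1a349a7f9962a8212": {"values": ["C=US, O=GeoTrust Inc., CN=GeoTrust Global CA"]},
            "542ff5a0a035c1e2f0845fd0ed54ccf9bee2517c": {"values": ["serialNumber=Y8t0npKVp3Fpoq45a6WRSh/ZdY9/FX3r, C=US, ST=California, L=San Diego, O=INTUIT INC., OU=Tech_Ops, CN=quickbase.intuit.com"]},
        },
    },
}

if __name__ == "__main__":
    print(query_url("172.228.24.0/28"))
    for fp, rec in shared_certificates(SAMPLE_QUERY):
        print(len(rec["ips"]), fp, rec["subject"])
    # Live use, once CIRCL has issued credentials:
    # data = fetch(query_url("172.228.24.0/28"), "user", "password")
```

Run against the sample, the pivot surfaces the GeoTrust SSL CA intermediate on three addresses and GeoTrust Global CA on two; on a full block the same loop is where a leaf certificate shared across unrelated hosts stands out.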

The query value for cquery is the SHA1 fingerprint of a certificate:

https://www.circl.lu/v2pssl/cquery/7c552ab044c76d1df4f5ddf358807bfdcd07fa57

The response lists the IP addresses on which that certificate was seen, the number of hits, and echoes the fingerprint that was queried:

{
  "seen": ["149.13.33.13", "149.13.33.11", "149.13.33.4", "149.13.33.9"],
  "hits": 4,
  "certificate": "7c552ab044c76d1df4f5ddf358807bfdcd07fa57"
}

The X509 certificate can be requested by its fingerprint:

https://www.circl.lu/v2pssl/cfetch/7c552ab044c76d1df4f5ddf358807bfdcd07fa57

The raw PEM certificate is returned together with its parsed fields (line breaks inside the PEM and public key strings are shown literally here; in the JSON they are escaped as \n):

{
  "icsi": {
    "last_seen": "16596",
    "times_seen": "5",
    "validated": "1",
    "version": "1",
    "first_seen": "16469"
  },
  "pem": "-----BEGIN CERTIFICATE-----
MIIFvDCCBKSgAwIBAgIDBivRMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAkxV
MRYwFAYDVQQKEw1MdXhUcnVzdCBTLkEuMR4wHAYDVQQDExVMdXhUcnVzdCBRdWFs
aWZpZWQgQ0EwHhcNMTQwNzE3MTIyNDE2WhcNMTYwNzE3MTIyNDE2WjCBwDELMAkG
A1UEBhMCTFUxEzARBgNVBAgTCkx1eGVtYm91cmcxEzARBgNVBAcTCkx1eGVtYm91
cmcxPTA7BgNVBAoTNENJUkNMIC0gQ29tcHV0ZXIgSW5jaWRlbnQgUmVzcG9uc2Ug
Q2VudGVyIEx1eGVtYm91cmcxFTATBgNVBAsTDFdlYiBTZXJ2aWNlczETMBEGA1UE
AxQKKi5jaXJjbC5sdTEcMBoGCSqGSIb3DQEJARYNaW5mb0BjaXJjbC5sdTCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALz26kXiY2TfqHukFJMy9BMvWjyS
QntEMZc2VV/uWW8nQ9BT43aEVBK0Y7JcLfEPd72oDs7yQrhqyuSiXVLrJzOu7nI9
LWmEqX/WVZHbS4mdmdo/d2gllirmpClpI6W5v68qUd4zxlSQxrnPzpyVWtmih8Nw
RHGIo/YttLAqjao37CuGHS3ltRTaAB30ToJgfK5fDWvtOjoomRvjZNhTNO/ZEdaw
wygsF8NBDoWyOwoSRqNA9UOuBM70Bdu4VJkCyDJVQzaTx0mPbV+iXmKFj33MyfTx
ZMASXiG+e0+Q1ih53X2+GeDWElbM6lv2XKVP3Ueo4qh43CgBtX1El0zCzf8CAwEA
AaOCAjcwggIzMAwGA1UdEwEB/wQCMAAwYAYIKwYBBQUHAQEEVDBSMCMGCCsGAQUF
BzABhhdodHRwOi8vb2NzcC5sdXh0cnVzdC5sdTArBggrBgEFBQcwAoYfaHR0cDov
L2NhLmx1eHRydXN0Lmx1L0xUUUNBLmNydDCCAQAGA1UdIASB+DCB9TCB6AYIK4Er
AQECBgEwgdswga0GCCsGAQUFBwICMIGgGoGdTHV4VHJ1c3QgU2VydmVyIENlcnRp
ZmljYXRlLiBOb3Qgc3VwcG9ydGVkIGJ5IFNTQ0QsIEtleSBHZW5lcmF0aW9uIGJ5
IFN1YnNjcmliZXIuIEdUQywgQ1AgYW5kIENQUyBvbiBodHRwOi8vcmVwb3NpdG9y
eS5sdXh0cnVzdC5sdS4gU2lnbmVkIGJ5IGEgUXVhbGlmaWVkIENBLjApBggrBgEF
BQcCARYdaHR0cDovL3JlcG9zaXRvcnkubHV4dHJ1c3QubHUwCAYGBACPegEDMBEG
CWCGSAGG+EIBAQQEAwIF4DAOBgNVHQ8BAf8EBAMCBLAwJwYDVR0lBCAwHgYIKwYB
BQUHAwEGCCsGAQUFBwMCBggrBgEFBQcDBDAfBgNVHSMEGDAWgBSNkKMH3RoTd5lM
kqtNQ94/zSlkBTAxBgNVHR8EKjAoMCagJKAihiBodHRwOi8vY3JsLmx1eHRydXN0
Lmx1L0xUUUNBLmNybDAdBgNVHQ4EFgQUfxT4ZRAbCmnrRK2KZDrE4Dxp7dIwDQYJ
KoZIhvcNAQEFBQADggEBAIeg9n+bdv0RouFl++1BlotUD3fXRbhURL0Bzpe6w2hy
RGAFxA1u1AWwtrowQ53Awh6ZJxntHmeYTlchl1Hc79Gt7wHeBI4phack5iTFKJzL
vdLeGYjj4qJ9LNNt2hNf8Z5u72oMe6xq9naBWJibyzrHQgBsdl/iSMBEQbEkcfXW
CDpqMrvhHapkL3zJZE0mIOb2wZ+Xqh7XG+9qqfTVjq+Bi/Ihja2ueV8X+TI/cizr
FU3QrEV4rwIb6FcSX6R5qnlIh8bfm+aDAZCQZXJa9eheeYJw39ibYRxmc6FvR35c
5zWFlvTe1e7OuPN09CyPJHCxfidIFlBDnQzxAiHBgLs=
-----END CERTIFICATE-----
",
  "info": {
    "subject": "C=LU, ST=Luxembourg, L=Luxembourg, O=CIRCL - Computer Incident Response Center Luxembourg, OU=Web Services, CN=*.circl.lu/emailAddress=info@circl.lu",
    "not_before": "2014-07-17T12:24:16+00:00",
    "issuer": "C=LU, O=LuxTrust S.A., CN=LuxTrust Qualified CA",
    "fingerprint": "7C552AB044C76D1DF4F5DDF358807BFDCD07FA57",
    "key": "-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvPbqReJjZN+oe6QUkzL0
Ey9aPJJCe0QxlzZVX+5ZbydD0FPjdoRUErRjslwt8Q93vagOzvJCuGrK5KJdUusn
M67ucj0taYSpf9ZVkdtLiZ2Z2j93aCWWKuakKWkjpbm/rypR3jPGVJDGuc/OnJVa
2aKHw3BEcYij9i20sCqNqjfsK4YdLeW1FNoAHfROgmB8rl8Na+06OiiZG+Nk2FM0
79kR1rDDKCwXw0EOhbI7ChJGo0D1Q64EzvQF27hUmQLIMlVDNpPHSY9tX6JeYoWP
fczJ9PFkwBJeIb57T5DWKHndfb4Z4NYSVszqW/ZcpU/dR6jiqHjcKAG1fUSXTMLN
/wIDAQAB
-----END PUBLIC KEY-----
",
    "keylength": 2048,
    "not_after": "2016-07-17T12:24:16+00:00",
    "extension": {
      "basicConstraints": "CA:FALSE",
      "subjectKeyIdentifier": "7F:14:F8:65:10:1B:0A:69:EB:44:AD:8A:64:3A:C4:E0:3C:69:ED:D2",
      "authorityKeyIdentifier": "keyid:8D:90:A3:07:DD:1A:13:77:99:4C:92:AB:4D:43:DE:3F:CD:29:64:05\n",
      "extendedKeyUsage": "TLS Web Server Authentication, TLS Web Client Authentication, E-mail Protection",
      "crlDistributionPoints": "\nFull Name:\n  URI:http://crl.luxtrust.lu/LTQCA.crl\n",
      "keyUsage": "Digital Signature, Key Encipherment, Data Encipherment",
      "certificatePolicies": "Policy: 1.3.171.1.1.2.6.1\n  User Notice:\n    Explicit Text: LuxTrust Server Certificate. Not supported by SSCD, Key Generation by Subscriber. GTC, CP and CPS on http://repository.luxtrust.lu. Signed by a Qualified CA.\n  CPS: http://repository.luxtrust.lu\nPolicy: 0.4.0.2042.1.3\n",
      "nsCertType": "SSL Client, SSL Server, S/MIME",
      "authorityInfoAccess": "OCSP - URI:http://ocsp.luxtrust.lu\nCA Issuers - URI:http://ca.luxtrust.lu/LTQCA.crt\n"
    }
  }
}

In addition to the certificate itself, the record carries what the ICSI SSL Notary Service knows about it, under the icsi key. The notary's first_seen and last_seen are day counts since the Unix epoch (16469 and 16596 above are 2015-02-03 and 2015-06-10), times_seen is the number of days on which the notary observed the certificate, and validated is "1" when the notary could validate its chain. Note that the notary returns these as strings, not numbers.
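As an added example (not CIRCL's code and not pypssl), the following standard-library Python checks a cfetch record before an analyst pivots on it: it confirms that the fingerprint in the record is the one that was requested (the same consistency the cquery response offers through its certificate field), recomputes SHA1 over the DER encoding to confirm the PEM really hashes to that fingerprint, and decodes the icsi counters into dates. The embedded certificate and icsi block are copied from the cfetch example above; that the icsi key may be absent for a certificate the notary never saw is an assumption, and check_record, summarise_icsi and fingerprint_matches are this example's own names.

```python
"""Checks on a Passive SSL cfetch record (added example, not CIRCL's code)."""
import datetime
import hashlib
import hmac
import ssl

# Certificate from the page's cfetch example (*.circl.lu, issued by LuxTrust).
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MIIFvDCCBKSgAwIBAgIDBivRMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNVBAYTAkxV
MRYwFAYDVQQKEw1MdXhUcnVzdCBTLkEuMR4wHAYDVQQDExVMdXhUcnVzdCBRdWFs
aWZpZWQgQ0EwHhcNMTQwNzE3MTIyNDE2WhcNMTYwNzE3MTIyNDE2WjCBwDELMAkG
A1UEBhMCTFUxEzARBgNVBAgTCkx1eGVtYm91cmcxEzARBgNVBAcTCkx1eGVtYm91
cmcxPTA7BgNVBAoTNENJUkNMIC0gQ29tcHV0ZXIgSW5jaWRlbnQgUmVzcG9uc2Ug
Q2VudGVyIEx1eGVtYm91cmcxFTATBgNVBAsTDFdlYiBTZXJ2aWNlczETMBEGA1UE
AxQKKi5jaXJjbC5sdTEcMBoGCSqGSIb3DQEJARYNaW5mb0BjaXJjbC5sdTCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALz26kXiY2TfqHukFJMy9BMvWjyS
QntEMZc2VV/uWW8nQ9BT43aEVBK0Y7JcLfEPd72oDs7yQrhqyuSiXVLrJzOu7nI9
LWmEqX/WVZHbS4mdmdo/d2gllirmpClpI6W5v68qUd4zxlSQxrnPzpyVWtmih8Nw
RHGIo/YttLAqjao37CuGHS3ltRTaAB30ToJgfK5fDWvtOjoomRvjZNhTNO/ZEdaw
wygsF8NBDoWyOwoSRqNA9UOuBM70Bdu4VJkCyDJVQzaTx0mPbV+iXmKFj33MyfTx
ZMASXiG+e0+Q1ih53X2+GeDWElbM6lv2XKVP3Ueo4qh43CgBtX1El0zCzf8CAwEA
AaOCAjcwggIzMAwGA1UdEwEB/wQCMAAwYAYIKwYBBQUHAQEEVDBSMCMGCCsGAQUF
BzABhhdodHRwOi8vb2NzcC5sdXh0cnVzdC5sdTArBggrBgEFBQcwAoYfaHR0cDov
L2NhLmx1eHRydXN0Lmx1L0xUUUNBLmNydDCCAQAGA1UdIASB+DCB9TCB6AYIK4Er
AQECBgEwgdswga0GCCsGAQUFBwICMIGgGoGdTHV4VHJ1c3QgU2VydmVyIENlcnRp
ZmljYXRlLiBOb3Qgc3VwcG9ydGVkIGJ5IFNTQ0QsIEtleSBHZW5lcmF0aW9uIGJ5
IFN1YnNjcmliZXIuIEdUQywgQ1AgYW5kIENQUyBvbiBodHRwOi8vcmVwb3NpdG9y
eS5sdXh0cnVzdC5sdS4gU2lnbmVkIGJ5IGEgUXVhbGlmaWVkIENBLjApBggrBgEF
BQcCARYdaHR0cDovL3JlcG9zaXRvcnkubHV4dHJ1c3QubHUwCAYGBACPegEDMBEG
CWCGSAGG+EIBAQQEAwIF4DAOBgNVHQ8BAf8EBAMCBLAwJwYDVR0lBCAwHgYIKwYB
BQUHAwEGCCsGAQUFBwMCBggrBgEFBQcDBDAfBgNVHSMEGDAWgBSNkKMH3RoTd5lM
kqtNQ94/zSlkBTAxBgNVHR8EKjAoMCagJKAihiBodHRwOi8vY3JsLmx1eHRydXN0
Lmx1L0xUUUNBLmNybDAdBgNVHQ4EFgQUfxT4ZRAbCmnrRK2KZDrE4Dxp7dIwDQYJ
KoZIhvcNAQEFBQADggEBAIeg9n+bdv0RouFl++1BlotUD3fXRbhURL0Bzpe6w2hy
RGAFxA1u1AWwtrowQ53Awh6ZJxntHmeYTlchl1Hc79Gt7wHeBI4phack5iTFKJzL
vdLeGYjj4qJ9LNNt2hNf8Z5u72oMe6xq9naBWJibyzrHQgBsdl/iSMBEQbEkcfXW
CDpqMrvhHapkL3zJZE0mIOb2wZ+Xqh7XG+9qqfTVjq+Bi/Ihja2ueV8X+TI/cizr
FU3QrEV4rwIb6FcSX6R5qnlIh8bfm+aDAZCQZXJa9eheeYJw39ibYRxmc6FvR35c
5zWFlvTe1e7OuPN09CyPJHCxfidIFlBDnQzxAiHBgLs=
-----END CERTIFICATE-----"""

# The icsi block from the same example; the API returns these as strings.
SAMPLE_ICSI = {"last_seen": "16596", "times_seen": "5", "validated": "1",
               "version": "1", "first_seen": "16469"}

UNIX_EPOCH = datetime.date(1970, 1, 1)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode; raises ValueError on bad armour."""
    return ssl.PEM_cert_to_DER_cert(pem)


def der_sha1(pem: str) -> str:
    """SHA1 over the DER bytes: the fingerprint Passive SSL keys its store on."""
    return hashlib.sha1(pem_to_der(pem)).hexdigest()


def fingerprint_matches(pem: str, claimed: str) -> bool:
    """True iff the PEM hashes to `claimed` (case-insensitive, constant-time)."""
    return hmac.compare_digest(der_sha1(pem), claimed.strip().lower())


def icsi_day_to_date(days) -> str:
    """ICSI notary first_seen/last_seen are day counts since the Unix epoch."""
    return (UNIX_EPOCH + datetime.timedelta(days=int(days))).isoformat()


def summarise_icsi(icsi: dict) -> dict:
    return {
        "first_seen": icsi_day_to_date(icsi["first_seen"]),
        "last_seen": icsi_day_to_date(icsi["last_seen"]),
        "times_seen": int(icsi["times_seen"]),  # days on which it was observed
        "validated": icsi["validated"] == "1",  # chain validated by the notary
    }


def check_record(record: dict, requested: str) -> dict:
    """Validate a cfetch response before pivoting on it.

    Two things must hold: info.fingerprint is the fingerprint you asked for,
    and the PEM actually hashes to it. The icsi block is treated as optional
    (assumption: absent when the notary never saw the certificate).
    """
    problems = []
    fp = record["info"]["fingerprint"]
    if fp.lower() != requested.strip().lower():
        problems.append(f"record is for {fp}, not {requested}")
    if not fingerprint_matches(record["pem"], fp):
        problems.append("PEM does not hash to info.fingerprint")
    icsi = record.get("icsi")
    return {"ok": not problems, "problems": problems,
            "icsi": summarise_icsi(icsi) if icsi else None}


if __name__ == "__main__":
    record = {"pem": SAMPLE_PEM, "icsi": SAMPLE_ICSI,
              "info": {"fingerprint": "7C552AB044C76D1DF4F5DDF358807BFDCD07FA57"}}
    print(check_record(record, "7c552ab044c76d1df4f5ddf358807bfdcd07fa57"))
```

The fingerprint recomputation is the check worth keeping in a pipeline: a record that fails it is a transport or storage problem, not something to feed into a blocklist or a pivot.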

Old API (version 1)

The old Passive SSL API (version 1, under /pssl) will be deactivated on 1 October 2015. Passive SSL clients must move to version 2 of the API as described above. Passive SSL authentication remains the same.

Access to CIRCL Passive SSL

Access to CIRCL Passive SSL is granted to partners, including security researchers and incident analysts worldwide. Contact us if you would like to obtain access.

Python Library to access CIRCL Passive SSL

There is a Python library called pypssl for accessing CIRCL Passive SSL. The library supports version 1 and version 2 of the API.

You can install pypssl via pip.