Skip to main content
Zondex
login
Browse Stats Pricing Blog Dorks How-To Docs
description

X.509

A standard defining the format of public key certificates, commonly used to verify the authenticity of websites and other digital entities in secure communications.

What is X.509?

X.509 is an international standard defining the format for public key certificates, developed by the International Telecommunication Union (ITU-T). It forms the backbone of Public Key Infrastructure (PKI) and is most prominently used in SSL/TLS (the security layer for HTTPS), securing communications over the internet. An X.509 certificate essentially binds a public key to an identity – typically a person, an organization, or a device like a web server. This binding is asserted by a trusted third party, known as a Certificate Authority (CA).

The certificate contains several critical pieces of information, including: * Subject: The identity of the entity holding the public key (e.g., a domain name, organization name). * Public Key: The cryptographic key used for encryption or verifying digital signatures. * Issuer: The CA that issued the certificate. * Serial Number: A unique identifier for the certificate. * Validity Period: The dates during which the certificate is considered valid. * Signature: The digital signature of the CA, proving its authenticity. * Extensions: Additional information like Key Usage, Extended Key Usage, and Subject Alternative Names (SANs).

How X.509 Works

When you visit a secure website (HTTPS), your browser receives the server's X.509 certificate. The process of verifying this certificate involves several steps:

  1. Trust Anchor: Your browser has a pre-installed list of trusted root CAs. It checks if the server's certificate was issued by one of these trusted roots or by an intermediate CA whose own certificate traces back to a trusted root.
  2. Signature Verification: The browser uses the public key of the issuing CA to verify the digital signature on the server's certificate. If the signature is valid, it confirms that the certificate has not been tampered with and was indeed issued by that CA.
  3. Validity Check: The browser verifies that the certificate has not expired (is within its validity period) and has not been revoked (e.g., via a Certificate Revocation List or OCSP).
  4. Domain Match: It checks if the domain name in the certificate (Subject or SANs) matches the domain you are trying to reach.

If all these checks pass, the browser establishes a secure connection, trusting the identity of the server.

X.509 in Security Research

Security researchers extensively analyze X.509 certificates to uncover potential vulnerabilities, misconfigurations, and threats. This includes:

  • Misconfigurations: Identifying certificates with weak cryptographic parameters (e.g., outdated key sizes or hashing algorithms), incorrect usage flags, or sensitive information exposed in subject fields.
  • Expired or Self-Signed Certificates: Discovering expired certificates that can lead to service interruptions or self-signed certificates used in production environments where a CA-issued certificate is expected, potentially indicating a lack of proper security posture.
  • Certificate Revocation Issues: Investigating issues with Certificate Revocation Lists (CRLs) or Online Certificate Status Protocol (OCSP) that might prevent timely revocation of compromised certificates.
  • Trust Chain Analysis: Mapping certificate chains to identify vulnerabilities in intermediate CAs or detect certificates issued by untrusted or compromised CAs.
  • OSINT & Threat Intelligence: Analyzing certificate data for patterns indicating phishing campaigns, command-and-control servers, or infrastructure associated with malicious actors.

Using Zondex to Find X.509

Zondex, a powerful cybersecurity search engine, allows users to query vast datasets of internet-connected devices, including detailed X.509 certificate information. This enables security professionals to discover, monitor, and analyze certificate deployments globally.

Here are some Zondex query examples:

  • ssl.cert.issuer.cn:"Let's Encrypt": Find all internet-facing services using certificates issued by Let's Encrypt.
  • ssl.cert.subject.cn:"*.example.com": Discover certificates issued for subdomains of example.com.
  • ssl.cert.expired:true port:443: Identify web servers with expired X.509 certificates.
  • ssl.cert.public_key.size:"1024" AND ssl.cert.signature_algorithm:"SHA1": Locate certificates using potentially weak 1024-bit keys and SHA-1 signatures.
  • ssl.cert.subject.organization:"Internal Corp" AND port:8443: Find internal corporate services potentially exposed to the internet, identified by their certificate organization name and a common internal port.
  • ssl.cert.fingerprint.sha256:"d7b8f9e6c1a5b4f3e2d1c0b9a876543210fedcba9876543210fedcba9876543": Search for a specific certificate fingerprint.

Key Takeaways

X.509 certificates are fundamental for establishing trust and securing communications across the internet. They serve as digital passports, verifying identities and ensuring data integrity. Certificate Authorities play a crucial role in maintaining this trust ecosystem. Security researchers leverage X.509 data to uncover vulnerabilities, track threats, and improve overall cybersecurity posture. Zondex empowers these efforts by providing detailed, searchable access to global X.509 certificate information, enabling proactive identification of weaknesses and risks.

search

Try it on Zondex

See X.509 data in action with these search queries:

Open Search
arrow_back
Previous
WAF
Next
XDR
arrow_forward

At a Glance

Term X.509
Updated Mar 14, 2026
menu_book
Browse All Terms
138 terms in the glossary
arrow_forward
support_agent
Zondex Support
Usually replies within minutes
Hi there!
Send us a message and we'll reply as soon as possible.