RISKIQ SSL certificate lookups that return an exact match

  • Release version: Yokohama
  • Updated January 30, 2025

    RISKIQ SSL certificate lookup results for an exact match are displayed on the SSL Certificates tab on the security incident record. An exact match provides a valid certificate authority name, which helps a security incident analyst determine the validity of a website.

    Exact match for a valid SSL certificate

    The following example shows a valid issuer of an SSL certificate from an exact match in the lookup results. Follow the steps to view the results and raw data.

    Note:
    The figures in the following examples are shown with the Tabbed forms setting active in the System Settings. If your screen does not match the view shown below, follow the steps to set tabbed forms.
      1. In the upper-right corner of the banner frame, click the Settings icon.
      2. In the System Settings dialog box that is displayed, click Forms and verify that Tabbed forms and With the Form are selected.

    1. In the security incident record, click the SSL Certificates tab.
      Figure 1. SSL Certificates tab
      SSL Certificates tab on the Security Incident record.

      Information about the certificate issuer’s name, the issuer's organization, and who the certificate is issued to (Organization) is displayed along with other data.

      18 items are displayed in the Issuer Name column. The second item (R3) provides a valid certificate authority name (Let's Encrypt) in the Issuer Organization column.

      No information in the Issuer Organization and Issued to columns is displayed for the second item (mail.dgtnetworks.com).
    2. Click the second item in the Issuer Name column (R3) to open the entry record. Alternatively, click the information icon next to the item, followed by Open record.
    3. Select the Raw Data tab.
      Figure 2. Raw Data tab
      Raw data tab.

      The SSL Certificate Entry record includes the observable in the Raw Data tab under the Entity name column, as well as other data.

      Note that in the Category column, the Subject and Issuer correspond to recognizable entities in the Entity name column. The issuer of this certificate is most likely valid and from a trusted public certificate authority. Also note that the Subject and Issuer are different entities. These separate entities indicate that the certificate is not an internally signed certificate from an unknown certificate authority.

    Exact match for a self-signed SSL Certificate

    The following example shows results for a self-signed SSL certificate from the lookup. Follow the steps to view the results and raw data.

    1. Navigate back to the security incident record. In the Issuer Name column, click the other item (mail.dgtnetworks.com).
      Figure 3. SSL Certificates tab
      SSL Certificate Results tab.
    2. On the open record, select the Raw Data tab.
      Figure 4. Raw Data tab
      SSL Raw Data tab.

      The Category column indicates that the Issuer entities (mail.dgtnetworks.com and dgtsbs.DGTNetworks.local) are not trusted public certificate authorities. Also note that the Issuer and Subject are the same entity (dgtsbs.DGTNetworks.local), and each contains the name of the observable (dgtsbs). This certificate is possibly a self-signed certificate. Self-signed certificates may warrant further investigation, as these certificates are not issued by a known certificate authority.
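
The issuer and subject comparison walked through in both examples above can be scripted as a first-pass triage over the raw-data rows. This is an added example, not ServiceNow or RiskIQ code: the row shape, the `triage` function, the CA allowlist and the `www.example.com` subject are assumptions. It is a name-based heuristic only, because issuer and subject fields are free text and do not prove that a certificate chains to a trusted root.

```python
# Added example: triage of certificate raw-data rows (Category, Entity name).
# Row shape, allowlist and sample rows are constructed assumptions.
KNOWN_PUBLIC_CA_ORGS = {"let's encrypt", "digicert inc", "sectigo limited"}


def _norm(name):
    """Case-fold, trim, and unify apostrophes so names compare reliably."""
    return name.strip().lower().replace("\u2019", "'")


def triage(rows, issuer_org="", observable=""):
    """Return (verdict, reasons) for one certificate entry.

    verdict: 'likely-ca-issued', 'possible-self-signed' or 'needs-review'.
    """
    subjects = {_norm(e) for c, e in rows if _norm(c) == "subject"}
    issuers = {_norm(e) for c, e in rows if _norm(c) == "issuer"}
    reasons = []

    shared = subjects & issuers
    if shared:
        reasons.append("issuer and subject share entity: " + ", ".join(sorted(shared)))
    obs = _norm(observable)
    if obs and any(obs in s for s in subjects) and any(obs in i for i in issuers):
        reasons.append("observable name appears in both subject and issuer")
    known_ca = _norm(issuer_org) in KNOWN_PUBLIC_CA_ORGS
    if not known_ca:
        reasons.append("issuer organization is empty or not an allowlisted CA")

    if shared and not known_ca:
        return "possible-self-signed", reasons
    if known_ca and not shared:
        return "likely-ca-issued", reasons
    # Allowlisted name but issuer == subject, or distinct but unknown issuer.
    return "needs-review", reasons


# Constructed sample rows modelled on the two entries described on this page.
CA_ISSUED_ROWS = [("Subject", "www.example.com"), ("Issuer", "R3"),
                  ("Issuer", "Let's Encrypt")]
SELF_SIGNED_ROWS = [("Subject", "dgtsbs.DGTNetworks.local"),
                    ("Issuer", "mail.dgtnetworks.com"),
                    ("Issuer", "dgtsbs.DGTNetworks.local")]

if __name__ == "__main__":
    print(triage(CA_ISSUED_ROWS, issuer_org="Let's Encrypt"))
    print(triage(SELF_SIGNED_ROWS, observable="dgtsbs"))
```

A `needs-review` verdict covers the cases the two examples do not: an allowlisted organization name on a certificate whose issuer equals its subject, or distinct entities with an unrecognized issuer.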