Certificate & SSL Harvesting
TLS certificates are full of hostnames. A cert’s Common Name (CN) and Subject Alternative Names (SANs) list every name the operator put on it — including internal names, dev hosts, and sibling domains that never show up in DNS enumeration or OSINT.
There are two angles: passively reading certificate transparency logs (covered on the Subdomain Enumeration page) and actively grabbing certs off live hosts. This page is the active side. It’s worth doing because it catches certs that were never logged to CT and certs served directly on IPs with no DNS name at all.
Harvest certs from hosts and IPs
Run an nmap service scan against the TLS ports and let the ssl-cert script dump the certificate details, then parse out the names. This is what Arsenic's as-domains-from-*-ssl-certs scripts do:

```bash
# Scan TLS ports on your resolved hosts (and on bare IPs); -sC runs the
# default script set, which includes ssl-cert for any TLS service found
nmap -p 443,8443,993,995,8080,8843 -sV -sC --open \
  -iL recon/ips/scope-combined.txt \
  -oA recon/ips/nmap-tls-check

# Extract CN + SAN entries from the nmap normal output.
# Anchor on "Subject: " so the issuer's commonName is not picked up, and
# stop at "/" so trailing organizationName= fields do not leak into the name.
# SAN lists can mix DNS:, IP Address: and email: entries; keep DNS: only.
{
  grep -ohP 'Subject: commonName=\K[^/]+' recon/ips/nmap-tls-check.nmap
  grep -ohP 'Subject Alternative Name: \K.+' recon/ips/nmap-tls-check.nmap \
    | tr ',' '\n' \
    | grep -oP '^\s*DNS:\K\S+'
} \
  | sed 's/^\*\.//' | tr 'A-Z' 'a-z' \
  | grep '\.' \
  | grep -vEf blacklist.txt \
  | sort -u \
  | tee recon/ips/ssl-cert-domains.txt
```
One-liner with httpx
httpx can grab and parse certs in one pass, which is faster than nmap when you only care about the names:

```bash
# -tls-grab adds a "tls" object to each JSON record with subject_cn and
# subject_an (the DNS SANs); jq flattens both into one name per line
httpx -l recon/ips/scope-combined.txt \
  -p 443,8443,8080,8843 \
  -tls-grab -json -silent \
  | jq -r '.tls.subject_an[]?, .tls.subject_cn?' \
  | sed 's/^\*\.//' | tr 'A-Z' 'a-z' | sort -u \
  | grep -vEf blacklist.txt \
  | tee recon/ips/ssl-cert-domains.txt
```
Feed it back into scope
Names from certs that sit under one of your root domains are new subdomains (or new roots) to add to scope:

```bash
# Keep only names ending in a known root, and append the ones not seen before
grep -E '\.(example\.com|example\.net)$' recon/ips/ssl-cert-domains.txt \
  | anew scope-domains-generated.txt
```
Then loop back to DNS Resolution to resolve the new names. Once a full discovery loop yields nothing new, move on to Host Discovery.
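The grep/sed pipeline above has two edge cases that are easy to get wrong: the nmap output also carries an issuer commonName (often a CA name like "R3"), and a SAN list can mix DNS, IP Address and email entries. The following Python parser is an added example, not code from the original page or from Arsenic; it does the same CN/SAN extraction, normalisation and root-domain filtering over a constructed nmap fragment and handles both cases explicitly. It is equally useful on the defensive side, run against a scan of your own perimeter, to inventory which internal or development hostnames your public certificates disclose. The sample output and the root domains are constructed.

```python
"""Parse nmap ssl-cert output into the hostnames the certificates disclose.

Added example, not from the original page or from Arsenic. The sample
nmap fragment and the root domains below are constructed.
"""
import re
from typing import Iterable, Set

# Constructed sample: a fragment of nmap -oN output for two hosts.
SAMPLE_NMAP = """\
Nmap scan report for 192.0.2.10
PORT     STATE SERVICE  VERSION
443/tcp  open  ssl/http nginx
| ssl-cert: Subject: commonName=*.Example.com/organizationName=Example Inc
| Subject Alternative Name: DNS:*.example.com, DNS:example.com, DNS:dev-api.example.com, IP Address:192.0.2.10, email:admin@example.com
| Issuer: commonName=R3/organizationName=Let's Encrypt/countryName=US
Nmap scan report for 192.0.2.11
PORT     STATE SERVICE  VERSION
8443/tcp open  ssl/http Apache httpd
| ssl-cert: Subject: commonName=intranet.corp.example.net
| Subject Alternative Name: DNS:intranet.corp.example.net, DNS:cdn.thirdparty.example.org
| Issuer: commonName=Example Internal CA
"""

# "Subject: " anchors on the subject line only, so the issuer CN is skipped;
# the match stops at "/" so "/organizationName=..." is not pulled in.
SUBJECT_CN = re.compile(r"Subject: commonName=([^/\n]+)")
SAN_LINE = re.compile(r"Subject Alternative Name: (.+)")
# Only DNS: entries are hostnames; "IP Address:" and "email:" are ignored.
DNS_ENTRY = re.compile(r"DNS:([^,\s]+)")


def normalize(name: str) -> str:
    """Lower-case and strip a leading wildcard label, like the sed/tr steps."""
    name = name.strip().lower()
    if name.startswith("*."):
        name = name[2:]
    return name


def cert_names(nmap_output: str) -> Set[str]:
    """Return every hostname disclosed by a subject CN or DNS SAN entry."""
    names: Set[str] = set()
    for m in SUBJECT_CN.finditer(nmap_output):
        names.add(normalize(m.group(1)))
    for m in SAN_LINE.finditer(nmap_output):
        for dns_name in DNS_ENTRY.findall(m.group(1)):
            names.add(normalize(dns_name))
    # Keep only dotted names, mirroring grep '\.' in the shell pipeline
    return {n for n in names if "." in n}


def in_scope(names: Iterable[str], roots: Iterable[str]) -> Set[str]:
    """Keep names equal to, or ending in, one of the given root domains."""
    roots = [r.lower() for r in roots]
    return {n for n in names if any(n == r or n.endswith("." + r) for r in roots)}


if __name__ == "__main__":
    found = cert_names(SAMPLE_NMAP)
    for name in sorted(in_scope(found, ["example.com", "example.net"])):
        print(name)
```

Run against a real `-oN` file by replacing `SAMPLE_NMAP` with the file contents; the out-of-scope `cdn.thirdparty.example.org` SAN and the issuer CN are dropped, while the wildcard `*.Example.com` collapses to `example.com`.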