Certificate & SSL Harvesting

Pull hostnames out of live TLS certificates to find assets nothing else surfaces.

TLS certificates are full of hostnames. A cert’s Common Name (CN) and Subject Alternative Names (SANs) list every name the operator put on it — including internal names, dev hosts, and sibling domains that never show up in DNS enumeration or OSINT.

There are two angles: passively reading certificate transparency logs (covered on the Subdomain Enumeration page) and actively grabbing certs off live hosts. This page is the active side. It’s worth doing because it catches certs that were never logged to CT and certs served directly on IPs with no DNS name at all.

Harvest certs from hosts and IPs

Run an nmap service scan against the TLS ports and let the ssl-cert script dump the certificate details, then parse out the names. This is what Arsenic’s as-domains-from-*-ssl-certs scripts do:

# Scan TLS ports on your resolved hosts (and on bare IPs)
nmap -p 443,8443,993,995,8080,8843 -sV -sC --open \
     -iL recon/ips/scope-combined.txt \
     -oA recon/ips/nmap-tls-check

# Extract CN + SAN entries from the nmap output. The CN is cut at the first '/' so the
# trailing /organizationName=... RDN fields are not swallowed; the SAN line is split on
# commas and only DNS: entries are kept (IP Address: entries are dropped).
{
  grep -ohP 'commonName=\K[^/]+'                recon/ips/nmap-tls-check.nmap
  grep -ohP 'Subject Alternative Name: \K.+'   recon/ips/nmap-tls-check.nmap \
    | tr ',' '\n' | sed -n 's/^ *DNS://p'
} \
  | sed 's/^\*\.//' | tr 'A-Z' 'a-z' \
  | grep '\.' \
  | grep -vEf blacklist.txt \
  | sort -u \
  | tee recon/ips/ssl-cert-domains.txt

One-liner with httpx

httpx can grab and parse certs in one pass — faster than nmap when you only care about the names:

httpx -l recon/ips/scope-combined.txt \
      -p 443,8443,8080,8843 \
      -tls-grab -json -silent \
  | jq -r '.tls.subject_an[]?, .tls.subject_cn? | select(. != null)' \
  | sed 's/^\*\.//' | tr 'A-Z' 'a-z' | sort -u \
  | grep -vEf blacklist.txt \
  | tee recon/ips/ssl-cert-domains.txt

Feed it back into scope

Any in-scope names the certs turned up are new subdomains (or roots) to add to the generated scope list:

grep -E '\.(example\.com|example\.net)$' recon/ips/ssl-cert-domains.txt \
  | anew scope-domains-generated.txt

Then loop back to DNS Resolution to resolve the new names. Once a full discovery loop yields nothing new, move on to Host Discovery.
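As an added, stand-alone example (not one of Arsenic's scripts), the shell below runs the same CN/SAN extraction and scope filtering over a constructed snippet of nmap ssl-cert output, covering the cases the one-liners above can mishandle: a CN line that carries trailing /organizationName RDN fields, an IP Address: SAN entry, a wildcard SAN, and mixed case. The sample scan output, the hostnames and IP in it, and the function names cert_names and in_scope are all constructed for this example; in_scope also accepts the bare apex domain, which the page's regex does not.

```shell
#!/bin/sh
# Added example, not part of the Arsenic project: parse hostnames out of nmap
# ssl-cert output and filter them against in-scope roots.
export LC_ALL=C   # deterministic sort order and byte-wise tr

# Constructed sample of `nmap -sC` ssl-cert output (not a real scan).
SAMPLE_NMAP='
Nmap scan report for 203.0.113.10
PORT     STATE SERVICE  VERSION
443/tcp  open  ssl/http nginx
| ssl-cert: Subject: commonName=WWW.Example.com/organizationName=Example Inc/countryName=US
| Subject Alternative Name: DNS:www.example.com, DNS:*.dev.example.com, DNS:api.example.net, IP Address:203.0.113.10
| Not valid before: 2025-01-01T00:00:00
|_Not valid after:  2026-01-01T00:00:00
8443/tcp open  ssl/http Apache
| ssl-cert: Subject: commonName=internal-git.corp.example.com
| Subject Alternative Name: DNS:internal-git.corp.example.com
'

# cert_names FILE: print one lowercase hostname per line from an nmap .nmap file.
# Wildcard prefixes are stripped, IP Address: SAN entries dropped, output deduplicated.
cert_names() {
  {
    # CN: capture up to the first '/' so trailing RDN fields are not included
    sed -n 's/.*commonName=\([^/]*\).*/\1/p' "$1"
    # SANs: split the comma-separated list and keep only DNS: entries
    sed -n 's/.*Subject Alternative Name: //p' "$1" \
      | tr ',' '\n' \
      | sed -n 's/^ *DNS://p'
  } \
    | sed 's/^\*\.//' \
    | tr 'A-Z' 'a-z' \
    | grep '\.' \
    | sort -u
}

# in_scope ROOT...: read hostnames on stdin, print those under (or equal to) any root.
in_scope() {
  # Build an alternation of the roots with dots escaped, e.g. example\.com|example\.net
  roots=$(printf '%s\n' "$@" | sed 's/\./\\./g' | paste -s -d '|' -)
  grep -E "(^|\.)(${roots})$"
}

# Stand-alone demo: write the constructed sample to a temp file and run both steps.
sample=$(mktemp)
printf '%s\n' "$SAMPLE_NMAP" > "$sample"
echo "# all names on the certs:"
cert_names "$sample"
echo "# in scope for example.com:"
cert_names "$sample" | in_scope example.com
rm -f "$sample"
```

On the sample, cert_names yields four names (the CN's trailing RDNs and the IP Address entry are gone, the wildcard SAN becomes dev.example.com), and in_scope example.com drops api.example.net. Swap the sed calls for the page's `grep -ohP` forms if you prefer GNU grep; sed is used here only so the example runs on a POSIX sh without PCRE support.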

Last modified July 4, 2026: Post/mobi (#71) (ff64902)