2026-03-25
What Does an SSL Certificate Tell You? Reading TLS Cert Data
Every HTTPS website presents an SSL/TLS certificate when you connect to it. Most people only notice the padlock in their browser — but certificates contain a wealth of structured information that's directly useful for developers building security tooling, fraud detection, and infrastructure checks.
What's inside a TLS certificate?
Subject
The entity the certificate was issued to. For a standard domain certificate this is the domain name itself. For EV (Extended Validation) certificates this also includes the legal organisation name and country.
Issuer
The Certificate Authority (CA) that signed and issued the certificate. Common issuers include:
- Let's Encrypt — free, automated, widely used by developers and smaller sites
- DigiCert — major commercial CA, used by large enterprises
- Sectigo — formerly Comodo, common on commercial hosting
- Google Trust Services — used by Google properties
The issuer can tell you a lot about a site's operator. A phishing site is very unlikely to have a DigiCert OV certificate (which requires identity verification), but may well have a Let's Encrypt cert (which only validates domain control).
Validity window
Certificates have a valid_from and valid_to date. Since 2020, most certificates have a maximum lifetime of 398 days. Checking validity is useful for:
- Monitoring your own certificates for impending expiry
- Detecting very recently issued certs on suspicious domains
- Checking that a certificate isn't expired before trusting a host
Subject Alternative Names (SANs)
The SAN extension lists all hostnames the certificate is valid for. A single certificate might cover example.com, www.example.com, and api.example.com. Wildcard SANs like *.example.com cover all first-level subdomains.
SANs are useful for discovering related infrastructure — if you check a domain's certificate, you may find subdomains you didn't know existed listed in the SAN field.
Certificate transparency logs
Every publicly trusted certificate is logged to Certificate Transparency (CT) logs — public, append-only records of every cert issued. This means you can find all certificates ever issued for a domain, which is useful for subdomain discovery and monitoring for unauthorised certificate issuance.
What a cert can't tell you
A certificate only proves that someone controlled the domain at issuance time. Domain Validation (DV) certificates — which is what Let's Encrypt issues — only verify that the applicant controls the domain, not who they are. An HTTPS padlock does not mean a site is legitimate or safe.
Reading cert data via API
Fetching and parsing TLS certificates programmatically requires connecting to the host and reading the handshake. ResolvDNS handles this for you:
GET https://api.resolvdns.net/domain/stripe.com/ssl
X-API-Key: zr_your_key
Response:
{
"issuer": "DigiCert Inc",
"subject": "stripe.com",
"valid_from": "2025-04-01",
"valid_to": "2026-04-01",
"valid": true,
"san": ["stripe.com", "www.stripe.com", "api.stripe.com"]
}
Practical uses in security tooling
- Certificate expiry monitoring — alert when a cert is within 30 days of expiry
- Phishing detection — flag domains with brand-new Let's Encrypt certs that resemble known brands
- Subdomain enumeration — use SANs and CT logs to map attack surface
- Compliance checks — verify that external vendors and partners maintain valid HTTPS
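The checks listed above, applied to a record in the shape of the API response shown earlier, as an added example that is not part of the original article or the ResolvDNS client: it matches a hostname against the SAN list (with the first-level-only wildcard rule), flags expiry within 30 days, flags very recent issuance (the 7-day window is an assumed threshold), and checks the lifetime against the 398-day maximum the article cites. The sample record is constructed, not live data.

```python
from datetime import date

# Constructed sample in the shape of the API response above (not live data).
SAMPLE_CERT = {
    "issuer": "DigiCert Inc",
    "subject": "stripe.com",
    "valid_from": "2025-04-01",
    "valid_to": "2026-04-01",
    "valid": True,
    "san": ["stripe.com", "www.stripe.com", "api.stripe.com"],
}

def san_matches(hostname, san_entries):
    """True if hostname is covered by a SAN entry. A wildcard such as
    *.example.com covers exactly one label: api.example.com matches,
    example.com and a.b.example.com do not."""
    host = hostname.lower().rstrip(".")
    for entry in san_entries:
        entry = entry.lower().rstrip(".")
        if entry.startswith("*."):
            suffix = entry[1:]  # ".example.com"
            if host.endswith(suffix):
                left = host[: -len(suffix)]
                if left and "." not in left:
                    return True
        elif entry == host:
            return True
    return False

def assess_cert(cert, hostname, today, expiry_warn_days=30, new_cert_days=7):
    """Run the article's checks over one cert record. 'today' (ISO string
    or date) is passed in so results are reproducible; the 7-day
    'recently issued' window is an assumed threshold, not the article's."""
    today = date.fromisoformat(today) if isinstance(today, str) else today
    valid_from = date.fromisoformat(cert["valid_from"])
    valid_to = date.fromisoformat(cert["valid_to"])
    days_left = (valid_to - today).days
    age = (today - valid_from).days
    lifetime = (valid_to - valid_from).days
    return {
        "hostname_covered": san_matches(hostname, cert.get("san", [])),
        "expired": today > valid_to,
        "not_yet_valid": today < valid_from,
        "expiring_soon": 0 <= days_left <= expiry_warn_days,
        "recently_issued": 0 <= age <= new_cert_days,
        "lifetime_days": lifetime,
        "exceeds_398_days": lifetime > 398,  # beyond the maximum the article cites
        "days_left": days_left,
    }
```

Feed it the parsed JSON from the API call and a sample date; an expired or not-yet-valid record reports `expiring_soon` as False because `days_left` is outside the 0..30 window.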