Skip to content
QCecuring

Relationships

Relationships

Section titled “Relationships”

The Relationships page renders an interactive SVG graph showing how cryptographic assets relate to each other — issuer chains, key-to-certificate associations, keystore containment, and signer relationships.

hidden Relationship graph showing certificate chain with issuer connections and keystore containment

Relationship Types

Section titled “Relationship Types”

The graph visualizes four types of relationships:

Issuer Chain

Section titled “Issuer Chain”

Certificates linked to their issuing CA certificate. Forms a tree from leaf certificates up to root CAs.

Leaf Cert → Intermediate CA → Root CA

Key Association

Section titled “Key Association”

Private keys or public keys linked to their corresponding certificate.

Private Key ↔ Certificate

Keystore Containment

Section titled “Keystore Containment”

Assets contained within a keystore (JKS, PKCS#12). The keystore is the parent; certificates and keys inside are children.

Keystore (JKS)
  ├── Certificate
  ├── Private Key
  └── Certificate (CA)

Signer Relationship

Section titled “Signer Relationship”

Code signatures linked to the certificate that signed them.

Signature → Signing Certificate

Graph Interaction

Section titled “Graph Interaction”

The SVG graph supports:

  • Pan and zoom — Navigate large relationship graphs
  • Node click — Select an asset to view its details
  • Hover — See asset name and type
  • Layout — Automatic hierarchical layout (issuers above, children below)

How Relationships Are Built

Section titled “How Relationships Are Built”

The RelationshipLinkerService in the API automatically establishes relationships during asset ingestion:

  1. Issuer matching — Compares certificate issuer DN with subject DN of other certificates
  2. Fingerprint linking — Uses parentFingerprint and relatedFingerprints fields set by sensors
  3. Keystore parsing — When a sensor scans a JKS/P12 file, it sets the keystore as parent of contained entries
  4. Key-cert pairing — Matches public key fingerprints between certificates and standalone keys

These relationships are stored on the CryptoAsset document:

{
  "fingerprint": "abc123...",
  "parentFingerprint": "keystore-fp-456...",
  "relatedFingerprints": ["cert-fp-789..."],
  "properties": {
    "issuerCertFingerprint": "issuer-fp-012..."
  }
}

Filtering the Graph

Section titled “Filtering the Graph”

Filter which assets appear in the relationship view:

  • By asset type (show only certificates, or certificates + keys)
  • By scanner source
  • By risk level
  • By specific asset (show all relationships for a selected asset)

hidden Relationship graph filter panel

CycloneDX Dependencies

Section titled “CycloneDX Dependencies”

The relationships visualized here map directly to the dependencies section in CycloneDX export:

{
  "dependencies": [
    {
      "ref": "leaf-cert-fingerprint",
      "dependsOn": ["issuer-cert-fingerprint"]
    },
    {
      "ref": "private-key-fingerprint",
      "dependsOn": ["cert-fingerprint"]
    }
  ]
}

Import/Export for CycloneDX export details.

Section titled “Related”