
HTTPS Endpoint Scanner

The HTTPS Endpoint Scanner connects to TLS-enabled endpoints to extract the full certificate chain, public keys, negotiated cipher suite, and TLS protocol version.

The scanner targets any host:port combination that accepts TLS connections: web servers, APIs, load balancers, internal microservices, payment gateways, and any other HTTPS-enabled endpoint.

  1. Opens an SSLSocket connection to the target host:port
  2. Uses a trust-all TrustManager (accepts any certificate, including self-signed)
  3. Performs the TLS handshake
  4. Extracts the full certificate chain from the server
  5. Captures the negotiated cipher suite and TLS protocol version
  6. Parses each certificate for detailed metadata

The scanner does not validate trust — it captures what’s presented regardless of CA trust status. This ensures discovery of self-signed, expired, and internally-issued certificates.

```yaml
scanners:
  https-endpoint:
    - endpoints:
        - api.example.com:443
        - internal.service.local:8443
        - payment-gateway.prod:443
      timeoutMs: 10000
```
| Parameter | Required | Default | Description |
|-----------|----------|---------|-------------|
| endpoints | Yes | | List of host:port targets |
| timeoutMs | No | 10000 | Connection timeout in milliseconds |
| Asset Type | What's Captured |
|------------|-----------------|
| certificate | subject, issuer, serialNumber, signatureAlgorithm, notValidBefore, notValidAfter, isCA, isSelfSigned, keyUsage, SAN entries |
| public-key | Algorithm, key size, key bytes (extracted from certificate) |
| protocol | TLS version (1.2/1.3), negotiated cipher suite, all enabled cipher suites |

Each certificate is deduplicated using the SHA-256 hash of the DER-encoded certificate bytes. If the same certificate is served by multiple endpoints, it appears once in inventory with references to all endpoints where it was found.
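The handshake-and-capture sequence described above, together with the SHA-256 deduplication of DER bytes, as an added Java example (not the scanner's own source). It assumes reachable endpoints passed as host:port arguments on the command line; the class and method names are illustrative.

```java
import javax.net.ssl.*;
import java.net.InetSocketAddress;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.*;

public class HttpsEndpointProbe {
    // Trust-all manager: the probe records what the server presents and makes
    // no trust decision. It is scoped to this discovery socket only.
    private static final TrustManager[] TRUST_ALL = { new X509TrustManager() {
        public void checkClientTrusted(X509Certificate[] c, String a) {}
        public void checkServerTrusted(X509Certificate[] c, String a) {}
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }};

    // Inventory keyed by sha256 fingerprint -> every endpoint that served that cert
    private final Map<String, Set<String>> inventory = new TreeMap<>();

    public void probe(String host, int port, int timeoutMs) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, TRUST_ALL, null);
        try (SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket()) {
            sock.connect(new InetSocketAddress(host, port), timeoutMs);
            sock.setSoTimeout(timeoutMs);
            SSLParameters params = sock.getSSLParameters();
            List<SNIServerName> names = List.of(new SNIHostName(host)); // SNI so virtual hosts answer correctly
            params.setServerNames(names);
            sock.setSSLParameters(params);
            sock.startHandshake();
            SSLSession session = sock.getSession();
            System.out.printf("%s:%d protocol=%s cipher=%s%n", host, port,
                    session.getProtocol(), session.getCipherSuite());
            for (Certificate c : session.getPeerCertificates()) {      // leaf first, then chain
                X509Certificate x = (X509Certificate) c;
                String fp = fingerprint(x.getEncoded());                // SHA-256 over DER bytes
                inventory.computeIfAbsent(fp, k -> new TreeSet<>()).add(host + ":" + port);
                boolean selfSigned = x.getSubjectX500Principal().equals(x.getIssuerX500Principal());
                System.out.printf("  %s subject=%s notAfter=%s selfSigned=%b%n",
                        fp, x.getSubjectX500Principal(), x.getNotAfter(), selfSigned);
            }
        }
    }

    static String fingerprint(byte[] der) throws Exception {
        StringBuilder sb = new StringBuilder("sha256:");
        for (byte b : MessageDigest.getInstance("SHA-256").digest(der)) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        HttpsEndpointProbe probe = new HttpsEndpointProbe();
        for (String ep : args) { String[] hp = ep.split(":"); probe.probe(hp[0], Integer.parseInt(hp[1]), 10000); }
        probe.inventory.forEach((fp, eps) -> System.out.println(fp + " served by " + eps)); // one row per unique cert
    }
}
```

A certificate served by several endpoints produces one inventory row listing all of them, which is the deduplication behaviour the section describes.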

  • Discover all TLS certificates across your web services, APIs, and internal endpoints
  • Identify expiring certificates before they cause outages
  • Find weak protocols — endpoints still using TLS 1.0/1.1 or weak cipher suites
  • Detect self-signed certificates in production environments
```json
{
  "type": "certificate",
  "fingerprint": "sha256:a1b2c3d4e5f6...",
  "subject": "CN=api.example.com",
  "issuer": "CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US",
  "serialNumber": "03:a1:b2:c3:d4:e5:f6:...",
  "signatureAlgorithm": "SHA256withRSA",
  "notValidBefore": "2024-01-15T00:00:00Z",
  "notValidAfter": "2024-04-15T00:00:00Z",
  "isCA": false,
  "isSelfSigned": false,
  "keyUsage": ["digitalSignature", "keyEncipherment"],
  "san": ["api.example.com", "*.api.example.com"],
  "source": {
    "scanner": "https-endpoint",
    "endpoint": "api.example.com:443"
  }
}
```
