RISKIQ SSL certificate lookups that return an exact match
Summary of RISKIQ SSL certificate lookups that return an exact match
RISKIQ SSL certificate lookups in ServiceNow display exact match results on the SSL Certificates tab of a security incident record. These results help security analysts verify the validity of SSL certificates by providing detailed information about the certificate issuer and the certificate itself.
Key Features
- Exact Match Results: Show a valid certificate authority (CA) name, aiding in determining whether a website’s SSL certificate is trustworthy.
- Tabbed Forms View: To view results as described, ServiceNow’s Tabbed forms setting must be enabled in System Settings under Forms.
- Detailed Certificate Information: The SSL Certificates tab lists issuer names, issuer organizations, and the entities to which certificates are issued, along with other relevant data.
- Raw Data Access: Selecting an issuer entry opens a detailed SSL Certificate Entry record, including raw data with entity names, categories, subjects, and issuers for deeper analysis.
Key Outcomes
- Validation of Trusted Certificates: For certificates issued by a recognized public CA (for example, Let's Encrypt), the Issuer and Subject entities differ, which shows the certificate is not self-signed; the recognized CA name is what shows it was issued by a trusted authority.
- Identification of Self-Signed Certificates: Certificates where the Issuer and Subject are the same entity, and that entity is not a recognized CA, are self-signed. These may require further investigation because they are not issued by a known trusted authority.
Practical Use for ServiceNow Customers
By leveraging RISKIQ SSL certificate lookups within security incidents, ServiceNow customers can efficiently validate SSL certificates involved in incidents. This enables analysts to distinguish between trusted certificates and potentially risky self-signed certificates, improving incident response and trust assessment processes.
RISKIQ SSL certificate lookup results for an exact match are displayed on the SSL Certificates tab of the security incident record. An exact match provides the certificate authority name, which helps a security incident analyst judge whether the certificate presented by a website was issued by a trusted authority.
Exact match for a valid SSL certificate
The following example shows a valid issuer of an SSL certificate from an exact match in the lookup results. Follow the steps to view the results and raw data.
- In the upper-right corner of the banner frame, select the Settings icon.
- In the System Settings dialog box that is displayed, select Forms and verify that Tabbed forms and With the Form are selected.
- In the security incident record, select the SSL Certificates tab.
Information about the certificate issuer's name, the issuer's organization, and who the certificate is issued to (Organization) is displayed along with other data.
18 items are displayed in the Issuer Name column. The second item (R3) provides a valid certificate authority name (Let's Encrypt) in the Issuer Organization column.
No information is displayed in the Issuer Organization and Issued to columns for the mail.dgtnetworks.com item.
- Select the R3 item in the Issuer Name column to open the entry record. Alternatively, select the information icon next to the item, and then select Open record.
- Select the Raw Data tab.
The SSL Certificate Entry record lists the observable in the Entity name column of the Raw Data tab, along with other data.
Note that in the Category column, the Subject and Issuer rows correspond to recognizable entities in the Entity name column. The issuer of this certificate is most likely a trusted public certificate authority. Also note that the Subject and Issuer are different entities, which shows the certificate is not self-signed. On its own, a Subject that differs from the Issuer does not prove the issuer is public: an internal certificate authority also issues certificates whose Subject differs from the Issuer, so the issuer name still has to be one you recognize as a public CA.
Exact match for a self-signed SSL Certificate
The following example shows results for a self-signed SSL certificate from the lookup. Follow the steps to view the results and raw data.
- Navigate back to the security incident record. In the Issuer Name column, select the other item (mail.dgtnetworks.com).
- On the open record, select the Raw Data tab.
The Category column shows that the Issuer entities (mail.dgtnetworks.com and dgtsbs.DGTNetworks.local) are not trusted public certificate authorities. Also note that the Issuer and Subject are the same entity (dgtsbs.DGTNetworks.local), and that each contains the name of the observable (dgtsbs). This certificate is probably self-signed. Self-signed certificates may warrant further investigation, because they are not issued by a known certificate authority.
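The two checks walked through by hand above (valid certificate: Subject and Issuer differ and the issuer is a recognized CA; self-signed: Subject and Issuer are the same entity and not a recognized CA) can be encoded as a triage routine over the (Category, Entity name) rows of the Raw Data tab. The following is an added example, not ServiceNow or RiskIQ code. The sample rows are constructed to mirror the two results described on this page; the Subject hostname of the Let's Encrypt certificate, the KNOWN_PUBLIC_CAS list and the INTERNAL_SUFFIXES list are assumptions. It also covers one case the page does not show: a public CA root certificate is self-signed by design, so a shared Subject/Issuer whose issuer is a recognized public CA is reported as a trust anchor rather than as a suspicious self-signed certificate.

```python
"""Triage of the Raw Data rows from an SSL certificate lookup.

Added example; this is not ServiceNow or RiskIQ code.  It encodes the two
checks the page walks through by hand: (1) are the Subject and Issuer the
same entity, and (2) is the issuer a recognized public CA.  The sample rows,
KNOWN_PUBLIC_CAS and INTERNAL_SUFFIXES are constructed for the example.
"""

# Assumption: an illustrative subset of public CA organization names,
# lower-cased for matching.  In practice, source this from a maintained
# trust store (for example, the browser root programs) rather than a literal.
KNOWN_PUBLIC_CAS = {
    "let's encrypt",
    "internet security research group",   # organization on ISRG Root X1
    "digicert inc",
    "globalsign",
}

# Assumption: DNS suffixes that only resolve on an internal network.
INTERNAL_SUFFIXES = (".local", ".internal", ".lan")


def triage(raw_rows, known_cas=KNOWN_PUBLIC_CAS):
    """Classify one SSL Certificate Entry from its (Category, Entity name) rows.

    raw_rows: iterable of (category, entity_name) pairs as shown on the Raw
    Data tab, e.g. ("Issuer", "R3").  Returns a dict with a verdict and the
    evidence behind it, so an analyst can see why an entry was flagged.
    """
    rows = [(cat.strip().lower(), name.strip()) for cat, name in raw_rows]
    subjects = {name for cat, name in rows if cat == "subject"}
    issuers = {name for cat, name in rows if cat == "issuer"}

    issuers_lc = {i.lower() for i in issuers}
    # Entities that appear as both Subject and Issuer (the self-signed signal).
    shared = sorted(s for s in subjects if s.lower() in issuers_lc)
    # Issuer entities that match a recognized public CA organization.
    public_issuers = sorted(i for i in issuers if i.lower() in known_cas)
    # Issuer entities whose name lives in an internal-only DNS suffix.
    internal_issuers = sorted(i for i in issuers if i.lower().endswith(INTERNAL_SUFFIXES))

    flags = []
    if internal_issuers:
        flags.append("issuer in internal DNS suffix")
    if not issuers:
        flags.append("no issuer entity in raw data")

    if shared and public_issuers:
        # A root (trust anchor) certificate is self-signed by design; it is
        # not the rogue-leaf pattern the page warns about.
        verdict = "public-ca-root"
    elif shared:
        verdict = "self-signed"
    elif public_issuers:
        verdict = "public-ca"
    else:
        # Subject and Issuer differ, but nobody we recognize signed it:
        # an internal CA, or a CA that is missing from the known list.
        verdict = "unknown-or-private-ca"

    return {
        "verdict": verdict,
        "subjects": sorted(subjects),
        "issuers": sorted(issuers),
        "shared_entities": shared,
        "public_issuers": public_issuers,
        "flags": flags,
    }


# Constructed rows mirroring the two results described on the page.  The
# Subject of the Let's Encrypt certificate is not named on the page; the
# hostname below is an assumption.
LETSENCRYPT_ROWS = [
    ("Subject", "www.example.com"),
    ("Issuer", "R3"),
    ("Issuer", "Let's Encrypt"),
]

DGT_ROWS = [
    ("Subject", "dgtsbs.DGTNetworks.local"),
    ("Issuer", "mail.dgtnetworks.com"),
    ("Issuer", "dgtsbs.DGTNetworks.local"),
]

if __name__ == "__main__":
    for label, entry_rows in (("R3 entry", LETSENCRYPT_ROWS), ("dgtsbs entry", DGT_ROWS)):
        result = triage(entry_rows)
        print(f"{label}: {result['verdict']}  shared={result['shared_entities']}  flags={result['flags']}")
```

The routine matches on the Issuer Organization entity (Let's Encrypt), not on the intermediate's common name (R3), because organization names are what a trust store lists; if the raw data for an entry carries only the intermediate's common name, the entry falls through to unknown-or-private-ca and deserves a manual look rather than a silent pass.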