why_it_matters="A numbered CN family usually signals a reusable service rail rather than a one-off branded page. It tends to expose fleet-style naming, repeated validity cycles, and many sibling hostnames.",
why_it_matters="A large SAN set with environment-style labels usually means one certificate is covering a coordinated platform surface across test, release, support, or tenant slices.",
evidence=[
f"SAN entries: {len(hit.san_entries)}.",
f"Distinct DNS zones in SAN set: {len(zones)}.",
f"Environment tokens visible in Subject CN: {env_token_count(hit.subject_cn)}.",
f"First DNS zones in SAN set: {', '.join(zones[:6])}.",
why_it_matters="A two-name SAN pairing of the apex hostname with its www form is usually a deliberate customer-facing presentation rule rather than an internal platform rail.",
why_it_matters="When one certificate spans several DNS zones, it often reveals a shared service or a migration bridge between branded fronts and underlying service domains.",
f"{len(hits)} current leaf certificates are in scope after local leaf-only verification.",
f"{len(groups)} CN families reduce the raw certificate list into readable naming clusters.",
f"{purpose_summary.category_counts.get('tls_server_only',0)} certificates are strict server-auth and {purpose_summary.category_counts.get('tls_server_and_client',0)} also allow client auth.",
f"{len(report['unique_dns_names'])} unique DNS SAN names were scanned live; the estate collapses into a small number of recurring delivery stacks.",
"The strongest overall reading is a layered operating model: branded public names on top, reusable service rails underneath, and cloud or vendor delivery platforms at the edge.",
]
)
)
lines.append("")
lines.append("## Chapter 1: Method, Integrity, and How To Read This")
lines.append("")
lines.append("**Management Summary**")
lines.append("")
lines.extend(
md_bullets(
[
f"The scan now fails fast if the candidate cap is lower than the live raw match count. Current raw counts: {', '.join(f'{domain}={count}' for domain, count in report['raw_match_counts'].items())}.",
f"The live candidate cap used for this run was {report['cap']}, which is safely above the current raw counts.",
f"Leaf-only verification kept {report['verification'].unique_leaf_certificates} certificates and filtered {report['verification'].non_leaf_filtered} CA-style certificates and {report['verification'].precertificate_poison_filtered} precertificate-poison objects.",
f"Every certificate in scope still contains at least one DNS SAN containing one of the configured search terms; exceptions found: {report['missing_matching_san']}.",
]
)
)
lines.append("")
lines.append("Certificate Transparency is the public logging layer for issued certificates. The scan starts there, then reads the actual X.509 certificate bytes, verifies that each object is a real leaf certificate, extracts SAN and Subject CN values, checks revocation state from crt.sh data, and then scans the DNS names seen in SANs.")
lines.append("")
lines.append("A **Subject CN** is the traditional primary name in a certificate. A **SAN** list is the modern list of all names the certificate covers. A **leaf certificate** is the endpoint certificate presented by a service, as distinct from a CA certificate used to sign other certificates.")
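The three integrity checks this chapter describes (candidate-cap fail-fast, leaf-only verification, and the matching-SAN check), as an added example rather than the report generator's own code. It assumes certificate records have already been parsed into a `CertRecord` whose `extensions` dict is keyed by OID; the real pipeline derives these from the X.509 bytes fetched from crt.sh. All hostnames below are constructed samples.

```python
# Added example, not the report generator's own code: the Chapter 1 integrity
# checks over constructed certificate records.
# Assumption: `extensions` is an OID-keyed dict of already-parsed values.
from dataclasses import dataclass, field

BASIC_CONSTRAINTS_OID = "2.5.29.19"          # X.509 basicConstraints
CT_POISON_OID = "1.3.6.1.4.1.11129.2.4.3"     # RFC 6962 precertificate poison


@dataclass
class CertRecord:
    subject_cn: str
    san_entries: list
    extensions: dict = field(default_factory=dict)


class CapTooLow(RuntimeError):
    """Raised when the candidate cap would silently truncate live results."""


def cap_shortfalls(cap, raw_match_counts):
    """Search terms whose live raw match count exceeds the cap."""
    return {term: n for term, n in raw_match_counts.items() if n > cap}


def check_cap(cap, raw_match_counts):
    """Fail fast instead of reporting on a silently truncated corpus."""
    short = cap_shortfalls(cap, raw_match_counts)
    if short:
        raise CapTooLow(f"cap {cap} is below live raw counts: {short}")
    return cap


def verify_leaf_only(records):
    """Keep endpoint certificates; count what was filtered and why."""
    kept, non_leaf, poison = [], 0, 0
    for rec in records:
        if CT_POISON_OID in rec.extensions:
            poison += 1                       # precertificate, never served by an endpoint
        elif (rec.extensions.get(BASIC_CONSTRAINTS_OID) or {}).get("ca"):
            non_leaf += 1                     # CA certificate, signs others
        else:
            kept.append(rec)
    return kept, non_leaf, poison


def missing_matching_san(records, search_terms):
    """CNs of certificates with no DNS SAN containing any configured search term."""
    terms = [t.lower() for t in search_terms]
    return [rec.subject_cn for rec in records
            if not any(t in san.lower() for san in rec.san_entries for t in terms)]


# Constructed sample corpus: two leaves, one CA, one precertificate.
SAMPLE_RECORDS = [
    CertRecord("app.example.org", ["app.example.org"], {BASIC_CONSTRAINTS_OID: {"ca": False}}),
    CertRecord("unrelated.test", ["unrelated.test"]),
    CertRecord("Example Issuing CA", [], {BASIC_CONSTRAINTS_OID: {"ca": True}}),
    CertRecord("pre.example.org", ["pre.example.org"], {CT_POISON_OID: b"\x05\x00"}),
]

if __name__ == "__main__":
    check_cap(100, {"example": 42})
    kept, non_leaf, poison = verify_leaf_only(SAMPLE_RECORDS)
    print(len(kept), non_leaf, poison, missing_matching_san(kept, ["example"]))
```

The poison check runs before the CA check because a precertificate is a distinct logged object (RFC 6962 requires the critical poison extension) and must not be counted as either a leaf or a CA, which is what makes the `non_leaf_filtered` and `precertificate_poison_filtered` figures in the summary additive.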
lines.append("")
lines.append("## Chapter 2: Certificate Corpus")
lines.append("")
lines.append("**Management Summary**")
lines.append("")
lines.extend(
md_bullets(
[
f"The issuer landscape is concentrated: {', '.join(f'{name} ({count})' for name, count in report['issuer_family_counts'].most_common())}.",
f"Revocation mix: {rev_counts.get('not_revoked',0)} not revoked, {rev_counts.get('revoked',0)} revoked, {rev_counts.get('unknown',0)} unknown.",
f"Purpose split: {purpose_summary.category_counts.get('tls_server_only',0)} server-only, {purpose_summary.category_counts.get('tls_server_and_client',0)} server+client, and zero client-only, S/MIME, or code-signing certificates.",
f"All {len(hits)} Subject CN values appear literally in the SAN DNS set.",
]
)
)
lines.append("")
lines.append("An **issuer CA** is the certificate authority that signed the endpoint certificate. A **WebPKI-trusted** issuer is one that browsers and operating systems currently trust for public TLS. In this corpus, all visible issuers are live server-auth issuers in the public trust ecosystem.")
lines.append(
"An **Extended Key Usage (EKU)** value tells software what the certificate is allowed to do. "
f"Here the estate is entirely TLS-capable. The only nuance is that {purpose_summary.category_counts.get('tls_server_and_client',0)} certificates also allow `clientAuth`. "
"That does not by itself prove a separate client-certificate estate; in context, they still look like hostname certificates issued from a permissive or older server template."
)
lines.append("")
lines.append("## Chapter 3: Naming Architecture")
lines.append("")
lines.append("**Management Summary**")
lines.append("")
lines.extend(
md_bullets(
[
f"{len(report['numbered_groups'])} numbered CN families point to reusable service rails rather than one-off pages.",
f"{report['public_www_pair_count']} certificates use the clean public front-door pattern of a base name paired with `www`.",
f"{report['multi_zone_hit_count']} certificates span more than one DNS zone in SAN, which is usually a sign of shared platforms, migrations, or multi-brand exposure.",
f"Most common suffixes: {', '.join(f'{suffix} ({count})' for suffix, count in report['top_suffixes'])}.",
]
)
)
lines.append("")
lines.append("Hostnames often look arbitrary because they are doing several jobs at once. Some names are for customers, some are for engineers, some encode environment state, and some preserve older platform lineage because renaming working infrastructure is costly.")
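The naming heuristics behind this chapter's bullets (numbered CN families, apex-plus-`www` pairs, multi-zone SAN sets, environment tokens, top suffixes), as an added example that is not the report generator's own code. It assumes a `Hit` carries only `subject_cn` and `san_entries`, and it approximates a DNS zone by the last two labels rather than a Public Suffix List lookup, so names under multi-label suffixes such as `co.uk` would be grouped too coarsely by this simplification. The hostnames are constructed samples.

```python
# Added example, not the report generator's own code: Chapter 3 naming
# heuristics over constructed hits. The zone approximation (last two labels)
# is a deliberate simplification of a Public Suffix List lookup.
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Environment-style labels the heuristic recognises (constructed list)
ENV_TOKENS = {"dev", "test", "qa", "uat", "stg", "staging", "preprod", "prod"}


@dataclass
class Hit:
    subject_cn: str
    san_entries: list


def zone_of(host):
    """Approximate registrable zone: last two DNS labels."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def family_key(cn):
    """Collapse digit runs in the first label so web01/web02 share a key."""
    first, _, rest = cn.lower().partition(".")
    return re.sub(r"\d+", "#", first) + ("." + rest if rest else "")


def numbered_groups(hits):
    """Families with a numeric slot and more than one member: service rails."""
    groups = defaultdict(list)
    for h in hits:
        groups[family_key(h.subject_cn)].append(h.subject_cn)
    return {k: sorted(v) for k, v in groups.items() if "#" in k and len(v) > 1}


def is_public_www_pair(hit):
    """SAN set is exactly the apex name plus its www form."""
    names = {s.lower() for s in hit.san_entries}
    apex = hit.subject_cn.lower().removeprefix("www.")
    return names == {apex, "www." + apex}


def san_zones(hit):
    """Distinct zones covered by one certificate's SAN set."""
    return sorted({zone_of(s) for s in hit.san_entries})


def multi_zone_hits(hits):
    return [h for h in hits if len(san_zones(h)) > 1]


def env_token_count(host):
    """Count environment-style tokens split on '.' and '-'."""
    return sum(1 for t in re.split(r"[.-]", host.lower()) if t in ENV_TOKENS)


def top_suffixes(hits, n=5):
    return Counter(zone_of(s) for h in hits for s in h.san_entries).most_common(n)


# Constructed sample hits: a numbered rail, a clean public front door,
# and an environment-labelled multi-zone platform certificate.
SAMPLE_HITS = [
    Hit("web01.example.org", ["web01.example.org"]),
    Hit("web02.example.org", ["web02.example.org"]),
    Hit("web03.example.org", ["web03.example.org", "web03.internal.test"]),
    Hit("example.org", ["example.org", "www.example.org"]),
    Hit("dev-portal.example.org",
        ["dev-portal.example.org", "uat-portal.example.org", "portal.example.net"]),
]

if __name__ == "__main__":
    print(numbered_groups(SAMPLE_HITS))
    print(sum(is_public_www_pair(h) for h in SAMPLE_HITS), "www pairs")
    print([h.subject_cn for h in multi_zone_hits(SAMPLE_HITS)], "multi-zone")
    print(top_suffixes(SAMPLE_HITS))
```

Each heuristic is a pure function over one hit or the hit list, so the chapter's `numbered_groups`, `public_www_pair_count`, `multi_zone_hit_count`, and `top_suffixes` figures can be recomputed and spot-checked independently of the report text.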
"The DNS layer turns a large hostname set into a smaller number of delivery stacks: CDN edges, API gateways, load balancers, and specialist vendor platforms.",
]
)
)
lines.append("")
lines.append("A **CNAME** is a DNS alias, meaning one hostname points to another hostname. An **A** or **AAAA** record is the final address mapping. An **NXDOMAIN** response means the public DNS name does not exist at the moment of the scan. That does not automatically invalidate the certificate-side finding, because certificate and DNS lifecycles can move at different speeds.")
lines.append("## Chapter 5: Where The Certificate View and DNS View Meet")
lines.append("")
lines.append("**Management Summary**")
lines.append("")
lines.extend(
md_bullets(
[
"The certificate layer describes naming and trust; the DNS layer describes delivery and reachability. The same estate becomes legible only when both are read together.",
"Numbered CN families usually behave like shared operational rails in certificates and collapse into repeatable delivery stacks in DNS.",
"Cleaner public names tend to be the presentation layer, while denser SAN sets and multi-zone families tend to expose the platform layer underneath.",
]
)
)
lines.append("")
lines.append("The common ground is operational reality. A brand or product team wants a recognisable public name. A platform team wants a stable service rail. A delivery team wants environment labels and routable front doors. Certificates and DNS show those layers from different angles, which is why the estate looks messy when read from only one side.")
lines.append("## Chapter 6: Confidence, Limits, and Claims")
lines.append("")
lines.append("**Management Summary**")
lines.append("")
lines.extend(
md_bullets(
[
"Strongest claims: issuer trust, leaf-only status, SAN and Subject CN structure, purpose EKU split, DNS stack signatures, and recurring family patterns.",
"Medium-confidence claims: that the estate reflects a layered organisation with brand, platform, and delivery concerns superimposed on each other.",
"Lower-confidence claims: exact meanings of internal abbreviations or exact organisation-chart boundaries inferred from naming alone.",
]
)
)
lines.append("")
lines.append("This report can prove what is visible in public certificate and DNS data. It cannot prove internal governance charts or the exact human meaning of every abbreviation. Where the report interprets rather than measures, it does so by tying the interpretation to repeated observable patterns.")
r"\hypersetup{colorlinks=true,linkcolor=Accent,urlcolor=Accent,pdfauthor={CertTransparencySearch},pdftitle={Consolidated CT, Certificate, and DNS Report}}",
lines.append(r"\section{Method, Integrity, and How To Read This}")
add_summary(
[
f"The scanner now refuses to run if the candidate cap is lower than the live raw match count; current counts are {', '.join(f'{domain}={count}' for domain, count in report['raw_match_counts'].items())}.",
f"The live cap used for this run was {report['cap']}.",
r"Certificate Transparency is the public logging layer for issued certificates. The report starts there, validates the actual X.509 certificate bytes, and then scans the DNS names exposed in SANs. A Subject CN is the traditional primary name in a certificate; a SAN list is the modern set of all names the certificate covers."
)
lines.append(r"\section{Certificate Corpus}")
add_summary(
[
f"{len(hits)} current leaf certificates are in scope.",
f"Revocation mix: not revoked={rev_counts.get('not_revoked',0)}, revoked={rev_counts.get('revoked',0)}, unknown={rev_counts.get('unknown',0)}.",
lines.append(r"\section{Confidence, Limits, and Claims}")
add_summary(
[
"Strong claims in this report are the ones tied directly to certificate fields, DNS answers, and trust records.",
"Interpretive claims are constrained to repeated patterns and are stated as readings, not as internal-org certainties.",
"The exact meaning of internal abbreviations cannot be proven from CT and DNS alone.",
]
)
lines.append(
r"The report can prove which issuers are used, which EKU patterns exist, which DNS stacks are visible, and which naming families repeat. It cannot prove the exact internal org chart or the exact human expansion of every short token."