When browsing the web, SSL certificates are every where. You may only associate them as the small locks inside of your browser bar, but beyond securing your data, certificates are a great way for analysts to connect disparate network infrastructure. Modern scanning techniques allow us to perform data requests against every node on the Internet in a matter of hours, meaning we can easily associate a certificate to an IP address hosting it on a regular basis.
Much like a WHOIS record, SSL certificates require information to be supplied by the user in order to generate the final product. Aside from the domain the SSL certificate is being created for (unless self-signed), any of the additional information can be made up by the user. As analysts, where we see the most value from SSL certificates is not necessarily the unique data someone may use when generate the certificate, but where it's hosted.
In order to access an SSL certificate, it needs to be associated with a web server and exposed through a particular port (most often 443). Using mass Internet scans on a weekly basis, it's possible to scan all IP addresses and obtain any certificate being hosted in order to build a historic repository of certificate data. Having a database of IP address to SSL certificate mappings provides analysts with a way to identify overlap in infrastructure.
To further illustrate this concept, imagine an actor has setup a server with a self-signed SSL certificate. After several days, defenders become wise to their infrastructure and block the web server hosting malicious content. Instead of destroying all their hard work, the actor merely copies all the contents (including the SSL certificate) and places them on a new server. As an analyst, a connection can now be made using the unique SHA-1 value of the certificate to say that both web servers (one blocked, one unknown) are connected in some way.
What makes SSL certificates more valuable is that they are capable of making connections that passive DNS or WHOIS data may miss. This means more ways of correlating potential malicious infrastructure and identifying potential operational security failures of actors. PassiveTotal has collected over 30 million certificates from 2013 until present day and provides analyst with the tools to make correlations on certificate content and history.
A detailed walk through of how analysts can use SSL certificates in their analysis can be found here.