MITRE ATT&CK Technique
Description
Adversaries may install SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are files that can be installed on servers to enable secure communications between systems. Digital certificates include information about the key, information about its owner's identity, and the digital signature of an entity that has verified the certificate's contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate securely with its owner. Certificates can be uploaded to a server, then the server can be configured to use the certificate to enable encrypted communication with it.(Citation: DigiCert Install SSL Cert) Adversaries may install SSL/TLS certificates that can be used to further their operations, such as encrypting C2 traffic (ex: [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002) with [Web Protocols](https://attack.mitre.org/techniques/T1071/001)) or lending credibility to a credential harvesting site. Installation of digital certificates may take place for a number of server types, including web servers and email servers. Adversaries can obtain digital certificates (see [Digital Certificates](https://attack.mitre.org/techniques/T1588/004)) or create self-signed certificates (see [Digital Certificates](https://attack.mitre.org/techniques/T1587/003)). Digital certificates can then be installed on adversary controlled infrastructure that may have been acquired ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or previously compromised ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)).
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2021-03-17T20:32:13.793Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may install SSL/TLS certificates that can be used '
'during targeting. SSL/TLS certificates are files that can be '
'installed on servers to enable secure communications between '
'systems. Digital certificates include information about the '
"key, information about its owner's identity, and the digital "
"signature of an entity that has verified the certificate's "
'contents are correct. If the signature is valid, and the '
'person examining the certificate trusts the signer, then they '
'know they can use that key to communicate securely with its '
'owner. Certificates can be uploaded to a server, then the '
'server can be configured to use the certificate to enable '
'encrypted communication with it.(Citation: DigiCert Install '
'SSL Cert)\n'
'\n'
'Adversaries may install SSL/TLS certificates that can be used '
'to further their operations, such as encrypting C2 traffic '
'(ex: [Asymmetric '
'Cryptography](https://attack.mitre.org/techniques/T1573/002) '
'with [Web '
'Protocols](https://attack.mitre.org/techniques/T1071/001)) or '
'lending credibility to a credential harvesting site. '
'Installation of digital certificates may take place for a '
'number of server types, including web servers and email '
'servers. \n'
'\n'
'Adversaries can obtain digital certificates (see [Digital '
'Certificates](https://attack.mitre.org/techniques/T1588/004)) '
'or create self-signed certificates (see [Digital '
'Certificates](https://attack.mitre.org/techniques/T1587/003)). '
'Digital certificates can then be installed on adversary '
'controlled infrastructure that may have been acquired '
'([Acquire '
'Infrastructure](https://attack.mitre.org/techniques/T1583)) '
'or previously compromised ([Compromise '
'Infrastructure](https://attack.mitre.org/techniques/T1584)).',
'external_references': [{'external_id': 'T1608.003',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1608/003'},
{'description': 'DigiCert. (n.d.). How to Install an '
'SSL Certificate. Retrieved April 19, '
'2021.',
'source_name': 'DigiCert Install SSL Cert',
'url': 'https://www.digicert.com/kb/ssl-certificate-installation.htm'},
{'description': 'Kovar, R. (2017, December 11). Tall '
'Tales of Hunting with TLS/SSL '
'Certificates. Retrieved October 16, '
'2020.',
'source_name': 'Splunk Kovar Certificates 2017',
'url': 'https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html'}],
'id': 'attack-pattern--c071d8c1-3b3a-4f22-9407-ca4e96921069',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'resource-development'}],
'modified': '2025-10-24T17:49:19.322Z',
'name': 'Install Digital Certificate',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['PRE'],
'x_mitre_version': '1.1'}