The new D4 sensor "Extract TLS certificates from pcap files or network interfaces, fingerprint TLS client/server interactions with ja3/ja3s" which can easily be plugged in to collect TLS certificates and JA3 fingerprints. github.com/D4-project/sen and some test results.
