Under maintenance

Pricing

Pay per usage

Try for free

Go to Apify Store

Certificate Transparency Subdomain Search (crt.sh alternative)

Under maintenance

Try for free

Find subdomains and TLS certificates for any domain from Certificate Transparency logs. A fast, working crt.sh alternative for subdomain enumeration, recon and attack-surface mapping. Returns unique hostnames with first/last seen and issuers, or raw certificates.

Pricing

Pay per usage

Rating

0.0

(0)

Developer

Sevastian Z

Actor stats

Bookmarked

Total users

Monthly active users

4 days ago

Last modified

What it does

Queries CT logs for a domain (and optionally its subdomains).
Returns either:
- Unique hostnames (default): one row per hostname, deduplicated, with how many certificates referenced it, first/last seen dates and issuers. Ideal for subdomain enumeration.
- Raw certificates: one row per certificate, with all SAN names, issuer and validity window.
Wildcard certificates (*.example.com) are flagged.

Input

Field	Type	Description
`domain`	string, required	Domain to search, e.g. `example.com`
`includeSubdomains`	boolean	Also include certificates issued for subdomains (default `true`)
`output`	`names` \| `certificates`	Aggregate to unique hostnames, or return raw certificates (default `names`)

{ "domain": "example.com", "includeSubdomains": true, "output": "names" }

Output (names mode)

Field	Description
`name`	discovered hostname
`wildcard`	a wildcard certificate covered this name
`cert_count`	how many certificates referenced it
`first_seen` / `last_seen`	earliest / latest certificate `not_before`
`issuers`	certificate authorities that issued for it

Use cases

Subdomain enumeration for recon and bug bounty.
Attack-surface and asset discovery for security teams.
Monitoring which CAs issue certificates for your domains.

CT search finds certificates for your domain. Attackers register lookalike and typosquatted domains and get their own certificates to phish your users. To detect those, scan with Lookalike / Typosquat Domain Scan — it generates lookalike permutations, verifies registration via DNS and RDAP, and scores phishing risk.

Notes

Data comes from public Certificate Transparency logs via the Cert Spotter API. The free tier is rate-limited; if you hit a rate limit, retry in a minute.

SSL Certificate Transparency Search

ryanclinton/crt-sh-search

Search Certificate Transparency (CT) logs via crt.sh to discover every SSL/TLS certificate ever issued for any domain. Enumerate subdomains, audit certificate histories, and monitor for unauthorized certificate issuance -- all through a clean JSON API on Apify with no infrastructure to manage.

Ryan Clinton

Subdomain Finder - Discover Every Subdomain Of A Domain

thirdwatch/subdomain-finder

Discover every subdomain for any apex domain. Merges 4 sources: certificate transparency (crt.sh), HackerTarget, RapidDNS, plus DNS bruteforcing of common names. Verifies each is live via DNS + HTTP probe.

Thirdwatch

Attack Surface Recon: Subdomain Discovery + HTTP Fingerprint

advx/attack-surface-recon

Map a domain's external attack surface. Passive subdomain enumeration with subfinder, HTTP fingerprint with httpx: status, title, server, technology stack, TLS issuer and IP. One dataset row per responding host. For recon, asset discovery and security audits.

Sevastian Z

Subdomain Finder

happitap/subdomain-finder

Subdomain Finder is a high-speed intelligence tool that uncovers subdomains for any target domain using Certificate Transparency (CT) logs. Unlike traditional brute-force tools, it requires no heavy traffic and provides results in seconds.

HappiTap

Subdomain Finder & Reverse IP

canadesk/subdomain-finder-reverse-ip

Enumerate Subdomains and Reverse IPs with RapidDNS, Anubis, AlienVault and crt.sh! It's fast and costs little.

Canadesk Support

218

🔍 Subdomain Finder & CT Log Scraper

taroyamada/subdomain-finder

Map website architectures by extracting subdomains from public Certificate Transparency logs to find unlinked staging sites.

太郎山田

Subdomain Finder & Recon Tool

andok/subdomain-finder

Discover subdomains for any target via passive OSINT sources. Ideal for security bug bounties and attack surface mapping.

Andok

Real Subdomain Finder

onescales/real-subdomain-finder

Discover every subdomain for any domain. Queries 40+ OSINT sources including cert transparency, DNS archives & web scanners. Results enriched with DNS validation, HTTP probing, and subdomain takeover detection. Simple Subdomain Lookup that works!

One Scales

5.0

Subdomain Discovery API

crawland/subdomain-discovery-api

Paginated subdomain enumeration for any registered domain — DNS records, registrar, WHOIS, vendor reputation, and category labels per subdomain, served from the Crawland threat-intelligence backend.

Crawland

SSL Certificate Checker

automation-lab/ssl-certificate-checker

SSL Certificate Checker connects to domains over TLS and inspects their SSL certificates. It returns structured data about certificate validity, expiry, issuer chain, TLS protocol version, cipher suite, and a security grade from A+ to F.