crt.sh Certificate Transparency Scraper — SSL Discovery
Pricing
from $3.00 / 1,000 results
crt.sh Certificate Transparency Scraper — SSL Discovery
Discover all SSL/TLS certificates issued for any domain via crt.sh Certificate Transparency logs. Find subdomains, wildcard certs, certificate history, and issuer details.
Pricing
from $3.00 / 1,000 results
Rating
0.0
(0)
Developer
Compute Edge
Maintained by CommunityActor stats
0
Bookmarked
2
Total users
1
Monthly active users
a day ago
Last modified
Categories
Share
crt.sh Certificate Transparency Scraper
Extract SSL/TLS certificate records from crt.sh for any domain. Discover subdomains, wildcard certificates, certificate history, issuers, and validity dates from public Certificate Transparency (CT) logs — no API key required.
What is Certificate Transparency?
Every publicly trusted SSL/TLS certificate must be logged in a public Certificate Transparency log before browsers will trust it. crt.sh is a free public search interface over those logs maintained by Sectigo. This Actor queries it programmatically to return structured JSON output ready for security research, subdomain enumeration, and asset discovery workflows.
Key data fields extracted:
| Field | Description |
|---|---|
commonName | Certificate Common Name (CN), typically the primary domain |
nameValue | Subject Alternative Names (SANs) — all domains covered by the cert |
sanList | SAN entries parsed into a clean array |
issuerName | Full issuer string (e.g. "Let's Encrypt Authority X3") |
notBefore | Certificate valid-from date (YYYY-MM-DD) |
notAfter | Certificate expiry date (YYYY-MM-DD) |
isExpired | Boolean — true if the certificate has expired |
serialNumber | Certificate serial number |
crtshId | crt.sh internal record ID |
crtshUrl | Direct link to the certificate detail page on crt.sh |
queryDomain | The domain that was queried (useful when running multiple domains) |
How to Scrape SSL Certificates with This Actor
- Go to the Input tab in Apify Console.
- Enter one or more domains in the Domains field (e.g.
example.com,%.example.com). - Optionally filter by issuer, validity date range, or toggle expired certs on/off.
- Click Start and wait for the run to complete (most domains finish in under 30 seconds).
- Download results as JSON, CSV, or XLSX from the Dataset tab.
Input Configuration
{"domains": ["example.com", "%.github.com"],"includeExpired": false,"deduplicateSubdomains": true,"issuedAfter": "2024-01-01","issuerFilter": "Let's Encrypt","maxResultsPerDomain": 500}
Wildcard prefix queries: Use %.example.com to find all subdomains. crt.sh treats % as a SQL LIKE wildcard.
Pricing
This Actor uses pay-per-result pricing. Typical costs:
| Usage | Estimated Cost |
|---|---|
| 100 certificate records | ~$0.30 |
| 500 certificate records | ~$1.50 |
| 2,000 certificate records | ~$6.00 |
Large domains (e.g. %.google.com) can return thousands of records — use maxResultsPerDomain to control costs.
Example Output
{"crtshId": 12345678,"issuerCaId": 183267,"issuerName": "C=US, O=Let's Encrypt, CN=R3","commonName": "api.example.com","nameValue": "api.example.com","sanList": ["api.example.com"],"entryTimestamp": "2024-06-01T12:34:56","notBefore": "2024-06-01","notAfter": "2024-08-30","isExpired": false,"serialNumber": "04abc123def456","queryDomain": "%.example.com","crtshUrl": "https://crt.sh/?id=12345678"}
Use Cases
- Security Research: Discover all subdomains of a target to map attack surface.
- Asset Inventory: Audit all SSL certificates issued for your organisation's domains.
- Competitive Intelligence: Track when competitors register new subdomains (new product launches, regional expansions).
- Phishing Detection: Monitor for look-alike certificates (e.g.
%.paypal-secure.com). - Certificate Expiry Monitoring: Find certificates nearing expiration across a portfolio of domains.
Related Actors
- CISA KEV Scraper — Known Exploited Vulnerabilities catalog
FAQ
Does this require login or an API key? No. crt.sh is a free public service. No authentication required.
How fresh is the data? crt.sh ingests CT logs in near real-time (typically within minutes of certificate issuance).
What does %.example.com mean?
The % is a wildcard matching any prefix. %.example.com returns certs for all subdomains of example.com. You can also query example.com (exact) or %.%.example.com for deeper nesting.
Why might some results be missing? Pre-certificate SCTs (pre-issuance log entries) are included in crt.sh results. Some very old certificates predate CT logs and will not appear.
Legal Disclaimer
This Actor queries the publicly available crt.sh interface, which aggregates data from Certificate Transparency logs. Certificate Transparency logs are public by design (RFC 6962). Usage is subject to crt.sh's terms of service. Please use responsibly and avoid hammering the service with excessive concurrent requests. The Actor includes a 1-second polite delay between domain queries. The data extracted contains no personal information — only technical certificate metadata.
For support or feature requests, contact seatsignal on Apify.