crt.sh Certificate Transparency Scraper
Pricing
from $2.00 / 1,000 results
crt.sh Certificate Transparency Scraper
Search the crt.sh certificate transparency logs for any domain you control and surface the hosts behind it. Each record carries the common name, every subject alternative name, the issuing authority, serial number, and validity window. Built for attack surface mapping and asset inventory.
Pricing
from $2.00 / 1,000 results
Rating
0.0
(0)
Developer
ParseForge
Maintained by CommunityActor stats
0
Bookmarked
2
Total users
1
Monthly active users
4 days ago
Last modified
Categories
Share
🔐 crt.sh Certificate Transparency Scraper
🚀 Map a domain's certificate footprint in one run. A single search of
github.comreturns 1,060 certificate log entries, each with its common name, subdomains, issuer, and validity window.
🕒 Last updated: 2026-06-04 · 📊 12 fields per record · public Certificate Transparency data · works for any domain you are authorized to assess
Certificate Transparency (CT) logs are public, append-only records of every TLS certificate a Certificate Authority issues. Because a certificate has to name the host it protects, those logs quietly reveal subdomains and internal hostnames that never appear in DNS scans or sitemaps. This actor queries crt.sh, the CT search service operated by Sectigo, and turns the raw log into clean, structured records.
Point it at one or more domains you own or are authorized to test, flip on the wildcard option, and you get back every certificate ever logged for that domain and its subdomains. It is built for defensive security work: attack-surface mapping, asset inventory, and watching your own certificates as they are issued.
| 🎯 Target Audience | 💡 Primary Use Cases |
|---|---|
| Security engineers and blue teams | Attack-surface and subdomain mapping |
| IT and infrastructure teams | Asset inventory of your own hostnames |
| Domain and brand owners | Monitoring certificates issued for your domains |
| Compliance and audit teams | Checking issuers and validity on your estate |
| Researchers and analysts | Studying public CT data at scale |
📋 What the crt.sh Certificate Transparency Scraper does
The actor searches the crt.sh JSON endpoint for each domain you provide. With the wildcard option enabled it queries %.yourdomain.com, so certificates issued to subdomains are included alongside the apex domain. For every certificate in the log it returns one row containing the crt.sh id, the common name, the full list of Subject Alternative Names (SANs) as an array, the issuing CA, the serial number, and the not before, not after, and log entry timestamps. A direct crt.sh/?id= link is added so you can open any certificate in one click.
crt.sh can be slow and sometimes answers with a 502 while it is under load, so the actor retries each query with a generous timeout and backoff, and falls back from the wildcard form to the plain domain if needed.
🎬 Full Demo (🚧 Coming soon)
⚙️ Input
| Field | Type | Required | Description |
|---|---|---|---|
domains | array | Yes | One or more domains to search, one per line, for example github.com. |
includeSubdomains | boolean | No | When on, searches %.domain so subdomain certificates are included. Default true. |
maxItems | integer | No | Cap on rows returned. Free plan is limited to 10. Default 10. |
Example 1 — discover subdomains for one domain
Example 2 — apex certificates only, several domains
⚠️ Good to Know: crt.sh returns every certificate ever logged, including expired and renewed ones, so popular domains produce thousands of rows and the same hostname can appear many times. Only search domains you own or are authorized to assess. This is a defensive, public-data tool.
📊 Output
Each record describes a single certificate from the Certificate Transparency log.
| Field | Type | Description |
|---|---|---|
🆔 id | number | crt.sh internal certificate id. |
🔐 commonName | string | The certificate subject common name. |
🌐 sans | array | Subject Alternative Names (hostnames the cert covers). |
🏢 issuerName | string | Distinguished name of the issuing CA. |
🏷 issuerCaId | number | crt.sh id of the issuing CA. |
🔢 serialNumber | string | Certificate serial number in hex. |
📅 notBefore | string | Start of the validity window. |
⏳ notAfter | string | End of the validity window. |
🕰 entryTimestamp | string | When the certificate was added to the CT log. |
🔗 crtShUrl | string | Direct link to the certificate on crt.sh. |
🎯 queryDomain | string | The domain you searched that produced this row. |
🕒 scrapedAt | string | ISO timestamp when the row was collected. |
❌ error | string | Error message, present only on failed rows. |
Sample record 1
Sample record 2
Sample record 3
✨ Why choose this Actor
- Reads straight from crt.sh, the Certificate Transparency search run by Sectigo, so the data is the public log itself.
- Splits the SAN field into a clean array, which is where most subdomain discovery actually happens.
- Adds a direct
crt.sh/?id=link to every row for one-click inspection. - Built to ride out crt.sh load spikes with retries, a long timeout, and a wildcard to plain-domain fallback.
- No account, no API key, and no proxy needed for the source.
📈 How it compares to alternatives
| Approach | Subdomain coverage | Setup | Structured output |
|---|---|---|---|
| This actor | Every host in CT logs | Paste a domain | One clean row per cert |
| Manual crt.sh browsing | Same source | Copy and paste by hand | None |
| DNS brute forcing | Only names you guess | Wordlists and tooling | Varies |
| Passive DNS services | Often paid | Accounts and keys | Varies |
🚀 How to use
- Sign up for Apify using this link if you do not have an account yet.
- Open the crt.sh Certificate Transparency Scraper and click Try for free.
- Enter one or more domains you own or are authorized to assess, then choose whether to include subdomains.
- Set
maxItemsto control how many certificates you pull, and click Start. - When the run finishes, browse the dataset in the console or pull it from the API for your own tooling.
💼 Business use cases
Attack-surface mapping
| Goal | How |
|---|---|
| Find forgotten hosts | Search your apex domain with the wildcard on and review every SAN. |
| Spot shadow services | Look for staging, vpn, or admin hostnames in the results. |
Asset inventory
| Goal | How |
|---|---|
| List your own certificates | Pull all certs for each domain you own and group by issuer. |
| Track issuers in use | Read issuerName to see which CAs sign your hosts. |
Certificate monitoring
| Goal | How |
|---|---|
| Watch for new issuance | Re-run on a schedule and diff on id to catch new certs. |
| Catch expiring certs | Sort by notAfter to see what lapses soon. |
Compliance and audit
| Goal | How |
|---|---|
| Evidence of coverage | Show that hosts in scope carry valid, current certificates. |
| Validity checks | Verify notBefore and notAfter windows on your estate. |
🔌 Automating crt.sh Certificate Transparency Scraper
Schedule recurring runs in Apify and route the dataset wherever your team works. Connect with Make or Zapier to post new findings, push alerts to Slack, sync rows into a warehouse with Airbyte, trigger a GitHub Action when new certificates appear for a domain, or drop a snapshot into Google Drive for your records.
🌟 Beyond business use cases
- Research: study how Certificate Transparency adoption and issuer mix change over time.
- Personal: check what certificates exist for a domain you own.
- Non-profit: help a small organization inventory its own web presence.
- Experimentation: feed CT data into your own analysis notebooks and dashboards.
🤖 Ask an AI assistant
Paste a dataset row into ChatGPT, Claude, Perplexity, or Microsoft Copilot and ask it to group hostnames, flag certificates nearing expiry, or summarize which issuers sign your domains.
❓ Frequently Asked Questions
What is Certificate Transparency? It is a public, append-only logging system that records every TLS certificate a participating CA issues, so anyone can audit what certificates exist for a domain.
Where does the data come from? From crt.sh, the Certificate Transparency search service operated by Sectigo. The actor reads its public JSON endpoint.
Do I need an API key or account for crt.sh? No. crt.sh is public and keyless. You only need an Apify account to run the actor.
How do I find subdomains?
Enable the include subdomains option. The actor then searches %.yourdomain.com and the SANs in each row list the hostnames the certificate covers.
Why are there duplicate hostnames?
CT logs hold every certificate ever issued, including renewals and pre-certificates, so the same hostname appears once per certificate. Each row still has a unique id.
Does it include expired certificates?
Yes. The log keeps historical entries. Use notAfter to filter out expired ones if you only want current coverage.
Can I search several domains at once? Yes. Add each domain on its own line in the domains field.
Why did a run return fewer rows than expected?
You may have hit your maxItems cap, or crt.sh was under heavy load. The actor retries, but very busy periods can still limit a single query.
Is this legal to use? Certificate Transparency data is public. Use this tool only against domains you own or are explicitly authorized to assess.
What format is the output? A structured dataset with one record per certificate and the fields listed in the Output table, ready to read in the console or pull from the API.
🔌 Integrate with any app
Every run writes to an Apify dataset you can read through the API, webhooks, and the official clients, so the output drops straight into your own security tooling, spreadsheets, or pipelines.
🔗 Recommended Actors
- UK Postcodes Scraper — look up UK postcodes and administrative areas.
- OpenAQ Air Quality Scraper — pull public air quality measurements.
- Open Charge Map Scraper — collect EV charging station data.
- Libraries.io Scraper — gather open source package metadata.
💡 Pro Tip: browse the complete ParseForge collection.
🆘 Need Help? Open our contact form
⚠️ Disclaimer: independent tool, not affiliated with crt.sh or Sectigo. Only publicly available Certificate Transparency data is collected. Use only against domains you own or are authorized to assess.
