Pricing

from $3.00 / 1,000 certificate fetcheds

SSL Certificate Transparency Search

Search Certificate Transparency logs via crt.sh to find SSL/TLS certificates for any domain. Enumerate subdomains, monitor certificate issuance, detect unauthorized certs, and audit certificate sprawl. Returns deduplicated subdomains or individual certificate records.

Pricing

from $3.00 / 1,000 certificate fetcheds

Rating

0.0

(0)

Developer

ryan clinton

Actor stats

Bookmarked

Total users

Monthly active users

4 hours ago

Last modified

Why use this actor?

Structured output from a messy source -- crt.sh returns raw HTML tables by default. This actor queries its JSON API endpoint and delivers clean, typed results ready for pipelines, dashboards, and integrations.
Automatic subdomain aggregation -- instead of wading through thousands of individual certificate records, get a deduplicated list of unique subdomains with first-seen/last-seen dates, certificate counts, and active status in a single run.
No API key required -- Certificate Transparency logs are public records mandated by RFC 6962. This actor queries the largest public CT log aggregator (crt.sh) at zero external cost.
Schedulable monitoring -- run on a recurring schedule via Apify to detect new certificate issuance, catch unauthorized certs, or spot phishing domains targeting your brand before they cause damage.
Built-in resilience -- handles crt.sh timeouts (120-second abort controller), empty responses, and malformed data gracefully with clear error messages.

Key features

Two output modes -- choose between deduplicated subdomain summaries (default) or granular individual certificate records depending on your use case.
Subdomain enumeration -- discover every subdomain that has ever had an SSL/TLS certificate issued, a critical first step in attack surface mapping and security reconnaissance.
Expired certificate filtering -- optionally exclude expired certificates to focus only on currently active infrastructure.
First-seen / last-seen tracking -- see exactly when each subdomain first appeared in CT logs and when it was most recently observed, useful for tracking infrastructure changes.
Active status indicator -- each subdomain includes an isActive boolean flag computed from the latest certificate's expiration date.
SAN extraction -- Subject Alternative Names are parsed from multi-line name_value fields and wildcard entries (e.g., *.example.com) are normalized to their base domain.
Certificate metadata -- get issuer name, common name, serial number, validity window, entry timestamp, and direct crt.sh links for every record.
Configurable result limits -- return anywhere from 1 to 5,000 results per run to balance completeness against processing time.
Wildcard subdomain search -- when includeSubdomains is enabled, the actor automatically prepends %. to your domain query for comprehensive subdomain discovery.
Direct crt.sh links -- every result includes a clickable URL back to the crt.sh web interface for manual verification and deeper investigation.

How to use

From the Apify Console

Go to the SSL Certificate Transparency Search actor page and click Start.
Enter a domain name (e.g., example.com) in the Domain field.
Configure optional settings:
- Toggle Include Subdomains to search for all subdomains (enabled by default).
- Toggle Include Expired Certificates to include or exclude expired certs.
- Toggle Deduplicate Subdomains for aggregated subdomain output versus raw certificate records.
- Set Max Results to control the number of returned items (default: 100).
Click Start and wait for the run to complete.
Download results in JSON, CSV, Excel, or other formats from the Dataset tab.

Via the Apify API (JavaScript)

import { ApifyClient } from 'apify-client';

const client = new ApifyClient({ token: 'YOUR_APIFY_TOKEN' });

const run = await client.actor('ryanclinton/crt-sh-search').call({
    domain: 'example.com',
    includeExpired: false,
    includeSubdomains: true,
    deduplicateSubdomains: true,
    maxResults: 500,
});

const { items } = await client.dataset(run.defaultDatasetId).listItems();
console.log(items);

Via the Apify API (Python)

from apify_client import ApifyClient

client = ApifyClient("YOUR_APIFY_TOKEN")

run = client.actor("ryanclinton/crt-sh-search").call(run_input={
    "domain": "example.com",
    "includeExpired": False,
    "includeSubdomains": True,
    "deduplicateSubdomains": True,
    "maxResults": 500,
})

items = client.dataset(run["defaultDatasetId"]).list_items().items
for item in items:
    print(item)

Input parameters

Parameter	Type	Required	Default	Description
`domain`	String	Yes	--	Domain to search for certificates (e.g., `example.com`). Use `%.example.com` for manual wildcard subdomain search.
`includeExpired`	Boolean	No	`true`	Include certificates that have already expired in the results.
`includeSubdomains`	Boolean	No	`true`	Automatically prepend `%` wildcard to search for all subdomains of the domain.
`deduplicateSubdomains`	Boolean	No	`true`	Return unique subdomains with aggregated metadata instead of individual certificate records.
`maxResults`	Integer	No	`100`	Maximum number of results to return (1--5,000).

Example input (JSON)

{
    "domain": "example.com",
    "includeExpired": false,
    "includeSubdomains": true,
    "deduplicateSubdomains": true,
    "maxResults": 500
}

Tips

Set includeExpired to false when you only care about currently active infrastructure -- this dramatically reduces noise for domains with long histories.
For large domains that time out, try a more specific subdomain query like cloud.example.com instead of the top-level domain.
Increase maxResults to 1,000+ for comprehensive security audits where complete subdomain coverage matters.

Output

Subdomain discovery mode (default)

When deduplicateSubdomains is true, the actor aggregates certificate records into unique subdomains:

[
    {
        "subdomain": "mail.example.com",
        "firstSeen": "2019-03-15T12:30:45.000Z",
        "lastSeen": "2025-01-10T08:22:11.000Z",
        "certificateCount": 14,
        "latestIssuer": "C=US, O=Let's Encrypt, CN=R3",
        "latestNotBefore": "2025-01-10T00:00:00.000Z",
        "latestNotAfter": "2025-04-10T00:00:00.000Z",
        "isActive": true,
        "crtshUrl": "https://crt.sh/?q=mail.example.com"
    }
]

Field	Type	Description
`subdomain`	String	The unique subdomain found in CT logs (wildcards normalized to base domain).
`firstSeen`	String (ISO 8601)	Timestamp of the earliest certificate entry for this subdomain.
`lastSeen`	String (ISO 8601)	Timestamp of the most recent certificate entry for this subdomain.
`certificateCount`	Integer	Total number of certificate records referencing this subdomain.
`latestIssuer`	String	Issuer distinguished name of the most recent certificate.
`latestNotBefore`	String (ISO 8601)	Start of validity for the most recent certificate.
`latestNotAfter`	String (ISO 8601)	End of validity for the most recent certificate.
`isActive`	Boolean	`true` if the latest certificate's `notAfter` date is in the future.
`crtshUrl`	String (URL)	Direct link to search this subdomain on crt.sh.

Certificate record mode

When deduplicateSubdomains is false, the actor returns individual certificate records:

[
    {
        "certificateId": 12345678901,
        "issuerName": "C=US, O=Let's Encrypt, CN=R3",
        "commonName": "example.com",
        "subjectAlternativeNames": ["example.com", "www.example.com"],
        "serialNumber": "04a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7",
        "notBefore": "2025-01-15T00:00:00.000Z",
        "notAfter": "2025-04-15T00:00:00.000Z",
        "isExpired": false,
        "entryTimestamp": "2025-01-15T01:23:45.678Z",
        "crtshUrl": "https://crt.sh/?id=12345678901"
    }
]

Field	Type	Description
`certificateId`	Integer	Unique crt.sh certificate ID.
`issuerName`	String	Distinguished name of the Certificate Authority that issued this cert.
`commonName`	String	The certificate's Common Name (CN) field.
`subjectAlternativeNames`	String[]	All SANs listed on the certificate, parsed from newline-delimited values.
`serialNumber`	String	Hex-encoded serial number of the certificate.
`notBefore`	String (ISO 8601)	Start of the certificate's validity period.
`notAfter`	String (ISO 8601)	End of the certificate's validity period.
`isExpired`	Boolean	`true` if `notAfter` is in the past at the time of the run.
`entryTimestamp`	String (ISO 8601)	When this certificate was logged in CT logs.
`crtshUrl`	String (URL)	Direct link to this certificate on crt.sh.

Use cases

Attack surface mapping -- discover all subdomains of a target organization by enumerating their certificate history, a standard first step in penetration testing and red team engagements.
Phishing domain detection -- monitor CT logs for certificates containing your brand name to catch lookalike domains before they are used in phishing campaigns.
Certificate lifecycle auditing -- track certificate issuance patterns, identify CAs in use, and spot certificates nearing expiration across your entire domain portfolio.
Shadow IT discovery -- find subdomains and services that were provisioned outside of official IT channels by detecting certificates issued for unexpected hostnames.
Compliance monitoring -- verify that certificates are being issued only by approved Certificate Authorities and that no unauthorized certs exist for your domains.
Infrastructure change tracking -- compare subdomain lists over time to detect new services being deployed or old ones being decommissioned.
Incident response -- during a security incident, quickly enumerate all certificates and subdomains associated with a compromised domain to assess the scope of exposure.
Competitive intelligence -- analyze a competitor's publicly visible infrastructure footprint through their certificate history to understand their technology stack and scale.
DevOps certificate inventory -- maintain an up-to-date inventory of all SSL/TLS certificates across your organization's domains for renewal planning and lifecycle management.

API & integration

Python

from apify_client import ApifyClient

client = ApifyClient("YOUR_APIFY_TOKEN")
run = client.actor("ryanclinton/crt-sh-search").call(run_input={
    "domain": "example.com",
    "includeExpired": False,
    "deduplicateSubdomains": True,
    "maxResults": 200,
})
for item in client.dataset(run["defaultDatasetId"]).list_items().items:
    print(f"{item['subdomain']} - Active: {item['isActive']} - Certs: {item['certificateCount']}")

JavaScript

import { ApifyClient } from 'apify-client';

const client = new ApifyClient({ token: 'YOUR_APIFY_TOKEN' });
const run = await client.actor('ryanclinton/crt-sh-search').call({
    domain: 'example.com',
    includeExpired: false,
    deduplicateSubdomains: true,
    maxResults: 200,
});
const { items } = await client.dataset(run.defaultDatasetId).listItems();
items.forEach((item) => {
    console.log(`${item.subdomain} - Active: ${item.isActive} - Certs: ${item.certificateCount}`);
});

cURL

curl "https://api.apify.com/v2/acts/ryanclinton~crt-sh-search/runs" \
  -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_APIFY_TOKEN" \
  -d '{"domain":"example.com","includeExpired":false,"maxResults":200}'

Integrations

This actor outputs standard Apify datasets compatible with all platform integrations including Google Sheets, Slack, Zapier, Make (Integromat), GitHub, webhooks, and the Apify REST API. Use webhooks to trigger alerts when new certificates are detected for your domains.

How it works

The actor follows a straightforward pipeline to query and process Certificate Transparency data:

Input validation -- reads and validates the domain input, applying defaults for optional parameters.
Query construction -- if includeSubdomains is enabled, prepends %. to the domain to form a wildcard query (e.g., %.example.com).
API request -- sends a GET request to https://crt.sh/?q={query}&output=json with a 120-second timeout via AbortController.
Response parsing -- parses the JSON response into typed CrtShRecord objects containing raw certificate data.
Expired filtering -- if includeExpired is false, removes records where not_after is in the past.
Output branching -- routes to subdomain deduplication mode or certificate record mode based on the deduplicateSubdomains flag.
Subdomain aggregation (dedup mode) -- extracts SANs from each record, normalizes wildcards, and aggregates into a Map keyed by subdomain with first-seen/last-seen/count metadata.
Result formatting -- sorts results by lastSeen descending, applies maxResults limit, and pushes structured output to the Apify dataset.

+------------------+
                    |   Domain Input   |
                    +--------+---------+
                             |
                    +--------v---------+
                    |  Build Query     |
                    |  (%.domain.com)  |
                    +--------+---------+
                             |
                    +--------v---------+
                    |  Fetch crt.sh    |
                    |  JSON API        |
                    +--------+---------+
                             |
                    +--------v---------+
                    |  Filter Expired  |
                    |  (optional)      |
                    +--------+---------+
                             |
                +------------+------------+
                |                         |
     +----------v----------+   +----------v----------+
     |  Subdomain Dedup    |   |  Certificate Mode   |
     |  Mode (default)     |   |  (individual certs)  |
     +----------+----------+   +----------+----------+
                |                         |
     +----------v----------+   +----------v----------+
     |  Aggregate & Sort   |   |  Format & Limit     |
     +----------+----------+   +----------+----------+
                |                         |
                +------------+------------+
                             |
                    +--------v---------+
                    |  Push to Apify   |
                    |  Dataset         |
                    +------------------+

Performance & cost

Metric	Typical Value
Memory usage	256 MB
Run time (small domain, <100 certs)	3--10 seconds
Run time (medium domain, 100--1,000 certs)	10--30 seconds
Run time (large domain, 1,000+ certs)	30--120 seconds
Cost per run (Apify platform)	~$0.001--$0.01
External API cost	Free (no API key required)
Request timeout	120 seconds
Max results per run	5,000
Free tier runs per month	Hundreds (within $5 monthly credit)

Limitations

crt.sh availability -- crt.sh is a free public service maintained by Sectigo. It can be slow or temporarily unavailable during periods of heavy traffic. The actor includes a 120-second timeout but cannot control server-side performance.
Very large domains may time out -- domains with tens of thousands of certificates (e.g., google.com, amazonaws.com) may exceed the timeout. Use a more specific subdomain query in these cases.
CT log coverage -- while crt.sh aggregates the largest collection of CT logs, it may not include every log in existence. Some very recently issued certificates may not yet be indexed.
No private certificate visibility -- Certificate Transparency only covers publicly trusted certificates. Internal/private CA certificates that are not submitted to CT logs will not appear.
Historical data only -- this actor queries what has been logged, not what is currently deployed. A certificate appearing in CT logs does not guarantee it is actively in use on a server.
Rate limiting -- crt.sh does not publish rate limits, but excessive concurrent requests may result in temporary blocks. The actor makes a single request per run.
No certificate chain validation -- the actor reports certificate metadata as logged in CT; it does not verify the certificate chain or check revocation status.

Responsible use

Respect the data source -- crt.sh is a free community resource. Avoid scheduling excessively frequent runs (e.g., every minute) for the same domain, which would place unnecessary load on their servers.
Certificate Transparency is public by design -- all data returned by this actor is publicly available information that Certificate Authorities are required to publish. Querying CT logs is a legitimate and expected use of the system.
Use findings responsibly -- subdomain enumeration data can reveal an organization's infrastructure. If you discover vulnerabilities through CT log analysis, follow responsible disclosure practices.
Comply with applicable laws -- while CT log data is public, how you use derived information (e.g., for security testing) must comply with your local laws and any applicable terms of service.
Do not use for harassment -- CT log data should be used for security research, compliance, and infrastructure management -- not for stalking, harassment, or other harmful purposes.

FAQ

What is Certificate Transparency? Certificate Transparency (CT) is a public framework defined in RFC 6962 that requires Certificate Authorities to publicly log every SSL/TLS certificate they issue. This makes it possible to detect misissued or fraudulent certificates. crt.sh is the largest public aggregator of these CT logs.

What is crt.sh? crt.sh is a free web interface and API maintained by Sectigo (formerly Comodo CA) that indexes Certificate Transparency logs. It is the most widely used public CT log search engine and contains billions of certificate records.

Can I search for any domain? Yes. Certificate Transparency logs are public records. You can search for certificates issued to any domain, whether you own it or not. This is by design -- transparency is the entire purpose of the CT framework.

Why would a domain have thousands of certificates? Large organizations frequently rotate certificates, use separate certificates for different subdomains, and may use multiple Certificate Authorities. Domains using Let's Encrypt with 90-day certificates accumulate records especially quickly.

What is the difference between the two output modes? Subdomain discovery mode (default) aggregates all certificate records into unique subdomains with summary metadata like first-seen date, certificate count, and active status. Certificate record mode returns individual certificates with full details including issuer, serial number, SANs, and validity dates.

What does the isActive field mean? The isActive field indicates whether the latest certificate for a subdomain has not yet expired. A value of true means the most recent certificate's notAfter date is still in the future at the time of the run.

How are wildcard certificates handled? Wildcard entries like *.example.com are normalized to their base domain (example.com) during subdomain deduplication. In certificate record mode, wildcards appear as-is in the subjectAlternativeNames array.

Can I use this to detect phishing domains? Yes. CT log monitoring is a well-established technique for detecting phishing. By searching for certificates containing your brand name (e.g., %yourbank%), you can identify suspicious domains that have obtained SSL certificates to appear legitimate.

Is an API key required? No. The crt.sh database is completely free and public. No external API keys are needed -- you only need your Apify API token to run the actor programmatically.

What happens if crt.sh is slow or down? The actor includes a 120-second timeout. If crt.sh does not respond within that window, the run will fail with a clear error message explaining the timeout. You can simply retry later.

How often should I schedule monitoring runs? For most use cases, daily or weekly runs provide good coverage. New certificates typically appear in CT logs within hours of issuance, so daily monitoring catches most activity promptly.

Can I combine this with other security tools? Absolutely. Export the subdomain list and feed it into DNS resolution (via DNS Record Lookup), WHOIS lookups, port scanning, or vulnerability assessment workflows for a complete security audit pipeline.

Actor	Description
DNS Record Lookup	Resolve DNS records (A, AAAA, MX, CNAME, TXT, NS) for domains discovered through CT logs.
WHOIS Domain Lookup	Look up domain registration and ownership details including registrar, creation date, and nameservers.
CISA KEV Catalog	Search CISA's Known Exploited Vulnerabilities catalog to cross-reference with your infrastructure findings.
NVD CVE Vulnerability Search	Search the National Vulnerability Database for CVEs affecting your discovered services and software.
IP Geolocation Lookup	Look up geographic locations of IP addresses resolved from subdomains found via CT logs.
Censys Internet Host Search	Search internet hosts and services via Censys to complement certificate transparency findings.

Subdomain Finder

automation-lab/subdomain-finder

This actor discovers subdomains by querying certificate transparency logs via crt.sh. It finds all SSL/TLS certificates ever issued for a domain, extracting unique subdomain names. This passive reconnaissance technique requires no direct scanning.

Stas Persiianenko

SSL Certificate Checker

nexgendata/ssl-certificate-checker

Check SSL/TLS certificates for any domain — expiration dates, issuer, protocol versions, and security grade. Monitor certificate health across your infrastructure.

Stephan Corbeil

SSL Certificate Checker

automation-lab/ssl-certificate-checker

SSL Certificate Checker connects to domains over TLS and inspects their SSL certificates. It returns structured data about certificate validity, expiry, issuer chain, TLS protocol version, cipher suite, and a security grade from A+ to F.

Stas Persiianenko

SSL Certificate Checker

rationalistic_counsel/ssl-certificate-checker

J N

SSL Certificate Expiry Monitor

andok/ssl-certificate-monitor

Monitor SSL/TLS certificate validity and expiration dates across thousands of domains to prevent costly outages.

Andok

SSL Certificate Monitor API | Expiry + Issuer Changes

taroyamada/ssl-certificate-monitor

Check SSL/TLS certificates in bulk, detect expiry and issuer changes, and emit alert-ready rows for ops and SEO teams.

太郎山田

SSL Certificate Checker

scrappy_garden/ssl-certificate-checker

Check SSL/TLS certificates for any website: expiration date, issuer, subject, hostname match (SNI), chain/authorization status, and common HTTPS misconfigurations. Useful for SEO audits, security checks, and uptime monitoring.

Bikram Adhikari

Website HTTPS & SSL Health Checker

pillowy_travel/website-https-ssl-health-checker

Checks HTTPS availability and SSL certificate health for given URLs

SAHIL KUMAR

5.0

Bulk SSL Certificate Expiry DNS Monitor

logiover/bulk-ssl-certificate-expiry-dns-monitor

Check SSL certificate validity and expiration (days left, issuer, valid from/to) plus DNS A/MX resolution for thousands of domains. Fast, no browser, export-ready JSON/CSV. Ideal for agencies, SEO audits, DevOps monitoring and compliance.