Certificate Transparency Search Resources

(This post is a wiki, other community members are welcome to edit and improve it. It's quite likely that I've gotten something wrong, or that offerings have changed.)

Certificate Transparency ("CT") is a system that Certification Authorities (CAs) need to log all publicly trusted certificates to. This helps the security community monitor that CAs are following the rules that they're supposed to be following, and allows for domain name owners (as well as anyone else) to see exactly which certificates have been issued for which domain names.

However, the actual CT log interface is more designed around ensuring that the security guarantees of them are being met, and can't easily be searched directly for a specific name. Various services exist which "scrape" through and aggregate the raw CT data, to make it easier to search through. The following table is a collection of existing services that one might find helpful when attempting to look for something in CT logs.


Crt.sh does offer an API. You can connect directly to their postgresql and run your queries.


Thanks. I was sure I was going to mess something up, that's why I made it a wiki. Go ahead and update whatever else I got wrong.


There's also Entrust Certificate Search - Entrust, Inc.. Will add it to the list. -> was already in the code of the table, but not functional due not being on its own line. By the way, they don't offer an API "officially", but if you look at the network traffic, their webinterface simply connects to their own API, which probably can be used by software too.

Should we also make a column "Remarks" or something? E.g., mention that while crt.sh is a great site, it often has performance issues and lags behind?

Ooeeh, just got a new badge "Wiki Editor" after running around here for almost 8 years already :sunglasses:


I could have sworn that I already had Entrust. It was in my personal list, at least. It doesn't look like it's working to me right now, at least, though; I just get an endless spinning wheel when I try to put in a domain name.


You did, it was just on the same line as DigiCert, so it didn't show up in the table. It does now.

I also often had that spinny thingy due to the fact their API (under the hood, not officially announced) wasn't working. E.g. https://ui.ctsearch.entrust.com/api/v1/certificates?fields=issuerCN,subjectO,issuerDN,issuerO,subjectDN,signAlg,san,publicKeyType,publicKeySize,validFrom,validTo,sn,ev,logEntries.logName,subjectCNReversed&domain=letsencrypt.org&includeExpired=false&exactMatch=true&limit=5000&_=1691781641911. But it's working now! For me at least.


I like Cloudflare because they have e-mail notifications when a certificate is issued for any of your domains

it's always fun when I renew my big certificates and see this


IMHO, this feature has tended to create more problems than it tried to avoid. While it is AMAZING in principle, it has been terrible in execution in the past. (I haven't seen one of these emails recently. Hopefully they have been changed.)

On initial release and for a long period of time afterwards (possibly still now), CloudFlare failed to disclose on those "ALERTS!" that Cloudflare itself had procured the certificates for their client. Many people would freak out, believing there to be an exploit, because they did not order the certificate. As part of their uptime strategy and contingency plans, Cloudflare orders multiple certificates for each domain. The backup certificates often include internally coded domains that belong to Cloudflare (but do not look like it), and sometimes include domains belonging to other subscribers.

If you know about this stuff beforehand, or if the emails made it clear, that Cloudflare product would be great.


Agreed. I cannot see voluntarily subjecting myself to such noise. If it had a service similar to DMARC report aggregation, it might be valuable.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.