DEV Community

Alex Spinov
Alex Spinov

Posted on

crt.sh Has a Free API — Find Every SSL Certificate for Any Domain

#python #api #security #tutorial

The Story

During a security assessment, I needed to find all subdomains of a target company. DNS brute-forcing is slow and noisy. Then a pentester friend told me: just check crt.sh — it has every SSL certificate ever issued.

He was right. And it has a free API with no rate limits.

What Is crt.sh?

crt.sh is a Certificate Transparency log search engine run by Sectigo. Every time a CA issues an SSL certificate, it gets logged publicly. crt.sh indexes all of these logs.

This means you can find every subdomain that has ever had an SSL certificate.

The API 

# Find all certificates for a domain
curl -s "https://crt.sh/?q=%.example.com&output=json" | jq length
Enter fullscreen mode Exit fullscreen mode

Practical Example: Subdomain Discovery 

import requests

def find_subdomains(domain):
    r = requests.get(
        f"https://crt.sh/?q=%.{domain}&output=json",
        timeout=30
    )
    if r.status_code != 200:
        return []

    subdomains = set()
    for cert in r.json():
        name = cert.get("name_value", "")
        for line in name.split("\n"):
            line = line.strip().lower()
            if line.endswith(f".{domain}") or line == domain:
                subdomains.add(line)

    return sorted(subdomains)

subs = find_subdomains("github.com")
print(f"Found {len(subs)} subdomains")
for s in subs[:20]:
    print(f"  {s}")
Enter fullscreen mode Exit fullscreen mode

Typical output for a large company: 50-500+ unique subdomains.

Use Cases

1. Bug Bounty Recon

Find attack surface that the company forgot about — look for staging, dev, internal, admin subdomains.

2. Competitive Intelligence

Discover what services a competitor is building — new subdomains = new products.

3. Brand Monitoring

Detect phishing domains using your brand name — any certificate with your brand that you do not own = suspicious.

No Rate Limits

crt.sh has no official rate limits. Large queries can take 10-30 seconds. Be nice — add delays between requests.

The Security Recon Stack

Tool What It Finds
crt.sh Subdomains via certificates
Shodan Open ports and services
SecurityTrails DNS history
GreyNoise Internet scanners
AbuseIPDB IP reputation

More free security APIs: Free Security APIs

Do you use Certificate Transparency for recon? What other OSINT tools are in your toolkit? Drop your favorites in the comments!

Follow me for daily free API discoveries and security tools.

Top comments (0)