Cert Spotter API

List certificates

GET https://certspotter.com/api/v0/certs?domain=DOMAIN

The following parameters may be specified in the query string:

domain Return certificates for the given domain and all sub-domains. Also returns matching wildcard certificates. Must be at or below a registered domain. Required.
expired Include expired certificates. true or false. Default: false. This option requires you to authenticate with a paid Cert Spotter plan.
duplicate Include duplicate certificates. true or false. When false, only the most recent (pre-)certificate is returned for any given tbsCertificate. Default: false.

Response: JSON array of certificate objects

Get certificate object

GET https://certspotter.com/api/v0/certs/SHA256

SHA256 is the hex-encoded SHA-256 digest of the (pre-)certificate.

Response: certificate object

Certificate Object

A (pre-)certificate is represented by a JSON object with the following fields:

type string cert or precert
dns_names list of strings DNS identifiers, from both the Subject CN and the DNS SANs
sha256 string The hex-encoded SHA-256 digest of the raw X.509 (pre-)certificate
pubkey_sha256 string The hex-encoded SHA-256 digest of the Subject Public Key Info
issuer string The distinguished name of the certificate's issuer
not_before string The not before date, in RFC3339 format (e.g. 2016-06-16T00:00:00-00:00)
not_after string The not after date, in RFC3339 format (e.g. 2016-06-16T00:00:00-00:00)
logs list of log references A list of Certificate Transparency logs containing this (pre-)certificate
data string The raw X.509 (pre-)certificate, encoded in base64

Log Reference Object

A log reference describes when and where a (pre-)certificate has been logged, and is represented by a JSON object with the following fields:

id string The ID of the Certificate Transparency log, encoded in base64
index number The 0-based index of the (pre-)certificate's entry in the log
timestamp string The time at which the (pre-)certificate was submitted to this log, in RFC3339 format (e.g. 2017-05-04T13:39:21.071-00:00)

Get X.509 certificate (PEM)

GET https://certspotter.com/api/v0/certs/SHA256.pem

SHA256 is the hex-encoded SHA-256 digest of the X.509 (pre-)certificate.

Response: raw X.509 (pre-)certificate, encoded in PEM

Get X.509 certificate (DER)

GET https://certspotter.com/api/v0/certs/SHA256.der

SHA256 is the hex-encoded SHA-256 digest of the X.509 (pre-)certificate.

Response: raw X.509 (pre-)certificate

Authentication

If you have a paid Cert Spotter plan, you can authenticate to the API using one the following methods:

Your API key can be found on your account page.

Examples:

curl -H "Authorization: Bearer 123_sampleapikey" https://certspotter.com/api/v0/certs?...

curl -u 123_sampleapikey: https://certspotter.com/api/v0/certs?...

Unauthenticated access to the API may be subject to rate limits. Some features (indicated above) require authentication.

Start Monitoring with Cert Spotter Today

Better visibility means better uptime and security. Cert Spotter gives you the visibility you need for your certificates.

Click to sign up