Your Security and Uptime Depend on SSL Certificates. Do You Have Visibility?

The Cert Spotter API makes it easy to find the SSL certificates for a domain, using Certificate Transparency logs.

Get An API Key

Free for 1,000 queries / hour

Receive Early Warning of Security and Uptime Problems

  • Stop outages before they happen, by finding certificates that are about to expire.
  • Avoid losing website visitors due to browser warnings, by discovering certificates that are using out-of-date algorithms or distrusted certificate authorities.
  • Strengthen the security and reliability of your infrastructure, by detecting certificates that were issued by “shadow IT” instead of your official IT process.
  • Stop reputational damage from sub-domain takeover, by detecting certificates issued to sub-domains that were supposed to be decommissioned.
  • Prevent data theft from misissued certificates, by detecting certificates issued by compromised certificate authorities to attackers wanting to impersonate you.

Powered by Certificate Transparency, Easy to Use

Cert Spotter ingests hundreds of millions of certificates from over 40 Certificate Transparency logs, and indexes them by domain name. You can retrieve certificates by domain name using a simple JSON API.

Using the Cert Spotter API is easier than accessing Certificate Transparency logs directly:

Access Certificate Transparency logs directly:

  • You need to look for certificates in all 40+ known logs.
  • You need to update your log list when logs are created and destroyed, which happens several times a year.
  • You have to scan the entire contents of each log (over 2 billion entries, or 3TB, in total) just to find the certificates you want.
  • You have to deduplicate certificates that are found in multiple logs.
  • You have to deduplicate certificates and their equivalent precertificates.
  • You have to understand and parse Merkle Tree Leaves to get certificate data.
  • You should gossip Merkle Tree Heads with browser operators to ensure you have the same view of the log.

Use Cert Spotter API:

  • You make an API call to Cert Spotter with a domain name.
  • Cert Spotter returns certificates for that domain.

Features

  • Indexed by domain name: A simple HTTP request returns all known publicly-trusted certificates for a domain name. You can optionally request certificates for sub-domains as well, giving you a picture of an entire domain namespace.
  • Incremental monitoring: You can remember your position in the response, and query for all certificates added to Certificate Transparency since your last query. You don't have to re-download and re-process certificates you've already seen.
  • Deduplicates certificates and precertificates: When a certificate is issued, it can appear in multiple Certificate Transparency logs, in the form of a regular certificate, a precertificate, or both. The Cert Spotter API returns a single entry for each distinct issuance so you don't have to deduplicate redundant information yourself.
  • Reliable access to certificates: The Cert Spotter API reliably returns all known, unexpired certificates for a domain name, including those that were added to Certificate Transparency before you started monitoring but are not yet expired. It's not a “firehose” that drops certificates if you aren't drinking from it.

Pricing

Free for up to 1,000 queries per hour. See pricing

Get Started

You can make a limited number of API queries per hour without an account, for personal or evaluation purposes. When you're ready to launch in production, sign up for an account, which is free for up to 1,000 queries an hour.

See the API documentation