1. Home
  2. Knowledge Base
  3. Public REST API Services
  4. Certificate Transparency Log API

Certificate Transparency Log API

The Certificate Transparency Log API enables proactive monitoring and auditing of SSL/TLS certificates issued for domain names. It helps verify proper issuance, spot misuse, and fortify web security by safeguarding online interactions and maintaining the trustworthiness of digital environments. The Certificate Transparency (CT) Log is a public, append-only ledger of all SSL/TLS certificates issued by trusted Certificate Authorities (CAs). Developed by Google, its primary purpose is to enhance internet security by making the process of certificate issuance transparent and publicly auditable. This transparency allows domain owners and the broader community to monitor and verify certificates, quickly detect any misissued or malicious certificates, and prevent potential security threats like man-in-the-middle attacks.

As a public service, our Certificate Transparency Log Replica hosted at https://crt.edgewatch.net/ provides an independent and readily accessible copy of the CT logs. By offering this replica, we enable organizations, security researchers, and individuals to proactively monitor and audit SSL/TLS certificates related to their domains. This service helps verify proper certificate issuance and swiftly identify any misuse, thereby fortifying web security and maintaining the trustworthiness of digital environments. Our API facilitates efficient querying and retrieval of certificate information, empowering users to safeguard their online interactions.

API Base URL

https://crt.edgewatch.net

Endpoints

GET /certificate

Retrieves issued certificates for a specified domain name.

Request Parameters

  • all_dns_names (string, required): The domain name to search for certificates. Supports exact matches and wildcards (e.g., example.com, *.example.com).
  • page (integer, optional): The page number for paginated results. Default is 1.
  • take (integer, optional): The number of records to return per page. Default is 25.
  • sort_field (string, optional): The field to sort results by. Options include not_before, not_after, etc. Default is not_after.
  • sort_direction (string, optional): The sort order of the results. Options are ASC (ascending) or DESC (descending). Default is DESC.

Sample Request

curl -X 'GET' \
  'https://crt.edgewatch.net/certificate?all_dns_names=example.com&page=1&take=25&sort_field=not_after&sort_direction=DESC' \
  -H 'accept: application/json'

Request URL

https://crt.edgewatch.net/certificate?all_dns_names=example.com&page=1&take=25&sort_field=not_after&sort_direction=DESC

Sample Response

{
  "data": [
    {
      "url": "ct.googleapis.com/daedalus",
      "cert_index": 5155,
      "chain_hash": "2ce55be7107bd0a6f02d4f080b5c5dc74a8395b863c2b88a19be3636a72fb6c0",
      "cert_der": "MIIDADCCAmmgAwIBAgIDBOvLMA0GCSqGSIb3DQEBBQUAME4xCzAJB...",
      "all_dns_names": "*.example.com",
      "not_before": 1081369782,
      "not_after": 1112992182,
      "is_valid": false
    }
  ],
  "count": 100
}

Response Fields

  • data (array): A list of certificate objects.
    • url (string): The Certificate Transparency log URL where the certificate was found.
    • cert_index (integer): The index of the certificate in the log.
    • chain_hash (string): The SHA-256 hash of the certificate chain.
    • cert_der (string): The DER-encoded certificate, Base64 encoded.
    • all_dns_names (string): The DNS names included in the certificate.
    • not_before (integer): The start time of the certificate’s validity period (Unix timestamp).
    • not_after (integer): The end time of the certificate’s validity period (Unix timestamp).
    • is_valid (boolean): Indicates if the certificate is currently valid based on the current date.
  • count (integer): The total number of certificates matching the query.

Usage Example

To retrieve certificates for example.com with default pagination and sorting:

curl -X 'GET' \
  'https://crt.edgewatch.net/certificate?all_dns_names=example.com' \
  -H 'accept: application/json'

Parameters Description

  • Domain Search (all_dns_names): Use exact domain names or wildcards to search for certificates. For example:
    • example.com searches for certificates issued to example.com.
    • *.example.com searches for certificates issued to any subdomain of example.com.
  • Pagination:
    • page: Specify the page number of results you wish to retrieve.
    • take: Define how many records to retrieve per page.
  • Sorting:
    • sort_field: Choose the field by which to sort results.
    • sort_direction: Set the sort order to ascending (ASC) or descending (DESC).

Notes

  • Time Fields: The not_before and not_after fields are provided as Unix timestamps. Convert them to human-readable dates as needed.
  • Certificate Data: The cert_der field contains the certificate data in DER format, encoded in Base64. You can decode and parse this data using appropriate tools or libraries.
  • Validity Check: The is_valid field indicates whether the certificate is currently valid, based on the not_before and not_after timestamps.

Error Handling

If an error occurs, the API will return an HTTP status code appropriate to the error, along with a JSON response containing an error message.

Sample Error Response

{
  "error": "Invalid parameter: all_dns_names is required."
}

Additional Resources

  • Swagger Documentation: Explore the API interactively using the Swagger UI.
  • Contact Support: For questions or support, please contact the API provider through their official channels.

Disclaimer

This API does not require authentication and is accessible publicly. Ensure that you comply with any usage policies or terms of service.

Was this article helpful?
Yes No

Related Articles

Need Support?

Can't find the answer you're looking for?
Contact Support