certificate_transparency_skill

This skill queries Certificate Transparency logs to discover SANs, infer subdomain patterns, and surface potential internal naming conventions for security
  • Python

42

GitHub Stars

1

Bundled Files

2 months ago

Catalog Refreshed

4 months ago

First Indexed

Readme & install

Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.

Installation

Preview and clipboard use veilstrat where the catalogue uses aiagentskills.

npx veilstrat add skill transilienceai/communitytools --skill certificate_transparency

  • SKILL.md5.0 KB

Overview

This skill queries public Certificate Transparency (CT) logs to find certificates issued for a target domain, extracts Subject Alternative Names (SANs), and surfaces subdomains and internal naming conventions. It helps security researchers, bug bounty hunters, and penetration testers expand asset inventories and identify naming patterns or wildcard certificate usage that may indicate risk.

How this skill works

The skill requests crt.sh JSON results for a wildcard query of the target domain, parses certificate entries, and extracts SANs by splitting the name_value field and deduplicating valid hostnames. It analyzes SAN lists with lightweight regex patterns to detect environment, service, geo, and numbering conventions, and separately flags wildcard certificates and their scope. Results include certificate metadata, unique subdomains, issuer counts, naming patterns, and evidence entries for traceability.

When to use it

  • During reconnaissance to discover subdomains not present in DNS or asset inventories
  • Before or during a penetration test to prioritize targets by certificate issuance dates or issuers
  • When investigating unexpected or internal naming conventions that reveal environment or topology
  • To identify wildcard certificate usage that could broaden attack surface
  • As part of asset monitoring to detect new certificate issuances for a domain

Best practices

  • Respect crt.sh rate limits (max ~10 requests/min); implement caching and exponential backoff
  • Validate and filter SAN entries to remove wildcards and non-domain strings before use
  • Correlate CT findings with DNS, passive DNS, and other discovery sources to reduce false positives
  • Log queries and preserve evidence timestamps for auditability and reporting
  • Retry on transient errors (503, timeouts) with increasing timeouts and preserve partial results

Example use cases

  • Run a wildcard crt.sh query for example.com to enumerate issued certificates and extract subdomains for scope mapping
  • Detect environment prefixes like prod-, dev-, or staging- to infer production vs test assets
  • Identify *.example.com wildcard certs and quantify their scope and issuance recency
  • Count issuer occurrences (Let’s Encrypt, DigiCert, AWS) to infer hosting or automation practices
  • Monitor for new certificate issuances to detect newly provisioned services or possible misconfigurations

FAQ

No. The skill only queries public Certificate Transparency logs and extracts publicly published certificate metadata; it never accesses private keys.

How are wildcard SANs handled?

Wildcard entries are detected and reported separately. The extraction step filters out wildcard names from the unique subdomain list but includes wildcard analysis with scope and counts.

Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational
certificate_transparency skill by transilienceai/communitytools | VeilStrat