- Home
- Skills
- Transilienceai
- Communitytools
- Certificate Transparency
certificate_transparency_skill
- Python
42
GitHub Stars
1
Bundled Files
2 months ago
Catalog Refreshed
4 months ago
First Indexed
Readme & install
Copy the install command, review bundled files from the catalogue, and read any extended description pulled from the listing source.
Installation
Preview and clipboard use veilstrat where the catalogue uses aiagentskills.
npx veilstrat add skill transilienceai/communitytools --skill certificate_transparency- SKILL.md5.0 KB
Overview
This skill queries public Certificate Transparency (CT) logs to find certificates issued for a target domain, extracts Subject Alternative Names (SANs), and surfaces subdomains and internal naming conventions. It helps security researchers, bug bounty hunters, and penetration testers expand asset inventories and identify naming patterns or wildcard certificate usage that may indicate risk.
How this skill works
The skill requests crt.sh JSON results for a wildcard query of the target domain, parses certificate entries, and extracts SANs by splitting the name_value field and deduplicating valid hostnames. It analyzes SAN lists with lightweight regex patterns to detect environment, service, geo, and numbering conventions, and separately flags wildcard certificates and their scope. Results include certificate metadata, unique subdomains, issuer counts, naming patterns, and evidence entries for traceability.
When to use it
- During reconnaissance to discover subdomains not present in DNS or asset inventories
- Before or during a penetration test to prioritize targets by certificate issuance dates or issuers
- When investigating unexpected or internal naming conventions that reveal environment or topology
- To identify wildcard certificate usage that could broaden attack surface
- As part of asset monitoring to detect new certificate issuances for a domain
Best practices
- Respect crt.sh rate limits (max ~10 requests/min); implement caching and exponential backoff
- Validate and filter SAN entries to remove wildcards and non-domain strings before use
- Correlate CT findings with DNS, passive DNS, and other discovery sources to reduce false positives
- Log queries and preserve evidence timestamps for auditability and reporting
- Retry on transient errors (503, timeouts) with increasing timeouts and preserve partial results
Example use cases
- Run a wildcard crt.sh query for example.com to enumerate issued certificates and extract subdomains for scope mapping
- Detect environment prefixes like prod-, dev-, or staging- to infer production vs test assets
- Identify *.example.com wildcard certs and quantify their scope and issuance recency
- Count issuer occurrences (Let’s Encrypt, DigiCert, AWS) to infer hosting or automation practices
- Monitor for new certificate issuances to detect newly provisioned services or possible misconfigurations
FAQ
No. The skill only queries public Certificate Transparency logs and extracts publicly published certificate metadata; it never accesses private keys.
How are wildcard SANs handled?
Wildcard entries are detected and reported separately. The extraction step filters out wildcard names from the unique subdomain list but includes wildcard analysis with scope and counts.