Certificate Transparency
search engine.

Indexing 3,558,402,234 certificates across 4,021 segments live

Try: ···

Complementary to crt.sh — faster lookups, broader scale

CT Radar is built to sit alongside crt.sh, not to replace it. We optimize for the queries you run every day; crt.sh remains the reference for deep historical lookups across the full corpus.

  • Sub-second domain search across 1B+ certificates from Argon, Nimbus, and more — fast enough to drop into a recon pipeline.
  • crt.sh remains best for deep historical lookups and edge-case CAs we don't yet ingest. We link to it on every result so you can pivot in one click.
  • Use both — CT Radar for the hot path (CLI, API, monitoring), crt.sh as the reference oracle when you need to be sure something is authoritatively logged.

A fast Certificate Transparency search engine built for recon

CT Radar is a Certificate Transparency search engine built for security engineers, bug-bounty hunters, and OSINT investigators who need fast, programmatic access to every TLS certificate ever issued. It indexes 19 active CT logs from Google, Cloudflare, DigiCert, Sectigo, and TrustAsia in real time — roughly 1.5 billion certificates and counting — and serves searches in under a second from a custom Rust LSM-tree backend.

Alongside crt.sh, CT Radar exposes a clean REST API, JSON / NDJSON CLI output that pipes directly into httpx, nuclei, subfinder, and jq, and a generous free tier sized for automated recon workflows. crt.sh covers a deeper historical archive and edge-case CAs — every result row links straight to it.

The most common use case is passive subdomain enumeration: every TLS certificate's Subject Alternative Names (SANs) are publicly logged, so searching CT for a target domain reveals every subdomain that has ever had a certificate — staging hosts, internal admin panels, dev environments, and shadow IT that DNS scanning misses entirely. CT Radar also tracks phishing and typosquats in real time: add a domain to your watchlist and get an alert when any new certificate is issued for it.

CT Radar still surfaces certificates issued by Let's Encrypt even after LE retired its own Oak logs in 2025 — every LE certificate is co-logged to at least two non-LE operators' logs, all of which CT Radar indexes.

Pipes into your existing workflow

recon — httpx
# discover subdomains → probe live hosts
$ ct-radar target.com | httpx -silent
https://api.target.com [200]
https://staging.target.com [403]
https://admin.target.com [401]
https://dev-internal.target.com [200]
recon — nuclei
# discover → probe → scan in one pipeline
$ ct-radar target.com | httpx -silent | nuclei -t exposures/
[exposed-panels] https://admin.target.com
[git-config] https://dev-internal.target.com
recon — api
# direct API access with your key
$ curl -s -H "X-API-Key: $KEY" \
"https://cert.imfht.com/api/search?q=target.com" | jq '.results[].domain'
recon — subfinder combo
# merge with subfinder for max coverage
$ { ct-radar target.com; subfinder -d target.com; } | sort -u
api.target.com
cdn.target.com
dev-internal.target.com
mail.target.com
... 847 unique subdomains
Works withhttpxnucleisubfindernaabukatanajq— or any tool that reads stdin

Frequently asked questions

What is Certificate Transparency?

Certificate Transparency (CT) is an open framework, originally proposed by Google in RFC 6962, that requires every public Certificate Authority to log every TLS certificate they issue to public, append-only logs. Browsers like Chrome and Safari refuse to trust certificates that aren't logged. The result: a complete public ledger of every HTTPS certificate ever issued — which CT Radar indexes and makes searchable.

How is CT Radar different from crt.sh?

crt.sh is the de-facto standard but is famously slow, frequently times out on large queries, has a strict 5 req/min rate limit, and offers no official API. CT Radar provides sub-second LSM-tree backed search, a clean REST API, generous free quotas, and CLI tools that pipe directly into recon workflows (httpx, nuclei, subfinder).

Can I find all subdomains of a domain using Certificate Transparency?

Yes. Every TLS certificate's Subject Alternative Names (SANs) are publicly logged, so searching CT logs for a base domain reveals historical subdomains — including staging, internal, and previously-existed hosts that no longer resolve in DNS. This is the most reliable passive subdomain enumeration technique. Use ct-radar example.com to dump them.

Which CT logs does CT Radar index?

CT Radar continuously syncs 19 active CT logs across 5 operators: Google Argon (US) and Xenon (EU), Cloudflare Nimbus, DigiCert Wyvern and Sphinx, Sectigo Elephant, and TrustAsia. Total index size is approximately 1.5 billion certificates and growing. Note that Let's Encrypt retired its Oak logs in 2025 — LE-issued certificates are still visible because they are co-logged to other operators' logs.

Is there a CT Radar API?

Yes. The REST API is documented and accessible with a free API key. Endpoint pattern: GET /api/search?q=<domain>. Pipe-friendly newline-delimited output is available via the ct-radar CLI for shell pipelines. Free tier covers most recon use; Pro and Enterprise tiers lift quotas.

Does CT Radar monitor domains for new certificates in real time?

Yes. Add a domain to your watchlist after signing in and CT Radar will alert you whenever a new certificate is issued for the domain or any subdomain. Useful for detecting unauthorized issuance, phishing, typosquats, and shadow IT.

How fresh is the data?

Active CT logs are polled continuously — new certificates typically appear in CT Radar within 60 seconds of being submitted to a log. Historical backfill of older logs (Argon 2023, Argon 2024) is ongoing.

Can I use CT Radar data commercially?

The underlying CT log data is public-domain (CC0) by design. CT Radar's API access tiers govern request volume, not data licensing. Bulk export and commercial integrations are supported on the Enterprise tier.

CT Radar — open data, fast queries, real-time CT log indexing.