Certificate Transparency Skill
Purpose
Query Certificate Transparency logs to discover certificates issued for a domain, extract Subject Alternative Names (SANs), and identify internal naming conventions. CT logs are public and append-only, so they expose every publicly trusted certificate ever issued for the domain, including expired ones, precertificates and certificates for hosts that were never meant to be advertised.
Operations
- query_crt_sh_json
Query crt.sh for all certificates matching a domain.
Endpoint:
GET https://crt.sh/?q=%25.{domain}&output=json
Request Headers:
User-Agent: TechStackAgent/1.0
Accept: application/json
Process:
- URL-encode the domain with the wildcard prefix (`%` becomes `%25`). The match is LIKE-style, so `%.example.com` returns hosts under the domain but not a certificate whose only identity is the bare apex; query `q={domain}` as well if the apex matters
- Make the HTTP GET request to crt.sh
- Parse the JSON response array
- Extract certificate metadata; note that a precertificate and its final certificate share a serial number and appear as two entries, so deduplicate on serial before counting
Response Fields (one array element per logged entry; `name_value` holds all identities on the certificate separated by newlines):
{
  "issuer_ca_id": 183267,
  "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
  "common_name": "example.com",
  "name_value": "example.com\nwww.example.com\napi.example.com",
  "id": 1234567890,
  "entry_timestamp": "2024-01-15T10:30:00.000",
  "not_before": "2024-01-15T09:00:00",
  "not_after": "2024-04-15T09:00:00",
  "serial_number": "abc123..."
}
- extract_sans
Parse Subject Alternative Names from certificate data.
Process:
- Split the `name_value` field by newlines (the common name may or may not be repeated there; add it explicitly)
- Lowercase and filter for names that are the queried domain or end in `.{domain}`; multi-SAN certificates from CDNs and shared hosts routinely list unrelated domains, and a suffix check without the leading dot would accept lookalikes such as `notexample.com`
- Deduplicate entries
- Validate format (no wildcards in extracted names; wildcard names are handled by find_wildcard_certs)
- Decide whether to keep names from expired certificates: they are not live hosts, but they reveal historical naming
Example:
Input: "example.com\n*.example.com\napi.example.com\nwww.example.com"
Output: ["example.com", "api.example.com", "www.example.com"]
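The query_crt_sh_json and extract_sans steps above, as one added example (not code from the original skill). It parses a constructed crt.sh-style response embedded inline, collapses the precertificate/leaf pair on serial number, lowercases names, drops wildcards and out-of-scope SANs, and skips expired certificates unless asked to keep them. The `issuer_ca_id` values other than 183267, the serials and the DigiCert entry are constructed sample data, and `now` is passed as a string so the check is reproducible.

```python
import json
from collections import OrderedDict
from datetime import datetime, timezone

# Constructed stand-in for a crt.sh JSON response (not real crt.sh output).
# It deliberately contains: a leaf/precertificate pair sharing one serial, a
# wildcard certificate, a multi-SAN certificate that also names an unrelated
# domain and uses mixed case, and an expired certificate.
SAMPLE_RESPONSE = json.dumps([
    {"issuer_ca_id": 183267, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "example.com", "id": 1,
     "name_value": "example.com\nwww.example.com\napi.example.com",
     "entry_timestamp": "2024-01-15T10:30:00.000", "not_before": "2024-01-15T09:00:00",
     "not_after": "2024-04-15T09:00:00", "serial_number": "0a1b2c"},
    {"issuer_ca_id": 183267, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "example.com", "id": 2,  # precertificate: same serial as id 1
     "name_value": "example.com\nwww.example.com\napi.example.com",
     "entry_timestamp": "2024-01-15T10:29:58.000", "not_before": "2024-01-15T09:00:00",
     "not_after": "2024-04-15T09:00:00", "serial_number": "0A1B2C"},
    {"issuer_ca_id": 183267, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "*.example.com", "id": 3, "name_value": "*.example.com\nexample.com",
     "entry_timestamp": "2024-01-20T08:00:00.000", "not_before": "2024-01-20T07:00:00",
     "not_after": "2024-04-20T07:00:00", "serial_number": "0d4e5f"},
    {"issuer_ca_id": 0, "issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "Staging-API.example.com", "id": 4,
     "name_value": "Staging-API.example.com\nprod-api.example.com\ncdn.othercompany.net",
     "entry_timestamp": "2023-12-01T12:00:00.000", "not_before": "2023-12-01T00:00:00",
     "not_after": "2024-12-01T23:59:59", "serial_number": "1a2b3c"},
    {"issuer_ca_id": 0, "issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "old.example.com", "id": 5, "name_value": "old.example.com",
     "entry_timestamp": "2019-01-01T00:00:00.000", "not_before": "2019-01-01T00:00:00",
     "not_after": "2020-01-01T00:00:00", "serial_number": "9f8e7d"},
])


def _utc(value):
    """crt.sh timestamps are naive ISO-8601 strings in UTC."""
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def in_scope(name, domain):
    """The apex or a host beneath it; the leading dot rejects lookalikes like notexample.com."""
    return name == domain or name.endswith("." + domain)


def parse_crt_sh_response(raw_json, domain):
    """Normalise crt.sh entries and collapse precertificate/leaf pairs.

    A precertificate and its final certificate carry the same serial number and
    show up in crt.sh as two entries, which would otherwise double every count.
    """
    domain = domain.lower()
    records = OrderedDict()
    for entry in json.loads(raw_json):
        key = (entry["issuer_name"], entry["serial_number"].lower())
        if key in records:
            continue
        names = {n.strip().lower() for n in entry["name_value"].split("\n") if n.strip()}
        names.add(entry["common_name"].strip().lower())
        records[key] = {
            "id": entry["id"],
            "issuer": entry["issuer_name"],
            "common_name": entry["common_name"].lower(),
            "sans": sorted(names),
            "not_before": entry["not_before"],
            "not_after": entry["not_after"],
            "is_wildcard": any(n.startswith("*.") for n in names),
            "in_scope": any(in_scope(n, domain) for n in names),
        }
    return list(records.values())


def extract_sans(records, domain, now=None, include_expired=False):
    """Unique non-wildcard hostnames under `domain`. Expired certificates are
    skipped unless asked for; they still reveal historical host names."""
    domain = domain.lower()
    cutoff = _utc(now) if now else datetime.now(timezone.utc)
    found = set()
    for rec in records:
        if not include_expired and _utc(rec["not_after"]) < cutoff:
            continue
        for name in rec["sans"]:
            if name.startswith("*.") or not in_scope(name, domain):
                continue
            found.add(name)
    return sorted(found)


if __name__ == "__main__":
    recs = parse_crt_sh_response(SAMPLE_RESPONSE, "example.com")
    print(len(recs), "certificates after precert dedup")
    print(extract_sans(recs, "example.com", now="2024-02-01T00:00:00"))
```

With the sample above, five log entries collapse to four certificates, the unrelated `cdn.othercompany.net` SAN and the `*.example.com` wildcard are left out, and `old.example.com` only appears when `include_expired=True`.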
- identify_naming_patterns
Analyze SANs to detect internal naming conventions.
Pattern Detection (each regex is applied to the part of the hostname left of the queried domain, e.g. `us-east-api` for `us-east-api.example.com`, not to the full FQDN):
patterns = {
  "environment_prefix": r"^(prod|staging|dev|test|qa|uat)-",
  "environment_suffix": r"-(prod|staging|dev|test|qa|uat)$",
  "numbered_instances": r"(\d+)$",
  "geo_prefix": r"^(us|eu|apac|asia|emea|latam)-",
  "service_pattern": r"^(api|app|web|cdn|static|assets)-"
}
Example Output:
{
  "patterns": [
    {
      "type": "environment_prefix",
      "regex": "^(prod|staging|dev)-",
      "matches": ["prod-api", "staging-api", "dev-api"]
    },
    {
      "type": "geo_prefix",
      "regex": "^(us|eu)-",
      "matches": ["us-east-api", "eu-west-api"]
    }
  ]
}
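An added example of identify_naming_patterns (not code from the original skill) that applies the pattern table above to the label left of the domain and, going one step beyond the text, turns the environment tokens it saw into candidate hostnames it has not seen yet (observing `prod-api` and `staging-api` suggests probing `qa-api` and `uat-api`). `SAMPLE_HOSTS`, `relative_label` and `predict_environment_candidates` are constructed for this illustration.

```python
import re
from collections import defaultdict

ENV_TOKENS = ("prod", "staging", "dev", "test", "qa", "uat")

# The skill's pattern table, compiled. Each regex runs against the part of the
# hostname left of the queried domain, never against the full FQDN.
PATTERNS = {
    "environment_prefix": re.compile(r"^(prod|staging|dev|test|qa|uat)-"),
    "environment_suffix": re.compile(r"-(prod|staging|dev|test|qa|uat)$"),
    "numbered_instances": re.compile(r"(\d+)$"),
    "geo_prefix": re.compile(r"^(us|eu|apac|asia|emea|latam)-"),
    "service_pattern": re.compile(r"^(api|app|web|cdn|static|assets)-"),
}

# Constructed hostnames, in the shape extract_sans would return (not a real domain).
SAMPLE_HOSTS = [
    "prod-api.example.com", "staging-api.example.com", "dev-api.example.com",
    "us-east-api.example.com", "eu-west-api.example.com", "web01.example.com",
    "web02.example.com", "app-prod.example.com", "cdn-assets.example.com",
    "example.com", "notexample.com",
]


def relative_label(hostname, domain):
    """'us-east-api.example.com' -> 'us-east-api'; the apex or a foreign name -> None."""
    hostname, domain = hostname.lower(), domain.lower()
    if hostname == domain or not hostname.endswith("." + domain):
        return None
    return hostname[: -len(domain) - 1]


def identify_naming_patterns(hostnames, domain):
    """Group hostnames by the convention they follow and record the tokens seen."""
    matches, tokens = defaultdict(list), defaultdict(set)
    for host in sorted({h.lower() for h in hostnames}):
        label = relative_label(host, domain)
        if label is None:
            continue
        for ptype, regex in PATTERNS.items():
            found = regex.search(label)
            if found:
                matches[ptype].append(label)
                tokens[ptype].add(found.group(1))
    return [
        {"type": ptype, "pattern": regex.pattern, "matches": matches[ptype],
         "tokens": sorted(tokens[ptype])}
        for ptype, regex in PATTERNS.items() if matches[ptype]
    ]


def predict_environment_candidates(hostnames, domain):
    """Turn observed env-prefixed/suffixed hosts into unseen siblings worth probing:
    'prod-api' and 'staging-api' imply a '{env}-api' template, so try the other envs."""
    seen = {h.lower() for h in hostnames}
    templates = set()
    for host in seen:
        label = relative_label(host, domain)
        if label is None:
            continue
        prefix = PATTERNS["environment_prefix"].match(label)
        if prefix:
            templates.add("{env}-" + label[prefix.end():])
        suffix = PATTERNS["environment_suffix"].search(label)
        if suffix:
            templates.add(label[: suffix.start()] + "-{env}")
    candidates = set()
    for template in templates:
        for env in ENV_TOKENS:
            candidate = template.replace("{env}", env) + "." + domain.lower()
            if candidate not in seen:
                candidates.add(candidate)
    return sorted(candidates)


if __name__ == "__main__":
    for entry in identify_naming_patterns(SAMPLE_HOSTS, "example.com"):
        print(entry["type"], entry["matches"], entry["tokens"])
    print(predict_environment_candidates(SAMPLE_HOSTS, "example.com"))
```

Note that a single label can match more than one convention (`app-prod` is both an environment suffix and a service prefix), which is why the result is grouped per pattern rather than assigning each host one type. Candidates are only hypotheses to confirm with DNS; they are not evidence on their own.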
- find_wildcard_certs
Identify wildcard certificate usage.
Process:
- Filter certificates where the common_name or any SAN starts with "*." (a wildcard is often present only in the SAN list, so a common_name-only check misses it)
- Note wildcard scope (*.domain.com vs *.subdomain.domain.com). A TLS wildcard matches exactly one label: *.example.com covers api.example.com but neither example.com nor v1.api.example.com
- Flag the security implication: a root-domain wildcard means one private key can serve every single-label host under the domain, so it is only as safe as the least protected server that holds a copy of it
Wildcard Analysis:
{
  "wildcards": [
    {
      "pattern": "*.example.com",
      "scope": "root_domain",
      "certificates_count": 5,
      "latest_issue": "2024-01-15"
    },
    {
      "pattern": "*.api.example.com",
      "scope": "subdomain",
      "certificates_count": 2,
      "latest_issue": "2024-01-10"
    }
  ]
}
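An added example of find_wildcard_certs (not code from the original skill). It scans both CN and SANs, computes scope, and additionally checks which known hostnames each wildcard actually covers under the one-label rule, which is the part that decides how large the blast radius is. `SAMPLE_RECORDS` and `SAMPLE_HOSTS` are constructed in the shape the skill's output schema uses; record 2 carries its wildcard only in a SAN.

```python
from collections import defaultdict

# Constructed records (not real CT data) in the skill's normalised shape.
SAMPLE_RECORDS = [
    {"id": 1, "issuer": "C=US, O=Let's Encrypt, CN=R3", "common_name": "*.example.com",
     "sans": ["*.example.com", "example.com"], "not_before": "2024-01-15T09:00:00"},
    {"id": 2, "issuer": "C=US, O=Let's Encrypt, CN=R3", "common_name": "www.example.com",
     "sans": ["*.example.com", "www.example.com"], "not_before": "2023-11-02T10:00:00"},
    {"id": 3, "issuer": "C=US, O=Let's Encrypt, CN=R3", "common_name": "*.api.example.com",
     "sans": ["*.api.example.com"], "not_before": "2024-01-10T09:00:00"},
    {"id": 4, "issuer": "C=US, O=Let's Encrypt, CN=R3", "common_name": "login.example.com",
     "sans": ["login.example.com"], "not_before": "2024-01-12T09:00:00"},
]
SAMPLE_HOSTS = ["login.example.com", "api.example.com", "v1.api.example.com",
                "internal.v2.api.example.com", "www.example.com"]


def wildcard_covers(pattern, hostname):
    """A TLS wildcard matches exactly one leftmost label (RFC 6125 s. 6.4.3):
    *.example.com covers api.example.com, but not example.com or v1.api.example.com."""
    parent = pattern[2:]
    if not hostname.endswith("." + parent):
        return False
    return "." not in hostname[: -len(parent) - 1]


def wildcard_scope(pattern, domain):
    return "root_domain" if pattern[2:] == domain else "subdomain"


def find_wildcard_certs(records, domain, hostnames=()):
    """Group wildcard names taken from CN and SANs, and list which known hosts each covers."""
    domain = domain.lower()
    by_pattern = defaultdict(list)
    for rec in records:
        # Set union so a cert with the wildcard in both CN and SAN is counted once.
        for name in {rec["common_name"].lower()} | {s.lower() for s in rec["sans"]}:
            if name.startswith("*.") and (name[2:] == domain or name.endswith("." + domain)):
                by_pattern[name].append(rec)
    report = []
    for pattern in sorted(by_pattern):
        certs = by_pattern[pattern]
        scope = wildcard_scope(pattern, domain)
        report.append({
            "pattern": pattern,
            "scope": scope,
            "certificates_count": len(certs),
            "certificate_ids": sorted(c["id"] for c in certs),
            "latest_issue": max(c["not_before"] for c in certs)[:10],  # ISO strings sort by date
            "covered_hosts": sorted(h for h in hostnames if wildcard_covers(pattern, h.lower())),
            "implication": (
                "one private key serves every single-label host under the apex; a server "
                "holding it that is compromised can impersonate all of them"
                if scope == "root_domain"
                else "blast radius limited to hosts directly under " + pattern[2:]
            ),
        })
    return report


if __name__ == "__main__":
    for entry in find_wildcard_certs(SAMPLE_RECORDS, "example.com", SAMPLE_HOSTS):
        print(entry["pattern"], entry["scope"], entry["certificate_ids"], entry["covered_hosts"])
```

On the sample, `*.example.com` is found in two certificates (one of them only via a SAN) and covers `api`, `login` and `www`, while `internal.v2.api.example.com` is covered by neither wildcard and must have its own certificate or a deeper wildcard.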
Output
{
  "skill": "certificate_transparency",
  "domain": "string",
  "results": {
    "certificates": [
      {
        "id": "number",
        "issuer": "string",
        "common_name": "string",
        "sans": ["array"],
        "not_before": "date",
        "not_after": "date",
        "is_wildcard": "boolean"
      }
    ],
    "unique_subdomains": ["array"],
    "naming_patterns": [
      { "type": "string", "pattern": "string", "examples": ["array"] }
    ],
    "wildcard_analysis": { "wildcards_found": "number", "patterns": ["array"] },
    "issuers": { "issuer_name": "count" }
  },
  "evidence": [
    {
      "type": "ct_certificate",
      "id": "number",
      "common_name": "string",
      "issuer": "string",
      "timestamp": "ISO-8601"
    }
  ],
  "metadata": {
    "total_certificates": "number",
    "unique_subdomains": "number",
    "query_timestamp": "ISO-8601"
  }
}
Certificate Issuer Analysis
Track which CAs are used; the issuer hints at hosting and certificate-management practices, though it is circumstantial and should be treated as a lead, not a finding:

| Issuer | Indicates |
|---|---|
| Let's Encrypt | Free ACME issuance, automated certificate management |
| DigiCert, Sectigo | Enterprise/compliance requirements |
| Amazon (AWS Certificate Manager) | AWS infrastructure |
| Cloudflare | Cloudflare CDN/proxy |
| Google Trust Services | GCP infrastructure |
Rate Limiting
- crt.sh: limit the client to 10 requests/minute (a self-imposed budget; crt.sh publishes no quota and answers with 429 or 503 when overloaded)
- Implement exponential backoff on 429 responses, honouring a Retry-After header when one is present
- Cache results to avoid repeated queries
Error Handling
- If crt.sh returns 503, wait 30s and retry
- If a timeout occurs, retry with a longer timeout (60s)
- If JSON parsing fails, log the raw response
- Continue with partial results if some queries fail
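The rate-limiting and error-handling rules above, as an added example (not the skill's own client). `CrtShClient` wraps the query endpoint with a sliding-window limiter, backoff on 429 (respecting Retry-After) and 503, a longer timeout after a timeout, logging of non-JSON bodies, and a cache. The `transport`, `sleep` and `clock` parameters, `ScriptedTransport` and `run_offline_demo` are constructed so the policy can be exercised without touching the network; only `_http_get` actually contacts crt.sh.

```python
import json
import socket
import time
import urllib.error
import urllib.parse
import urllib.request
from collections import deque


class CrtShClient:
    """crt.sh client: sliding-window rate limit, backoff on 429/503, timeout
    escalation, and a per-domain cache so repeat queries never hit the network."""

    BASE = "https://crt.sh/"
    HEADERS = {"User-Agent": "TechStackAgent/1.0", "Accept": "application/json"}

    def __init__(self, transport=None, sleep=time.sleep, clock=time.monotonic,
                 max_per_minute=10, max_attempts=5, log=print):
        # transport(url, timeout) -> (status, retry_after_header, body); swappable for tests
        self._transport = transport or self._http_get
        self._sleep, self._clock, self._log = sleep, clock, log
        self._max_per_minute, self._max_attempts = max_per_minute, max_attempts
        self._window = deque()   # send times of recent requests
        self._cache = {}

    def _http_get(self, url, timeout):
        req = urllib.request.Request(url, headers=self.HEADERS)
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status, resp.headers.get("Retry-After"), resp.read().decode()
        except urllib.error.HTTPError as err:  # 4xx/5xx arrive as exceptions
            return err.code, err.headers.get("Retry-After"), err.read().decode(errors="replace")
        except urllib.error.URLError as err:
            if isinstance(err.reason, socket.timeout):
                raise TimeoutError(str(err.reason)) from err
            raise

    def _throttle(self):
        """Wait until fewer than max_per_minute requests were sent in the last 60 s."""
        now = self._clock()
        while self._window and now - self._window[0] >= 60:
            self._window.popleft()
        if len(self._window) >= self._max_per_minute:
            self._sleep(60 - (now - self._window[0]))
        self._window.append(self._clock())

    def query(self, domain):
        if domain in self._cache:
            return self._cache[domain]
        url = self.BASE + "?" + urllib.parse.urlencode({"q": "%." + domain, "output": "json"})
        timeout, delay, last_error = 30, 1.0, None
        for attempt in range(1, self._max_attempts + 1):
            self._throttle()
            try:
                status, retry_after, body = self._transport(url, timeout)
            except (socket.timeout, TimeoutError) as err:
                timeout, last_error = 60, err  # retry with the longer timeout, no extra wait
                continue
            if status == 200:
                try:
                    self._cache[domain] = json.loads(body)
                    return self._cache[domain]
                except json.JSONDecodeError as err:  # keep the raw body for the log
                    last_error, wait = err, delay
                    self._log(f"non-JSON body for {domain}: {body[:200]!r}")
            elif status == 429:
                wait = float(retry_after) if retry_after else delay
            elif status == 503:
                wait = 30
            else:
                raise RuntimeError(f"crt.sh returned HTTP {status} for {domain}")
            delay = min(delay * 2, 60)  # exponential backoff, capped
            self._log(f"attempt {attempt} for {domain}: HTTP {status}, sleeping {wait}s")
            self._sleep(wait)
        raise RuntimeError(f"{domain}: gave up after {self._max_attempts} attempts ({last_error})")


class ScriptedTransport:
    """Offline stand-in for _http_get: replays a fixed list of responses or exceptions."""

    def __init__(self, steps):
        self.steps, self.timeouts = list(steps), []

    def __call__(self, url, timeout):
        self.timeouts.append(timeout)
        step = self.steps.pop(0)
        if isinstance(step, Exception):
            raise step
        return step


def run_offline_demo():
    """Drive the client through 503, 429 with Retry-After, a timeout and a non-JSON
    body before a good answer, then show the limiter blocking a third request."""
    script = ScriptedTransport([
        (503, None, ""), (429, "2", ""), TimeoutError("timed out"),
        (200, None, "<html>busy</html>"), (200, None, '[{"id": 1, "common_name": "example.com"}]'),
    ])
    sleeps = []
    client = CrtShClient(transport=script, sleep=sleeps.append, clock=lambda: 1000.0, log=lambda m: None)
    result = client.query("example.com")
    client.query("example.com")  # served from the cache: no sixth transport call
    limited = CrtShClient(transport=lambda u, t: (200, None, "[]"), sleep=sleeps.append,
                          clock=lambda: 1000.0, max_per_minute=2, log=lambda m: None)
    for name in ("a.example", "b.example", "c.example"):
        limited.query(name)
    return {"result": result, "sleeps": sleeps, "timeouts": script.timeouts}
```

`run_offline_demo()` sleeps 30s for the 503, 2s for the 429 (taken from Retry-After), 4s after the non-JSON body (the doubled backoff), and 60s when the frozen-clock limiter sees a third request inside its window; the timeout passed to the transport rises from 30 to 60 after the simulated timeout. Partial-result handling belongs one level up: catch the `RuntimeError` per domain and record it alongside the domains that succeeded.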
Security Considerations
- Only query public CT logs and their aggregators (crt.sh); no interaction with the target's own infrastructure is required for this skill
- Never attempt to obtain private key material: CT logs contain only certificates and precertificates, and the private key is never present there
- Log all queries for an audit trail
- Respect crt.sh rate limits