crt.sh Has a Free API — Find Every SSL Certificate for Any Domain

Certificate Transparency logs record every SSL/TLS certificate ever issued. crt.sh gives you free access to search them all — and discover subdomains that even the domain owner forgot about. No API key. No rate limits. Just add ?output=json\ to any query. Why This Matters A bug bounty hunter was testing a company's web application. The main site was hardened. But when they searched crt.sh for the company's certificates, they found 47 subdomains — including staging.company.com\, dev-api.company.com\, and old-admin.company.com\. The staging server had default credentials. Certificate Transparency reveals your entire attack surface. The Simplest API You'll Ever Use \`python import requests def find_subdomains(domain): """Find all subdomains via Certificate Transparency logs.""" response = requests.get( f"https://crt.sh/?q=%25.{domain}&output=json", timeout=30 ) if response.status_code == 200: certs = response.json() # Extract unique subdomains subdomains = set() for cert in certs: nam