certgrep Guide
Searching Certificate Transparency Logs
certgrep is a Certificate Transparency (CT) log search tool built by Have I Been Squatted. Use it to discover newly issued certificates, detect brand impersonation, and investigate suspicious domains.
Quick Start
- Visit certgrep.sh
- Select a search mode (Regex, Wildcard, Contains, Starts With, or Ends With)
- Enter your pattern and click Search
Search Modes
certgrep supports five search modes, each optimized for different use cases:
| Mode | Description | Example | Use Case |
|---|---|---|---|
| Regex | Full regular expression matching | paypal-.* | Complex pattern matching |
| Wildcard | Prefix wildcard matching | *.example.com | Subdomain discovery |
| Contains | Substring match anywhere | paypal | Broad brand monitoring |
| Starts With | Prefix match | secure- | Common phishing prefix detection |
| Ends With | Suffix match | .bank | TLD-specific searches |
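To make the five modes concrete, here is an added Python example (not code from certgrep or Have I Been Squatted) that applies each mode to a constructed list of names. The guide does not spell out certgrep's exact matching rules, so the example assumes that a regex is matched against the whole name (which the guide's own patterns such as `paypal-.*` and `.*-login\.com` imply), that a wildcard pattern's leading `*` stands for any prefix, and that every mode is case-insensitive; the entries in `SAMPLE_NAMES` and the function names are made up for the example.

```python
import re

# Constructed sample of names as they might appear in certgrep results.
# Illustrative only, not real search output.
SAMPLE_NAMES = [
    "paypal-login.com",
    "login.example.com",
    "secure-update.example.org",
    "api.staging.example.com",
    "vpn.corp.example.net",
    "brand-support.tk",
    "mybank.bank",
    "notpaypal.info",
]

MODES = ("regex", "wildcard", "contains", "starts_with", "ends_with")


def matches(name: str, mode: str, pattern: str) -> bool:
    """Return True when `name` satisfies `pattern` under the given search mode.

    Assumptions, since the guide does not state certgrep's exact rules:
    - regex is matched against the whole name (re.fullmatch), which is what
      the guide's examples such as paypal-.* and .*-login\\.com imply;
    - wildcard is a prefix wildcard: a leading '*' stands for any prefix,
      so '*.example.com' matches login.example.com but not example.com;
    - every mode is case-insensitive, because DNS names are.
    """
    name = name.lower()
    if mode == "regex":
        try:
            return re.fullmatch(pattern, name, re.IGNORECASE) is not None
        except re.error as exc:
            raise ValueError(f"invalid regex {pattern!r}: {exc}") from exc
    pattern = pattern.lower()
    if mode == "wildcard":
        if pattern.startswith("*"):
            return name.endswith(pattern[1:])
        return name == pattern
    if mode == "contains":
        return pattern in name
    if mode == "starts_with":
        return name.startswith(pattern)
    if mode == "ends_with":
        return name.endswith(pattern)
    raise ValueError(f"unknown search mode {mode!r}; expected one of {MODES}")


def search(mode: str, pattern: str, names=SAMPLE_NAMES) -> list[str]:
    """Run one certgrep-style query over a list of names and return the hits."""
    return [n for n in names if matches(n, mode, pattern)]


# Regex patterns taken from the guide's Regex Examples section, with the
# purpose each one serves.
GUIDE_REGEXES = {
    r"paypal-.*": "names starting with paypal-",
    r".*-login\.com": "common phishing suffix",
    r"staging\..*": "internal subdomain",
    r"vpn\..*": "VPN portal",
    r".*\.tk": "free TLD often used in phishing",
}

if __name__ == "__main__":
    for mode, pattern in [("regex", r"paypal-.*"), ("wildcard", "*.example.com"),
                          ("contains", "paypal"), ("starts_with", "secure-"),
                          ("ends_with", ".bank")]:
        print(f"{mode:11} {pattern:16} -> {search(mode, pattern)}")
    for pattern, purpose in GUIDE_REGEXES.items():
        print(f"regex       {pattern:16} ({purpose}) -> {search('regex', pattern)}")
```

One consequence of whole-name anchoring worth knowing: `staging\..*` only catches names whose first label is `staging`, so `api.staging.example.com` is not a hit; a Contains search for `staging.` is the broader net.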
Regex Examples
Regex mode provides the most flexibility. Here are common patterns:
```
# Match any domain starting with "paypal-"
paypal-.*

# Match common phishing suffixes
.*-login\.com
.*-secure\.com
.*-support\.com

# Internal subdomains
internal\..*
staging\..*
dev\..*

# VPN and admin portals
vpn\..*
admin\..*

# Free/suspicious TLDs often used in phishing
.*\.tk
.*\.gq
.*\.ml
.*\.cf
.*\.xyz
```
Understanding Results
Search results display a table with the following columns:
Name
The matched domain name. If the domain is part of a registrable domain (e.g., login.example.com under example.com), the registrable domain appears below it.
Occurrences
The number of times this domain has been observed in CT logs. Click the count to view the full timeline of certificate occurrences.
Last Seen
Timestamp of the most recent certificate observation for this domain.
Precertificates
Some results display a Pre-cert badge. This indicates the match comes from a precertificate only (no final X.509 certificate has been observed yet).
Certificate Details
After the initial search, certificate details are loaded for each result:
- Subject: The certificate’s Subject Distinguished Name (DN), parsed into fields like CN (Common Name), O (Organization), etc.
- Issuer: The issuing Certificate Authority’s Distinguished Name
- SANs: Subject Alternative Names—all domains covered by the certificate
Filtering Results
Use the Filter button to narrow results by column value:
| Column | Filterable Fields |
|---|---|
| Name | Domain name or registrable domain |
| Subject | Any DN field, or specific: CN, O, OU, C, ST, L |
| Issuer | Any DN field, or specific: CN, O, OU, C, ST, L |
| SANs | Any SAN entry |
DN Sub-field Filtering
When filtering the Subject or Issuer columns, you can target specific Distinguished Name fields:
- CN – Common Name
- O – Organization
- OU – Organizational Unit
- C – Country
- ST – State/Province
- L – Locality/City
Precertificate Toggle
Use the Pre-certs toggle in the filter panel to include or exclude pre-certificate-only matches. Disabling this can reduce noise when focusing on issued certificates.
Viewing Certificate Details
Click the Occurrences count to open the detail dialog. This displays:
Timeline View
All certificate observations for the domain, sorted by most recent first. Each entry shows:
- Timestamp: When the certificate was logged
- Log ID: The CT log identifier
- Latest badge: Marks the most recent observation
Certificate Information
For each occurrence:
- Subject & Issuer: Full Distinguished Names, parsed and formatted
- Validity: Not Before and Not After dates
- Identifiers: Serial number and SHA-256 fingerprint
- SANs: All Subject Alternative Names (up to 20 displayed, with count for additional)
Copy Options
Use the Copy as dropdown to export occurrence data:
Human-readable text format:
```
Domain: login.example.com
Occurrences: 3

2024-12-20T10:30:00.000Z log_id=42 index=12345 kind=1
  subject_dn: CN=login.example.com
  issuer_dn: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
  not_before: 2024-12-20T00:00:00.000Z
  not_after: 2025-03-20T00:00:00.000Z
  serial: 03:a1:b2:c3:...
  san_dns: login.example.com, www.example.com
```
Tabular format for spreadsheet analysis:
```csv
name,ts_sec,log_id,index,kind,subject_dn,issuer_dn,not_before,not_after,serial,fingerprint_sha256,san_dns_count,san_dns
login.example.com,1734693000,42,12345,1,"CN=login.example.com","CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US",1734652800,1742428800,03:a1:b2:c3:...,abc123...,2,"login.example.com; www.example.com"
```
Structured format for programmatic use:
```json
{
  "name": "login.example.com",
  "occurrences": [
    {
      "log_id": 42,
      "kind": 1,
      "ts_sec": 1734693000,
      "index": 12345,
      "cert": {
        "subject_dn": "CN=login.example.com",
        "issuer_dn": "CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US",
        "not_before": 1734652800,
        "not_after": 1742428800,
        "san_dns": ["login.example.com", "www.example.com"]
      }
    }
  ]
}
```
Exporting Results
Export the full results table using the Export dropdown:
CSV Export
Includes: name, registrable domain, occurrences, last seen, subject, issuer, and SANs (semicolon-separated).
JSON Export
Full structured data including all certificate fields and metadata.
Column Visibility
Click the Columns button to toggle which columns are displayed. This is useful for focusing on specific data points or reducing visual clutter on smaller screens.
Integration with Have I Been Squatted
Each result row includes an Analyze button (magnifying glass icon) that opens the domain in Have I Been Squatted for deeper investigation:
- Typosquatting permutation analysis
- WHOIS/RDAP registration data
- Passive DNS history
- Phishing classification
Best Practices
Brand Monitoring
- Use regex patterns like `yourbrand-.*` and `.*-yourbrand.*` to catch impersonation attempts
- Monitor common phishing suffixes: `-login`, `-secure`, `-support`, `-verify`
Threat Hunting
- Search for suspicious TLDs (`.tk`, `.ml`, `.cf`, `.gq`) combined with brand terms
- Look for certificate bursts: many certs issued in a short window can indicate campaign preparation
Infrastructure Discovery
- Use wildcard searches to enumerate subdomains: `*.target.com`
- Filter by Issuer to identify which CAs are being used
Reducing Noise
- Disable pre-certificates if you only care about issued certs
- Use Subject/Issuer filters to exclude known-good CAs like internal PKI
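The structured copy format under Copy Options is meant for scripts, and two of the tips above (spotting certificate bursts, seeing which CAs are in use) are easy to automate over it. The following added Python example (not certgrep's code) parses a constructed document in that format, sorts the timeline, counts issuers, reports each certificate's validity period, and flags bursts with a sliding window. The window size and threshold are assumed tuning knobs, and every value in `SAMPLE_JSON` is made up; only the field names follow the guide.

```python
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed "Copy as" structured output for one domain. Field names follow
# the guide's format; the values (timestamps, log ids, issuers) are made up.
SAMPLE_JSON = """
{
  "name": "login.example.com",
  "occurrences": [
    {"log_id": 42, "kind": 1, "ts_sec": 1734693000, "index": 12345,
     "cert": {"subject_dn": "CN=login.example.com",
              "issuer_dn": "CN=R3,O=Let's Encrypt,C=US",
              "not_before": 1734652800, "not_after": 1742428800,
              "san_dns": ["login.example.com", "www.example.com"]}},
    {"log_id": 17, "kind": 1, "ts_sec": 1734690000, "index": 88001,
     "cert": {"subject_dn": "CN=login.example.com",
              "issuer_dn": "CN=R3,O=Let's Encrypt,C=US",
              "not_before": 1734652800, "not_after": 1742428800,
              "san_dns": ["login.example.com"]}},
    {"log_id": 42, "kind": 1, "ts_sec": 1734000000, "index": 12000,
     "cert": {"subject_dn": "CN=login.example.com,O=Example Corp,C=US",
              "issuer_dn": "CN=Example Corp Internal CA,O=Example Corp,C=US",
              "not_before": 1733961600, "not_after": 1765497600,
              "san_dns": ["login.example.com"]}},
    {"log_id": 42, "kind": 1, "ts_sec": 1734691500, "index": 12344,
     "cert": {"subject_dn": "CN=login.example.com",
              "issuer_dn": "CN=R3,O=Let's Encrypt,C=US",
              "not_before": 1734652800, "not_after": 1742428800,
              "san_dns": ["login.example.com", "www.example.com"]}},
    {"log_id": 17, "kind": 1, "ts_sec": 1734300000, "index": 87500,
     "cert": {"subject_dn": "CN=login.example.com,O=Example Corp,C=US",
              "issuer_dn": "CN=Example Corp Internal CA,O=Example Corp,C=US",
              "not_before": 1733961600, "not_after": 1765497600,
              "san_dns": ["login.example.com"]}},
    {"log_id": 23, "kind": 1, "ts_sec": 1734690600, "index": 55010,
     "cert": {"subject_dn": "CN=login.example.com",
              "issuer_dn": "CN=R3,O=Let's Encrypt,C=US",
              "not_before": 1734652800, "not_after": 1742428800,
              "san_dns": ["login.example.com"]}}
  ]
}
"""


def load_occurrences(text: str):
    """Parse the structured copy format; return (name, occurrences oldest first)."""
    data = json.loads(text)
    occurrences = sorted(data["occurrences"], key=lambda o: o["ts_sec"])
    return data["name"], occurrences


def iso(ts_sec: int) -> str:
    """Render an epoch-seconds value as the guide's UTC timestamp style."""
    return datetime.fromtimestamp(ts_sec, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def validity_days(cert: dict) -> float:
    """Lifetime of a certificate in days, from its not_before/not_after fields."""
    return (cert["not_after"] - cert["not_before"]) / 86400


def issuer_counts(occurrences) -> Counter:
    """How many observations each issuing CA accounts for (Infrastructure Discovery tip)."""
    return Counter(o["cert"]["issuer_dn"] for o in occurrences)


def find_bursts(occurrences, window_sec: int = 3600, threshold: int = 3):
    """Flag runs of >= threshold observations within window_sec of each other.

    Sliding two-pointer window over the sorted timestamps; overlapping windows
    are merged so each burst is reported once as (first_ts, last_ts, count).
    window_sec and threshold are assumed knobs to tune per brand.
    """
    ts = [o["ts_sec"] for o in occurrences]  # load_occurrences() sorted these
    spans: list[list[int]] = []
    j = 0
    for i in range(len(ts)):
        while j < len(ts) and ts[j] - ts[i] <= window_sec:
            j += 1
        if j - i >= threshold:
            if spans and i < spans[-1][1]:      # overlaps previous burst: extend it
                spans[-1][1] = max(spans[-1][1], j)
            else:
                spans.append([i, j])
    return [(ts[a], ts[b - 1], b - a) for a, b in spans]


if __name__ == "__main__":
    name, occ = load_occurrences(SAMPLE_JSON)
    print(f"{name}: {len(occ)} observations")
    for o in occ:
        c = o["cert"]
        print(f"  {iso(o['ts_sec'])} log_id={o['log_id']} {c['issuer_dn']} "
              f"valid {validity_days(c):.0f}d")
    print("issuers:", dict(issuer_counts(occ)))
    for first, last, n in find_bursts(occ):
        print(f"BURST: {n} certs between {iso(first)} and {iso(last)}")
```

For a domain that normally renews one 90-day certificate at a time, four observations inside an hour, all from a public CA rather than the internal PKI that issued the earlier ones, is exactly the pattern the Threat Hunting tip describes and is worth a closer look in Have I Been Squatted.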