How to use crt.sh (search for TLS server certificates)

I would like to look up the server certificates that have been issued for a website in the past. How can I find out what they are?

Objective

crt.sh is a site where you can search for server certificates issued by trusted certificate authorities. It is operated by Sectigo.

Searches are performed on crt.sh (Certificate Search).
Certificates issued by browser-trusted CAs can be found here.

Basic search methods

1. Access crt.sh.
To search for an issued certificate, enter the CN (commonName) of the subject DN (DN: Distinguished Name) and click "Search".

(Screenshot: crt.sh top screen)

Advanced search methods

1. Access crt.sh and click "Advanced…".

(Screenshot: crt.sh top screen)

2. To search with advanced conditions, click "Advanced…" on the screen above. The screen shown after clicking "Advanced…" is as follows.

(Screenshot: crt.sh Advanced screen)

3. Detailed search conditions
Some of the items are described below.

CERTIFICATE

Select search type / Usage
crt.sh ID: Every certificate in crt.sh is assigned a crt.sh ID, so if you know the number you can search for it directly. Example: "6770577750"
Serial Number: Search by serial number. A hexadecimal, colon-separated serial number can be entered as-is.
Subject Key Identifier: Search by Subject Key Identifier.

IDENTITY

Select search type / Usage
commonName (Subject): Search by commonName. Example: "world-tls.com"
organizationalUnitName (Subject): Search by organizationalUnitName.
organizationName (Subject): Search by organizationName. Only OV/EV certificates carry this field. Example: "SECOM Trust Systems CO., LTD"
dNSName (SAN): Search within the dNSName entries of the Subject Alternative Name. Example: "world-tls.com"

CA

Select search type / Usage
ID: Search by the CA ID assigned within crt.sh.
Name: Search by CA name. "%" is a wildcard. Example: "%SECOM Passport for Web EV 2.0 CA%"

(Screenshot: crt.sh CA search)

4. When the search results are displayed, select the subject DN of the certificate authority shown under "CAs".

(Screenshot: crt.sh CAs)

5. The certificate authority's information is displayed.

Item / Content
Issued Certificates: The number of certificates this CA has issued.
Unexpired: The number of certificates still within their validity period.
Expired: The number of expired certificates.
Certificates: The CA submits a precertificate to a CT log server to obtain an SCT; a "certificate" here is the final certificate with the obtained SCTs embedded in it. The Summary item on the certificate detail screen shows "Leaf certificate". See RFC 6962.
Precertificates: A certificate that the CA submits to a CT log server in order to obtain an SCT. It has no embedded SCT and is also called a pre-certificate. See RFC 6962.
Enter search term: Entering "%" matches every certificate, so all of the CA's certificates are listed.
Search options: "Exclude expired certificates?" If checked, only unexpired certificates are listed.
Search: Starts the search.

6. The certificate list screen. Searching for "%" lists every certificate issued by the CA.

(Screenshot: crt.sh full search)

The screen after filtering dNSName by %www.secomtrust.net%.

(Screenshot: crt.sh filtered search)
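The dNSName filter above, with "%" as the wildcard and the "Exclude expired certificates?" option, can also be reproduced offline over a crt.sh JSON response. The following is an added example, not code from the original article or from crt.sh; it assumes crt.sh's "?output=json" response shape (field names such as name_value and serial_number are an assumption), treats matching as case-insensitive (also an assumption), uses constructed sample data, and lists each issuance once even when both the precertificate and the leaf certificate are logged under the same serial number.

```python
import json
import re
from datetime import datetime

# Constructed sample shaped like crt.sh's JSON output ("?output=json", which the
# article does not cover; the field names are an assumption). 1001/1002 are the
# precertificate/leaf pair of one issuance, so they share issuer and serial.
SAMPLE_JSON = """[
 {"id": 1001, "issuer_ca_id": 7, "issuer_name": "CN=Example Issuing CA (placeholder)",
  "common_name": "www.example.test", "name_value": "www.example.test\\nexample.test",
  "not_before": "2024-01-01T00:00:00", "not_after": "2099-01-01T00:00:00", "serial_number": "0a1b2c"},
 {"id": 1002, "issuer_ca_id": 7, "issuer_name": "CN=Example Issuing CA (placeholder)",
  "common_name": "www.example.test", "name_value": "www.example.test\\nexample.test",
  "not_before": "2024-01-01T00:00:00", "not_after": "2099-01-01T00:00:00", "serial_number": "0a1b2c"},
 {"id": 1003, "issuer_ca_id": 7, "issuer_name": "CN=Example Issuing CA (placeholder)",
  "common_name": "old.example.test", "name_value": "old.example.test",
  "not_before": "2020-01-01T00:00:00", "not_after": "2021-01-01T00:00:00", "serial_number": "ff0102"},
 {"id": 1004, "issuer_ca_id": 9, "issuer_name": "CN=Other CA (placeholder)",
  "common_name": "mail.example.test", "name_value": "mail.example.test",
  "not_before": "2024-06-01T00:00:00", "not_after": "2099-06-01T00:00:00", "serial_number": "7788"}
]"""

def like_to_regex(pattern):
    """Turn a crt.sh-style pattern ("%" = any run of characters) into a full-match regex.
    Case-insensitive matching is an assumption, not something the article states."""
    parts = [".*" if c == "%" else re.escape(c) for c in pattern]
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)

def search_dnsname(raw_json, pattern, exclude_expired=True, now=None):
    """Mimic the dNSName(SAN) search: keep entries where any SAN matches the pattern,
    optionally drop expired ones, and report each (issuer, serial) issuance only once."""
    now = now or datetime.now()
    rx = like_to_regex(pattern)
    seen, hits = set(), []
    for e in sorted(json.loads(raw_json), key=lambda e: e["id"]):
        names = e["name_value"].split("\n")  # crt.sh joins the SANs with newlines
        if not any(rx.match(n) for n in names):
            continue
        if exclude_expired and datetime.fromisoformat(e["not_after"]) < now:
            continue
        key = (e["issuer_ca_id"], e["serial_number"].lower())
        if key in seen:  # precertificate and leaf of the same issuance: list once
            continue
        seen.add(key)
        hits.append({"id": e["id"], "issuer": e["issuer_name"], "names": names,
                     "serial": e["serial_number"]})
    return hits
```

Calling search_dnsname(SAMPLE_JSON, "%example.test") returns the two live issuances (ids 1001 and 1004); passing exclude_expired=False adds the expired entry 1003.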

7. The screen shown after clicking a crt.sh ID.

(Screenshot: crt.sh CA certificate details)

Revocation

Item / Content
OCSP Check: View the response returned by the OCSP responder.

Certificate Fingerprints

Item / Content
SHA-256: Link to the certificate's entry on Censys (a separate site).

Certificate

Item / Content
Run cablint: Checks compliance with the CA/Browser Forum Baseline Requirements.
Run x509lint: Checks X.509 compliance.
Run zlint: Checks the certificate with zlint, the linting tool created by the ZMap team.
Certificate: Download the certificate.
Serial Number: Searches for certificates with the same serial number. If both the leaf certificate and the precertificate are logged, two entries are displayed.
Issuer: View the issuer (certificate authority) of this certificate.