Investigator Use
CertGraph Crawler is an open-source Go tool available on GitHub that enumerates subdomains and related domains by crawling SSL/TLS certificate transparency logs. It maps the certificate relationships between domains, revealing subdomains, affiliated infrastructure, and historically issued certificates that might not be discoverable through DNS enumeration alone.
For OSINT investigators conducting infrastructure reconnaissance, CertGraph provides a distinct data source from traditional DNS brute-forcing. Certificate transparency (CT) logs record every publicly trusted SSL/TLS certificate issued by certificate authorities, and each certificate contains the domain names it was issued for. CertGraph crawls these logs to extract and map all certificates associated with a target domain.
The certificate graph perspective reveals organizational relationships between domains that share certificates or certificate characteristics. When a threat actor or corporate entity uses the same certificate for multiple domains, CertGraph's graph visualization exposes these connections — revealing affiliated infrastructure that would not be visible through standard DNS or WHOIS analysis.
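The shared-certificate relationship described above, as an added example (not CertGraph's code or output): a breadth-first walk over a domain-to-certificate graph built from constructed certificate records on reserved names. `Sample`, `Affiliated`, and `normalize` are hypothetical names, and treating a wildcard SAN as its parent domain is a simplifying assumption.

```go
package main

import (
	"fmt"
	"strings"
)

// Sample maps a fingerprint label to a SAN list (constructed data, not CT log output).
var Sample = map[string][]string{
	"fp-01": {"example.test", "www.example.test", "*.example.test"},
	"fp-02": {"www.example.test", "cdn.partner.example"},
	"fp-03": {"cdn.partner.example", "api.partner.example"},
	"fp-04": {"unrelated.test"},
}

// normalize lowercases a SAN and drops a leading wildcard label (a simplification).
func normalize(name string) string {
	return strings.TrimPrefix(strings.ToLower(strings.TrimSpace(name)), "*.")
}

// Affiliated returns every domain reachable from seed via shared certificates, with hop count.
func Affiliated(certs map[string][]string, seed string, maxDepth int) map[string]int {
	byDomain := map[string][]string{} // domain -> fingerprints of certificates naming it
	for fp, sans := range certs {
		for _, s := range sans {
			byDomain[normalize(s)] = append(byDomain[normalize(s)], fp)
		}
	}
	depth := map[string]int{normalize(seed): 0}
	queue, seenCert := []string{normalize(seed)}, map[string]bool{}
	for ; len(queue) > 0; queue = queue[1:] {
		cur := queue[0]
		for _, fp := range byDomain[cur] {
			if !seenCert[fp] && depth[cur] < maxDepth {
				seenCert[fp] = true // each certificate is expanded once
				for _, s := range certs[fp] {
					d := normalize(s)
					if _, ok := depth[d]; !ok {
						depth[d] = depth[cur] + 1
						queue = append(queue, d)
					}
				}
			}
		}
	}
	return depth
}

func main() { fmt.Println(Affiliated(Sample, "example.test", 2)) }
```

The hop count is worth keeping in investigative notes: a domain one certificate away from the seed is a much stronger affiliation lead than one reached through a chain of shared certificates, which may only reflect a common CDN or hosting provider.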
Historical certificate records are particularly valuable. CT logs maintain records of all previously issued certificates, including those for domains that no longer exist or have changed ownership. Investigating the certificate history of a target domain can reveal previously used subdomains, infrastructure that has been decommissioned, and the evolution of an organization's web infrastructure over time.
For brand protection and phishing investigations, CertGraph can identify domains that have obtained certificates closely resembling a protected brand's domain — a common pre-attack step for phishing infrastructure. Certificate issuance for lookalike domains often precedes the activation of the phishing site.
CertGraph outputs a graph data structure that can be imported into visualization tools (Gephi, Maltego) for analysis of complex infrastructure relationships. The graph perspective is especially useful when investigating organizations with large, interconnected domain portfolios.
Installation requires Go. Run against target domains with appropriate authorization. For investigative documentation, record the target domain, CT log sources queried, certificate data extracted, and any affiliated domains discovered.
Before You Pivot
Record Context
Capture the target, search terms, and why this source is relevant before you leave the page.
Preserve Evidence
Archive volatile pages, save screenshots, and keep timestamps for anything that may change.
Corroborate
Treat one tool as a lead source. Confirm important findings with independent sources.
Related Tools
ARIN
Domain OSINT
ARIN is a nonprofit, member-based organization that administers IP addresses & ASNs in support of the operation and growth of the Internet.
Central Ops
Domain OSINT
Free online network tools, including traceroute, nslookup, dig, whois, ping, and our own Domain Dossier and Email Dossier. Works with IPv6.
DNS History
Domain OSINT
DNS History archives historical DNS records, letting investigators track IP changes, hosting migrations, and infrastructure pivots over time.
DNS Twister
Domain OSINT
DNS Twister generates and monitors domain permutations for typosquatting detection, brand protection, and phishing infrastructure discovery.
DomainTools
Domain OSINT
DomainTools provides WHOIS lookup, IP history, domain ownership records, and reverse WHOIS for domain and infrastructure investigation.
DomainIQ
Domain OSINT
DomainIQ provides WHOIS research, domain name investigation, brand protection tools, and cybercrime attribution resources.