aff0gat000/certfind

certfind

A command-line tool for querying Certificate Transparency (CT) logs, probing live TLS endpoints, checking OCSP revocation status, and detecting expiring certificates.

Prerequisites

Install

# Install directly to your GOPATH/bin (works on macOS, Linux, Windows)
make install

Or build a binary for your current platform:

make build
# Binary is in dist/certfind-<os>-<arch>

Cross-compile for all platforms:

make build-all
# Outputs:
#   dist/certfind-darwin-amd64   (macOS Intel)
#   dist/certfind-darwin-arm64   (macOS Apple Silicon)
#   dist/certfind-linux-amd64
#   dist/certfind-linux-arm64
#   dist/certfind-windows-amd64.exe

Without Make

go install github.com/aff0gat000/certfind/cmd/certfind@latest

Usage

certfind [flags] <domain>

Flags

Flag            Default   Description
--expired       false     Include expired certificates in CT results
--json          false     Output as JSON
--probe         false     Live TLS probe of the main domain
--subdomains    false     Enumerate and probe subdomains from CT logs
--warn-days N   30        Expiry warning threshold in days
--no-ocsp       false     Skip OCSP revocation check during TLS probe
--workers N     10        Concurrency for subdomain probing
--port N        443       TLS port

Examples

# Basic CT log lookup
certfind example.com

# TLS probe with OCSP check
certfind --probe example.com

# Full run: CT logs + TLS probe + subdomain enumeration
certfind --probe --subdomains example.com

# JSON output
certfind --json --probe example.com

# Flag certificates expiring within a year
certfind --warn-days 365 example.com

# Skip OCSP, custom port and concurrency
certfind --probe --subdomains --no-ocsp --port 8443 --workers 20 example.com

Output Sections

In text mode, output is divided into labelled sections:

  1. CT Log Results -- certificates found in transparency logs
  2. Expiry Warnings -- certificates that are expired or expiring soon
  3. TLS Probe -- live connection details, cipher suite, OCSP status (with --probe)
  4. Subdomain Probe -- per-subdomain TLS results (with --subdomains)

In JSON mode (--json), all sections are combined into a single JSON object.

Library Usage

The certfind package can be imported and used programmatically:

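package main

import (
    "context"
    "fmt"
    "log"

    "github.com/aff0gat000/certfind"
)

func main() {
    client := certfind.NewClient()
    ctx := context.Background()

    // Query CT logs. The second return value is treated as an error here
    // and checked rather than discarded.
    certs, err := client.FetchCerts(ctx, "example.com", false)
    if err != nil {
        log.Fatalf("fetch certs: %v", err)
    }
    for _, c := range certs {
        fmt.Println(c.CommonName)
    }

    // Probe the live endpoint on port 443; stop on failure so that info
    // is never used after a failed probe.
    info, err := client.ProbeTLS(ctx, "example.com", 443, false)
    if err != nil {
        log.Fatalf("probe TLS: %v", err)
    }
    fmt.Println(info.Protocol, info.OCSPStatus)
}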
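
Names taken from CT logs for --subdomains are untrusted input and should be reduced to in-scope hostnames before anything connects to them. The following is an added example, not certfind's own code: inScopeHosts is a hypothetical helper and the sample names are constructed.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// inScopeHosts reduces DNS names from CT log entries to a sorted,
// de-duplicated list of hosts that belong to apex.
func inScopeHosts(apex string, names []string) []string {
	apex = strings.ToLower(strings.TrimSuffix(strings.TrimSpace(apex), "."))
	seen := make(map[string]bool)
	var hosts []string
	for _, raw := range names {
		// One entry may carry several names separated by whitespace.
		for _, n := range strings.Fields(raw) {
			n = strings.ToLower(strings.TrimSuffix(n, "."))
			// A wildcard is not a host; keep the parent name it covers.
			n = strings.TrimPrefix(n, "*.")
			// Match on a label boundary so "notexample.com" and
			// "example.com.other.test" do not pass as in scope.
			if n != apex && !strings.HasSuffix(n, "."+apex) {
				continue
			}
			// Drop anything that is not a plain hostname.
			if strings.ContainsAny(n, "*@/:") || strings.Contains(n, "..") ||
				strings.HasPrefix(n, ".") {
				continue
			}
			if !seen[n] {
				seen[n] = true
				hosts = append(hosts, n)
			}
		}
	}
	sort.Strings(hosts)
	return hosts
}

func main() {
	// Constructed sample names, not real CT data.
	names := []string{
		"*.example.com\nwww.example.com", "WWW.Example.com.", "api.example.com",
		"notexample.com", "example.com.other.test",
		"*.*.example.com", "user@mail.example.com",
	}
	fmt.Println(inScopeHosts("example.com", names))
}
```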

Project Structure

certfind.go        Client, options, constants
domain.go          Domain validation, Cert type
ctlog.go           CT log queries with retry
tlsprobe.go        TLS probing and OCSP checks
subdomain.go       Subdomain extraction and concurrent probing
expiry.go          Certificate expiry analysis
cmd/certfind/      CLI entry point

Development

Quick check (format, vet, test)

make ci-quick

Full CI pipeline (format, vet, lint, test, coverage, security scan, build)

make ci

Install CI tools

make tools
# Installs: goimports, golangci-lint, gosec, govulncheck

Individual targets

make fmt        # gofmt + goimports
make vet        # go vet
make lint       # golangci-lint (27 linters)
make test       # go test -race
make coverage   # coverage with 55% threshold
make scan       # gosec + govulncheck + trufflehog
make build      # static binary
make docker     # multi-stage Docker image
make help       # show all targets

Docker

make docker
docker run --rm certfind:latest --help

License

MIT
