Packages and Binaries:


This package contains a tool to crawl the graph of certificate Alternate Names. CertGraph crawls SSL certificates creating a directed graph where each domain is a node and the certificate alternative names for that domain’s certificate are the edges to other domain nodes. New domains are printed as they are found. In Detailed mode upon completion the Graph’s adjacency list is printed.

Crawling defaults to collecting certificate by connecting over TCP, however there are multiple drivers that can search Certificate Transparency logs.

This tool was designed to be used for host name enumeration via SSL certificates, but it can also show you a “chain” of trust between domains and the certificates that re-used between them.

Installed size: 6.37 MB
How to install: sudo apt install certgraph

  • libc6
root@kali:~# certgraph -h
Usage of certgraph: [OPTION]... HOST...
    	include certificates from CDNs
    	include expired certificates in certificate transparency search
    	include sub-domains in certificate transparency search
  -depth uint
    	maximum BFS depth to go (default 5)
    	print details about the domains crawled
    	check for DNS records to determine if domain is registered
  -driver string
    	driver to use [crtsh, google, http, smtp] (default "http")
    	print the graph as json, can be used for graph in web UI
  -parallel uint
    	number of certificates to retrieve in parallel (default 10)
  -sanscap int
    	maximum number of uniq TLD+1 domains in certificate to include, 0 has no limit (default 80)
  -save string
    	save certs to folder in PEM format
  -timeout uint
    	tcp timeout in seconds (default 10)
    	for every domain found, add tldPlus1 of the domain's parent
    	Update the default Public Suffix List
    	verbose logging
    	print version and exit

Updated on: 2022-Dec-08