API to retrieve known SSL certificates

dash-crypto
#1

Is there, or could there be, an API to retrieve all currently valid SSL certificates issued through Universal SSL for a customer’s domain?

The idea would be to get a list of known-legitimate certificates which the domain owner could then compare against the Certificate Transparency logs to detect any mismatches.

#2

These would probably be the best place to start:

https://api.cloudflare.com/#analyze-certificate-analyze-certificate
https://api.cloudflare.com/#certificate-packs-list-certificate-packs

I’m not sure there’s an endpoint that will give historic issuances which may still be valid though.

#3

Thanks! That looks promising. I'd prefer a serial number or fingerprint that could be matched uniquely against the CT logs, but I guess I could match them up based on the SNI and notBefore/notAfter dates or something :)
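The comparison sketched in this thread, as an added example that is not part of the original posts or of any vendor's tooling: a known-legitimate inventory is matched against CT log entries for the domain, by SHA-256 fingerprint (or serial) where the inventory exposes one, and by SAN set plus notBefore/notAfter as the weaker fallback described in the reply above. Both lists, the field names and the "DER" byte strings are constructed sample data; a real run would take the inventory from the certificate-packs endpoint and the entries from a CT log search.

```python
"""Flag CT log entries for a domain that match no known-legitimate certificate.

Added example. The inventory and CT rows below are constructed sample data;
the field names (fingerprint, serial, sans, not_before, not_after) are
assumptions, not any API's schema.
"""
import hashlib
from datetime import datetime, timezone


def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding, the fingerprint CT search tools display."""
    return hashlib.sha256(der).hexdigest()


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def covers(sans, host: str) -> bool:
    """True if an exact SAN or a single-label wildcard SAN covers host."""
    if host in sans:
        return True
    parent = host.partition(".")[2]
    return bool(parent) and f"*.{parent}" in sans


def matches_known(entry, known):
    """Return how a CT entry matches the inventory ("fingerprint", "serial",
    "sans+validity") or None. Only fingerprint/serial identify a certificate
    uniquely; the SAN+validity fallback is used solely for inventory rows that
    carry no fingerprint, since a mis-issued cert can copy those fields."""
    for k in known:
        if k.get("fingerprint") and k["fingerprint"] == entry.get("fingerprint"):
            return "fingerprint"
        if k.get("serial") and k["serial"] == entry.get("serial"):
            return "serial"
    for k in known:
        if k.get("fingerprint") or k.get("serial"):
            continue  # identifiable rows already failed above; no fallback
        if (set(k["sans"]) == set(entry["sans"])
                and k["not_before"] == entry["not_before"]
                and k["not_after"] == entry["not_after"]):
            return "sans+validity"
    return None


def find_unexpected(ct_entries, known, domain, now):
    """CT entries covering `domain` and valid at `now` that match nothing known."""
    out = []
    for e in ct_entries:
        if not covers(e["sans"], domain):
            continue  # issued for some other name
        if not parse_ts(e["not_before"]) <= now < parse_ts(e["not_after"]):
            continue  # expired or not yet valid: not a live risk
        if matches_known(e, known) is None:
            out.append(e)
    return out


# Constructed stand-ins for DER bytes (not real certificates).
DER_A = b"constructed DER bytes, cert A"
DER_B = b"constructed DER bytes, cert B"
DER_ROGUE = b"constructed DER bytes, cert issued without the owner's knowledge"
DER_OLD = b"constructed DER bytes, expired cert"

# Inventory of known-legitimate certs; the second row has no fingerprint,
# modelling an API that only returns hostnames and validity dates.
KNOWN = [
    {"fingerprint": sha256_fingerprint(DER_A), "sans": ["example.com", "*.example.com"],
     "not_before": "2024-01-01T00:00:00Z", "not_after": "2024-04-01T00:00:00Z"},
    {"fingerprint": None, "sans": ["example.com", "*.example.com"],
     "not_before": "2024-03-20T00:00:00Z", "not_after": "2024-06-20T00:00:00Z"},
]

# Constructed CT log rows.
CT_ENTRIES = [
    {"id": 1, "issuer": "Issuer A", "fingerprint": sha256_fingerprint(DER_A),
     "sans": ["example.com", "*.example.com"],
     "not_before": "2024-01-01T00:00:00Z", "not_after": "2024-04-01T00:00:00Z"},
    {"id": 2, "issuer": "Issuer A", "fingerprint": sha256_fingerprint(DER_B),
     "sans": ["*.example.com", "example.com"],
     "not_before": "2024-03-20T00:00:00Z", "not_after": "2024-06-20T00:00:00Z"},
    {"id": 3, "issuer": "Issuer B", "fingerprint": sha256_fingerprint(DER_ROGUE),
     "sans": ["example.com", "mail.example.com"],
     "not_before": "2024-03-25T00:00:00Z", "not_after": "2024-06-25T00:00:00Z"},
    {"id": 4, "issuer": "Issuer B", "fingerprint": sha256_fingerprint(DER_OLD),
     "sans": ["example.com"],
     "not_before": "2023-01-01T00:00:00Z", "not_after": "2023-04-01T00:00:00Z"},
    {"id": 5, "issuer": "Issuer A", "fingerprint": sha256_fingerprint(b"other"),
     "sans": ["other.example.net"],
     "not_before": "2024-03-01T00:00:00Z", "not_after": "2024-06-01T00:00:00Z"},
]

NOW = parse_ts("2024-03-28T12:00:00Z")


def report(domain="example.com", now=NOW):
    """(id, issuer) of every unexpected, currently valid issuance for domain."""
    return [(e["id"], e["issuer"]) for e in find_unexpected(CT_ENTRIES, KNOWN, domain, now)]


if __name__ == "__main__":
    for cert_id, issuer in report():
        print(f"unexpected certificate in CT: entry {cert_id} from {issuer}")
```

Entry 1 is accepted by fingerprint, entry 2 only by the weaker SAN+validity match, entry 4 is ignored as expired and entry 5 as another name; entry 3 is the one the domain owner would want to investigate. Treating "sans+validity" matches as lower confidence in the report is worth doing, since anyone who can obtain a certificate for the names can also choose the same validity window.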