
Certstream server in Rust for real-time CT log streaming

Drop-in replacement for certstream-server and certstream-server-go. Stream certificates via WebSocket and SSE. Monitor 80+ Certificate Transparency logs with static-CT-API v1.0.0-rc.1 + RFC6962 support.

~118 MiB RSS, 100 WS clients
±5 MiB Plateau swing
~1K/s Sustained ingest
13% CPU (100 clients)

docker run -d -p 8080:8080 ghcr.io/reloading01/certstream-server-rust:latest

What you get

Built for security teams, researchers, and developers who need reliable CT monitoring

Multi-protocol streaming

WebSocket and SSE (Server-Sent Events). Pick the protocol that fits your stack. WebSocket for real-time clients, SSE for browsers and pipelines.

State persistence

Resume from last position after restart. No certificate loss during maintenance or updates. Configurable state file.

Connection limiting

Per-IP and total connection limits. Production-ready protection against abuse.

Token authentication

Bearer token based auth for API access control. Multiple tokens supported. Configurable header name.

Hot reload config

Config changes apply without restart. File watcher detects updates. Zero-downtime configuration.

CT log health

Automatic retry with exponential backoff. Circuit breaker for unhealthy logs. Configurable health thresholds.

Prometheus metrics

Built-in /metrics endpoint. Connection counts per protocol, message throughput, CT log health.

Performance

Parallel containers on the same Docker host, default config, 100 concurrent WebSocket clients, 10-minute plateau window (v1.5.0)

| Metric | Rust (1.5.0) | Go (0rickyy0) |
| --- | --- | --- |
| Memory — idle (no clients) | 113–118 MiB | n/a (measured under load) |
| Memory — avg, 100 clients | 117 MiB | ~100 MiB |
| Memory — peak, 100 clients | 118 MiB | 161 MiB |
| Plateau swing | ±5 MiB | ±66 MiB |
| CPU — avg, 100 clients | 13 % | 38 % |
| Static-CT-API v1.0.0-rc.1 | Yes (checkpoint + tile + leaf_index) | No (RFC6962 only) |

Rust uses ~3× less CPU than Go at the same load and a much tighter memory plateau (no GC pressure). Go's average steady RSS is closer than older benchmarks suggested; the dramatic v1.3-era gap has narrowed as the Go fork matured. The Elixir comparison was dropped — calidog/certstream-server doesn't publish a recent image, so any number we cited would be from an unverifiable reference. Reproduce these numbers locally with the scripts in soak/.

Support the project

I build this in my free time. Just using it, starring the repo, or sharing it with someone who needs it already means a lot — that's the kind of thing that keeps me going.

If you'd like to go a step further, you can sponsor me on GitHub. No pressure though — every form of support is appreciated.
