Certificate transparency · streamed

Real-time CT log streaming, built in Rust.

A drop-in certstream server that aggregates newly issued SSL/TLS certificates from every Chrome- and Apple-trusted Certificate Transparency log and streams them over WebSocket and SSE. RFC 6962 and static-CT-API, in a single binary.

WebSocket · SSE · RFC 6962 · static-CT-API · single binary

docker run -d -p 8080:8080 ghcr.io/reloading01/certstream-server-rust:latest

What you get

Everything a CT monitor needs, nothing it doesn't.

Built for security teams, researchers, and developers who need reliable Certificate Transparency monitoring.

Multi-protocol streaming

WebSocket and Server-Sent Events. WebSocket for real-time clients, SSE for browsers and pipelines — same data, your choice of transport.

RFC 6962 + static-CT-API

Both the classic get-entries protocol and the new checkpoint + tile static-CT-API logs are watched side by side in one process.

Cross-log deduplication

The same certificate shows up across many logs. A SHA-256 filter collapses duplicates so each client sees a clean, single stream.

State persistence

Resume from the last processed position after a restart. No certificate loss during maintenance or upgrades.

Connection limiting

Per-IP and total connection caps. Production-ready protection against abuse and runaway clients.

Token authentication

Bearer-token access control with constant-time comparison. Multiple tokens, configurable header name.
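
A sketch of what constant-time bearer-token checking against several tokens can look like, using only the Rust standard library. This is an added example, not the project's own code: the function names, the `Bearer <token>` value format, the header name and the token strings are assumptions made for illustration.

```rust
use std::collections::HashMap;

/// Compare without returning at the first mismatch: every byte of `presented`
/// is visited and the length difference is folded into the result.
fn ct_eq(presented: &[u8], expected: &[u8]) -> bool {
    let mut diff = (presented.len() ^ expected.len()) as u64;
    for (i, &p) in presented.iter().enumerate() {
        // Past the end of `expected`, compare against 0; `diff` is already non-zero.
        let e = *expected.get(i).unwrap_or(&0);
        diff |= (p ^ e) as u64;
    }
    // black_box discourages the optimizer from reintroducing an early exit.
    std::hint::black_box(diff) == 0
}

/// Check the configured header against every token, with no early exit, so
/// timing does not show which token (if any) was close to matching.
fn authorize(headers: &HashMap<String, String>, header_name: &str, tokens: &[&str]) -> bool {
    // HTTP header names are case-insensitive.
    let value = headers
        .iter()
        .find(|(k, _)| k.eq_ignore_ascii_case(header_name))
        .map(|(_, v)| v.as_str());
    // Assumed value format: "Bearer <token>". Empty tokens never authenticate.
    let presented = match value.and_then(|v| v.strip_prefix("Bearer ")) {
        Some(t) if !t.is_empty() => t,
        _ => return false,
    };
    let mut ok = false;
    for t in tokens {
        ok |= ct_eq(presented.as_bytes(), t.as_bytes()); // `|=` does not short-circuit
    }
    ok
}

fn main() {
    let tokens = ["example-token-a", "example-token-b"]; // constructed values
    let mut h = HashMap::new();
    h.insert("authorization".to_string(), "Bearer example-token-b".to_string());
    println!("valid token:       {}", authorize(&h, "Authorization", &tokens));
    h.insert("authorization".to_string(), "Bearer example-token".to_string());
    println!("prefix of a token: {}", authorize(&h, "Authorization", &tokens));
}
```

The loop length depends only on the presented value, which the caller already knows. A production service would normally take the comparison from a vetted crate such as `subtle` instead of hand-rolling it.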

Hot-reload config

Configuration changes apply without a restart. A file watcher picks up edits for zero-downtime tuning.

Circuit breaker & health

Automatic retry with exponential backoff and per-log circuit breaking. Failing logs are isolated, not allowed to spam.

Metrics & REST API

A Prometheus /metrics endpoint plus an optional REST API for server stats, log health, and certificate lookup.

Performance

Measured, not marketed.

Default config, 100 concurrent WebSocket clients pulling the lite stream, 10-minute plateau window.

Stable RSS (100 clients): ~118 MiB
Plateau swing: ±5 MiB
CPU (100 clients): ~13%
Sustained ingest: ~1K/s

Memory settles within roughly five minutes of startup and stays flat — no GC pauses, no growth over time. Every certificate is serialized once and broadcast to all subscribers via an Arc<PreSerializedMessage> with zero-copy text frames; when no clients are connected, serialization is skipped entirely. Reproduce these numbers locally with the scripts in soak/.

Support the project

Built in spare time, kept free.

I build this in my free time. Just using it, starring the repo, or sharing it with someone who needs it already means a lot — that's the kind of thing that keeps me going.

If you'd like to go a step further, you can sponsor me on GitHub. No pressure though — every form of support is appreciated.
