Historical SSL/TLS at 20B+ records.
Historical SSL/TLS certificate data across domains and IP addresses. 20B+ records sourced from certificate transparency logs and active TLS scanning.
Multi-snapshot certificate state, at internet scale.
The Historical SSL Records Feed is the bulk version of the SSL Lookup API. The API answers single-target queries; the feed delivers the full historical corpus for analytical workloads, certificate-chain clustering, and offline pivot graphs.
Each record is one observed certificate at one point in time. The corpus exceeds 20B records across CT-log monitoring of all major operators, active TLS scanning of registered apex domains and discovered subdomains, and Deepinfo's own continuous discovery pipeline. Coverage includes the full chain, validity dates, subject and issuer details, SANs, and fingerprint identifiers.
Use this feed for SAN-graph clustering of brand-impersonation infrastructure, issuer-distribution analysis at scale, expiry-and-renewal tracking across vendor portfolios, or any research workflow that benefits from offline indexing of the full SSL observation history.
Historical bulk export, delivered on demand.
Available as a one-time bulk export or as periodic refreshes against the latest cumulative snapshot. Authenticate with an API token scoped to the feed.
Delivery
Historical bulk export. Single API call returns metadata plus a signed download_url. S3 and SFTP for large transfers.
Format
JSON or CSV. Partitioned by issuer and observation year for efficient downstream processing.
Refresh cadence
On-demand bulk export; periodic refresh available.
Authentication
API token in the request header. Per-feed scoping. Reference at docs.deepinfo.com.
What you actually get.
The API response, with the metadata for the latest cumulative snapshot:
{
"download_url": "https://feeds.deepinfo.com/historical-ssl/2026-05-02/historical-ssl.json.gz?...",
"file_format": "json",
"file_size": 412384719834,
"file_update_time": "2026-05-02T03:14:27Z",
"line_count": 21847391284
}A few representative records from the JSON-formatted file at download_url:
{"sha256":"3a4b...e9","subject":"CN=*.acme.com","issuer":"CN=DigiCert TLS RSA SHA256 2020 CA1","not_before":"2024-03-12T00:00:00Z","not_after":"2025-04-12T23:59:59Z","sans":["acme.com","*.acme.com","api.acme.com"],"observed_at":"2024-03-13T08:14:00Z","source":"ct_log"}
{"sha256":"8c1d...a2","subject":"CN=login.contoso.io","issuer":"CN=Let's Encrypt R3","not_before":"2025-09-01T00:00:00Z","not_after":"2025-11-30T23:59:59Z","sans":["login.contoso.io"],"observed_at":"2025-09-02T10:00:00Z","source":"active_scan"}Workflows this feed powers directly.
Brand Impersonation Protection
Cluster fake-brand certificates by SAN graph, issuer pattern, or fingerprint. Catches impersonation infrastructure that simple domain matching misses.
Read the use caseAttack Surface Management
Build the full certificate inventory across your apex domains and subdomains. Surface forgotten certs and certificate sprawl across years.
Read the use caseIncident Investigation and Response
Pivot through certificate observations during incident reconstruction. The cert valid at the time of compromise is the one that matters.
Read the use case“Certificate-lineage analysis across years is impossible without a deep historical corpus. The 20B-record dataset gives us the certificate-rotation patterns that map directly to threat-actor infrastructure.”
Other historical feeds.
Historical DNS at 100B+ records.
Historical DNS record snapshots including A, AAAA, MX, NS, TXT, CNAME, and SOA. 100B+ records across the long tail of internet observation.
See feed DATA FEEDUp to 10 years of Whois history, in bulk.
Up to 10 years of historical Whois snapshots. 100B+ records covering registrar, registrant, dates, name servers, and status codes across every monitored TLD.
See feedGet the full SSL history, in bulk.
Most teams scope to an issuer or year range first. We'll set up token access and discuss partitioning that fits your workload.