For each IP that has a certificate (regardless of port) query the serial and/or cn/SANs against CT log to see if it exists in the dataset. If the certificate is visible within CT logs, pull that info (this is similar to what censys.io does presently, but their scans miss a lot of ports and hosts). From the UX perspective, make the tag (ex: in_ct) searchable and visible to the end user. example search: ssl "string" AND tag:in_ct WHERE cert_expired:FALSE. You could also make the tag itself click searchable from within the UI; example workflow: user looks at IP, sees cert serial, clickable leads to information about cert and how many hosts presently serve it.
Note: there are a number of ways to do this, but the simplest would be to maintain your own local index of the CT logs and query against them - use something akin to axeman
For each IP that has a certificate (regardless of port) query the serial and/or cn/SANs against CT log to see if it exists in the dataset. If the certificate is visible within CT logs, pull that info (this is similar to what censys.io does presently, but their scans miss a lot of ports and hosts). From the UX perspective, make the tag (ex: in_ct) searchable and visible to the end user. example search: ssl "string" AND tag:in_ct WHERE cert_expired:FALSE. You could also make the tag itself click searchable from within the UI; example workflow: user looks at IP, sees cert serial, clickable leads to information about cert and how many hosts presently serve it.
Note: there are a number of ways to do this, but the simplest would be to maintain your own local index of the CT logs and query against them - use something akin to axeman