diff --git a/pkgs/tools/security/certgraph/default.nix b/pkgs/tools/security/certgraph/default.nix
new file mode 100644
index 00000000000..f15ec8f89e0
--- /dev/null
+++ b/pkgs/tools/security/certgraph/default.nix
@@ -0,0 +1,25 @@
+{ lib
+, buildGoModule
+, fetchFromGitHub
+}:
+
+buildGoModule rec {
+  pname = "certgraph";
+  version = "20210224";
+
+  src = fetchFromGitHub {
+    owner = "lanrat";
+    repo = pname;
+    rev = version;
+    sha256 = "14l2bls25xwd8gnsmshc588br72rwz1s0gjnsnqksri4ksqkdqlz";
+  };
+
+  vendorSha256 = "1vih64z0zwmaflc0pwvnwyj5fhrc8qfp0kvrz73nnfpcrcan2693";
+
+  meta = with lib; {
+    description = "Intelligence tool to crawl the graph of certificate alternate names";
+    homepage = "https://github.com/lanrat/certgraph";
+    license = with licenses; [ gpl2Only ];
+    maintainers = with maintainers; [ fab ];
+  };
+}
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index f7a38a408f8..837fce095bd 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -236,6 +236,8 @@ with pkgs;
 
   cereal = callPackage ../development/libraries/cereal { };
 
+  certgraph = callPackage ../tools/security/certgraph { };
+
   cewl = callPackage ../tools/security/cewl { };
 
   checkov = callPackage ../development/tools/analysis/checkov {};