diff --git a/cmd/amass/enum.go b/cmd/amass/enum.go
index 3981d44a..917c4a18 100644
--- a/cmd/amass/enum.go
+++ b/cmd/amass/enum.go
@@ -73,6 +73,8 @@ type enumArgs struct {
 Silent bool
 Sources bool
 Verbose bool
+ NoCerts bool
+ NoAxfr bool
 }
 Filepaths struct {
 AllFilePrefix string
@@ -128,6 +130,8 @@ func defineEnumOptionFlags(enumFlags *flag.FlagSet, args *enumArgs) {
 enumFlags.BoolVar(&args.Options.Silent, "silent", false, "Disable all output during execution")
 enumFlags.BoolVar(&args.Options.Sources, "src", false, "Print data sources for the discovered names")
 enumFlags.BoolVar(&args.Options.Verbose, "v", false, "Output status / debug / troubleshooting info")
+ enumFlags.BoolVar(&args.Options.NoCerts, "nocerts", false, "Disables certificate name grabs when -active mode is enabled")
+ enumFlags.BoolVar(&args.Options.NoAxfr, "noaxfr", false, "Disables zone transfers when -active mode is enabled")
 }
 
 func defineEnumFilepathFlags(enumFlags *flag.FlagSet, args *enumArgs) {
@@ -369,9 +373,19 @@ func argsAndConfig(clArgs []string) (*config.Config, *enumArgs) {
 r.Fprintln(color.Error, "IP addresses cannot be provided without DNS resolution")
 os.Exit(1)
 }
- if !cfg.Active && len(args.Ports) > 0 {
- r.Fprintln(color.Error, "Ports can only be scanned in the active mode")
- os.Exit(1)
+ if !cfg.Active {
+ if len(args.Ports) > 0 {
+ r.Fprintln(color.Error, "Ports can only be scanned in the active mode")
+ os.Exit(1)
+ }
+ if args.Options.NoCerts {
+ r.Fprintln(color.Error, "Certificate name grabbing can only be disabled in the active mode")
+ os.Exit(1)
+ }
+ if args.Options.NoAxfr {
+ r.Fprintln(color.Error, "Zone transfers can only be disabled in the active mode")
+ os.Exit(1)
+ }
 }
 if len(cfg.Domains()) == 0 {
 r.Fprintln(color.Error, "Configuration error: No root domain names were provided")
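Review bot: The `-noaxfr` help string only mentions zone transfers, but the enum/active.go hunk at @@ -115 gates `a.zoneWalk` behind the same `NoAxfr` field, so the flag also switches off zone walking; the help text should say so, and the same gap exists in the `NoAxfr` comment in config/config.go and the new doc/user_guide.md row. The two new strings also read "Disables …" while the neighbouring options use the imperative form ("Disable all output …"). Suggested: `"Disable certificate name grabs when -active mode is enabled"` and `"Disable zone transfers and zone walks when -active mode is enabled"`. defineEnumOptionFlags's signature is only visible in the hunk header, so the rest of its body lies outside the hunk.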
@@ -653,7 +667,7 @@ func processEnumInputFiles(args *enumArgs) error {
 for _, f := range args.Filepaths.Resolvers {
 list, err := config.GetListFromFile(f)
 if err != nil {
- return fmt.Errorf("Failed to parse the esolver file: %v", err)
+ return fmt.Errorf("Failed to parse the resolver file: %v", err)
 }
 args.Resolvers.InsertMany(list...)
 }
@@ -730,6 +744,12 @@ func (e enumArgs) OverrideConfig(conf *config.Config) error {
 if e.MaxDNSQueries > 0 {
 conf.MaxDNSQueries = e.MaxDNSQueries
 }
+ if e.Options.NoCerts {
+ conf.NoCerts = true
+ }
+ if e.Options.NoAxfr {
+ conf.NoAxfr = true
+ }
 
 if len(e.Included) > 0 {
 conf.SourceFilter.Include = true
diff --git a/config/config.go b/config/config.go
index 19aed46f..5f440441 100644
--- a/config/config.go
+++ b/config/config.go
@@ -118,9 +118,15 @@ type Config struct {
 // Only access the data sources for names and return results?
 Passive bool
 
- // Determines if zone transfers will be attempted
+ // Determines if zone transfers and ssl certification extraction will be attempted
 Active bool
 
+ // Determines if certificate name grabbing will be attempted
+ NoCerts bool
+
+ // Determines if zone transfers will be attempted
+ NoAxfr bool
+
 // A blacklist of subdomain names that will not be investigated
 Blacklist []string
 blacklistLock sync.Mutex
diff --git a/doc/user_guide.md b/doc/user_guide.md
index 75ab7286..256d8932 100644
--- a/doc/user_guide.md
+++ b/doc/user_guide.md
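Review bot: The doc comments on the two new Config fields state the opposite of what the fields do: `NoCerts` is documented as "Determines if certificate name grabbing will be attempted", yet the enum/active.go hunks skip certificate grabbing when it is true, so it should read `// Disables certificate name grabbing in active mode`, and `NoAxfr` should read `// Disables zone transfers and zone walks in active mode`. The reworded `Active` comment also says "ssl certification extraction", which should be "certificate name extraction". Whether these fields can also be set from a config file is not visible here; if they can, the active-mode validation added in cmd/amass/enum.go only covers the command-line path and `OverrideConfig` would silently keep a file-supplied value.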
@@ -131,6 +131,8 @@ This subcommand will perform DNS enumeration and network mapping while populatin
 | -src | Print data sources for the discovered names | amass enum -src -d example.com |
 | -timeout | Number of minutes to execute the enumeration | amass enum -timeout 30 -d example.com |
 | -w | Path to a different wordlist file | amass enum -brute -w wordlist.txt -d example.com |
+| -nocerts | Disables certificate name grabs when -active mode is enabled | amass enum -active -nocerts -d example.com
+| -noaxfr | Disables zone transfers when -active mode is enabled | amass enum -active -noaxfr -d example.com
 
 ### The 'viz' Subcommand
 
diff --git a/enum/active.go b/enum/active.go
index 1fa51f5c..c798d163 100644
--- a/enum/active.go
+++ b/enum/active.go
@@ -70,9 +70,13 @@ func (a *activeTask) Process(ctx context.Context, data pipeline.Data, tp pipelin
 case *requests.DNSRequest:
 ok = true
 case *requests.AddrRequest:
- ok = true
+ if !a.enum.Config.NoCerts {
+ ok = true
+ }
 case *requests.ZoneXFRRequest:
- ok = true
+ if !a.enum.Config.NoAxfr {
+ ok = true
+ }
 }
 
 if ok {
@@ -115,12 +119,14 @@ func (a *activeTask) processTask() {
 case *requests.DNSRequest:
 go a.crawlName(args.Ctx, v, args.Params)
 case *requests.AddrRequest:
- if v.InScope {
+ if v.InScope && !a.enum.Config.NoCerts {
 go a.certEnumeration(args.Ctx, v, args.Params)
 }
 case *requests.ZoneXFRRequest:
- go a.zoneTransfer(args.Ctx, v, args.Params)
- go a.zoneWalk(args.Ctx, v, args.Params)
+ if !a.enum.Config.NoAxfr {
+ go a.zoneTransfer(args.Ctx, v, args.Params)
+ go a.zoneWalk(args.Ctx, v, args.Params)
+ }
 }
 }
 }
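Review bot: In Process, the `AddrRequest` and `ZoneXFRRequest` cases now only set `ok` when the corresponding config flag is clear, so each three-line block collapses to a single assignment, `ok = !a.enum.Config.NoCerts` and `ok = !a.enum.Config.NoAxfr`, provided `ok` still holds its zero value when the switch is entered (its declaration is outside the hunk). The signature of Process and the start of the type switch lie outside the hunk as well.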
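Review bot: The `!a.enum.Config.NoCerts` and `!a.enum.Config.NoAxfr` conditions added in processTask repeat the gate the @@ -70 hunk adds to Process; if Process is the only path that feeds processTask, an `AddrRequest` or `ZoneXFRRequest` can no longer arrive here with the flag set and the second check is dead code. Keeping both is defensible as a safety net, but then a short comment should say why, e.g. `// Process already filters these; re-checked in case the task queue is fed from elsewhere`. The loop and switch that enclose these cases begin outside the hunk.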