How does this tool discover subdomains from certificate logs?

When a certificate is issued for a domain, it includes all the hostnames it covers in the Subject Alternative Name (SAN) field. This tool queries the crt.sh database, which aggregates data from multiple CT logs, and extracts unique hostnames from the SAN fields. This technique can reveal subdomains that may not be discoverable through DNS enumeration, including internal systems, staging environments, and forgotten assets.

What makes a certificate suspicious according to this tool?

The tool flags several suspicious patterns: certificates from historically compromised CAs, wildcard certificates that could indicate overly broad access, very short validity periods that might indicate testing or malicious use, certificates from unknown or untrusted CAs, and potential typosquatting domains that closely resemble your legitimate domain. Each finding includes a risk assessment to help prioritize investigation.

What is the difference between DV, OV, and EV certificates?

DV (Domain Validation) certificates only verify domain ownership and are issued quickly with minimal checks. OV (Organization Validation) certificates verify the organization identity and require documentation. EV (Extended Validation) certificates require extensive verification including legal existence, operational presence, and authorization. Higher validation levels provide more assurance but DV certificates are equally secure for encryption purposes.

How can I use this tool for security monitoring?

You can use this tool to establish a baseline of legitimate certificates for your domains and then periodically check for new certificates. Any unexpected certificates could indicate unauthorized access to your domain verification process, a compromised CA, or an attacker attempting to intercept your traffic. Security teams often integrate CT monitoring into their threat detection workflows to catch certificate-based attacks early.

Why do some domains show hundreds or thousands of certificates?

Domains with many certificates typically belong to organizations that frequently rotate certificates, use automation like Lets Encrypt with short validity periods, or operate many subdomains. CDN providers, cloud platforms, and large enterprises often have numerous certificates due to auto-renewal policies and distributed infrastructure. The tool provides CA distribution analysis to help identify patterns in certificate issuance.

What export formats are available for certificate data?

The tool supports three export formats to suit different use cases. JSON export provides structured data ideal for programmatic analysis or integration with security tools. CSV export is compatible with spreadsheets and databases for reporting and trend analysis. TXT export provides a simple list of subdomains that can be used as input for other reconnaissance or vulnerability scanning tools.

Home/Tools/Security/Certificate Transparency Lookup

Certificate Transparency Lookup

Loading Certificate Transparency Lookup...

Domain Name

Domain to search for certificates

Include Expired

Include Wildcards

Sort By

Sort order for results

Loading interactive tool...

JavaScript Required

This interactive tool requires JavaScript to function. Please enable JavaScript in your browser to use the full features.

The tool description and documentation above provide information about this tool's capabilities. For the best experience, please enable JavaScript and refresh the page.

Detecting Phishing Domains?

CT logs reveal fraudulent certificates. Our team monitors for brand impersonation and domain abuse.

Learn About Risk Assessment Explore vCISO Services

What Is Certificate Transparency

Certificate Transparency (CT) is an open framework for monitoring and auditing the issuance of TLS/SSL certificates. Created by Google and standardized in RFC 6962, CT requires Certificate Authorities (CAs) to log every certificate they issue into publicly auditable, append-only logs. This allows domain owners, security researchers, and browsers to detect misissued or unauthorized certificates—a critical defense against man-in-the-middle attacks and CA compromise.

Before CT, a compromised or rogue CA could issue certificates for any domain without detection. Notable incidents—like the DigiNotar breach (2011) and Symantec's misissued certificates (2015-2017)—demonstrated the need for transparency. Since 2018, Google Chrome requires all publicly trusted certificates to be logged in CT logs, making CT a foundational component of web security.

How Certificate Transparency Works

The CT system involves three components:

CT Logs: Publicly accessible, append-only servers that record certificate data. Each log entry includes the certificate, a timestamp, and a Signed Certificate Timestamp (SCT) proving the log received it. Major logs are operated by Google (Argon, Xenon), Cloudflare (Nimbus), and Let's Encrypt (Oak).

Monitors: Services that watch CT logs for new certificates. Domain owners use monitors to detect certificates issued for their domains—authorized or not. If an unauthorized certificate appears, it indicates a potential compromise or CA misbehavior.

Auditors: Verify that logs are behaving honestly—that entries are not being removed or modified after insertion.

Component	Role	Examples
CT Log	Store certificate records	Google Argon, Cloudflare Nimbus
Monitor	Watch for new certificates	crt.sh, Facebook CT Monitor
Auditor	Verify log integrity	Browser-based verification

Common Use Cases

Domain monitoring: Detect unauthorized certificates issued for your domains, indicating potential CA compromise or phishing infrastructure
Threat intelligence: Search CT logs for certificates registered to lookalike domains used in phishing campaigns
Certificate inventory: Discover all certificates ever issued for your organization's domains across all CAs
Incident response: Investigate suspicious TLS infrastructure by examining certificate details and issuance history
Compliance auditing: Verify that all certificates in your environment are properly logged in CT

Best Practices

Monitor your domains continuously — Set up automated alerts for new certificates issued for your domains using services like crt.sh or Facebook's CT monitor
Search for lookalike domains — Regularly search CT logs for certificates on domains similar to yours (typosquatting, homograph attacks)
Verify SCTs in certificates — Modern browsers check for Signed Certificate Timestamps; ensure your CA includes them
Use CT data for certificate inventory — CT logs are the most comprehensive source of all publicly trusted certificates for your domains
Investigate unexpected certificates immediately — An unauthorized certificate for your domain could indicate a CA compromise or an active man-in-the-middle attack

Frequently Asked Questions

Common questions about the Certificate Transparency Lookup

Certificate Transparency (CT) is a public logging system that records all SSL/TLS certificates issued by Certificate Authorities. It was created to detect misissued or fraudulent certificates that could be used for man-in-the-middle attacks. By monitoring CT logs, organizations can discover unauthorized certificates issued for their domains and detect potential security threats before they cause harm.

ℹ️ Disclaimer

This tool is provided for informational and educational purposes only. All processing happens entirely in your browser - no data is sent to or stored on our servers. While we strive for accuracy, we make no warranties about the completeness or reliability of results. Use at your own discretion.