SSL Certificate & Subdomain Search via CT Logs

Find all SSL certificates and subdomains via Certificate Transparency logs

This tool uses publicly available data. Results are for informational purposes only. No queries are logged.

About this SSL certificate & subdomain search

This free tool performs an SSL certificate and subdomain search via CT logs — the public Certificate Transparency logs that record every TLS/SSL certificate issued by participating certificate authorities. Because publicly trusted certificates must be logged, those records are an open-source intelligence goldmine: by querying the certificate history for a domain (via crt.sh), the tool surfaces a count of issued certificates, a list of discovered subdomains, and details of recent certificates including common name, validity window, and issuer.

Certificate Transparency was created so that mis-issued or rogue SSL certificates could be detected. For investigators and security teams, the same logs double as a passive reconnaissance source: subdomains that never appear in public DNS or links often show up because someone requested a certificate for them. Mapping a target's certificate footprint helps reveal staging environments, internal-sounding hostnames, vendor infrastructure, and the certificate authorities an organisation relies on.

How to read the results

Enter a registrable domain such as example.com. The card shows the total certificates seen in CT logs and the number of unique subdomains found, followed by a sample of discovered subdomains and the most recent certificates with their issue and expiry dates. Treat the subdomain list as candidates: a hostname in a certificate proves a certificate was requested, not that the host is currently live, so confirm with DNS resolution before acting. Pair this with WHOIS and DNS data to build a full picture of an organisation's external attack surface.

This SSL certificate and subdomain search works well alongside the WHOIS domain registration lookup to identify the registrar and owner, the domain reconnaissance scanner for a wider footprint sweep, and the IP address geolocation lookup to investigate the infrastructure each subdomain resolves to.

What are Certificate Transparency (CT) logs?

CT logs are public, append-only records of SSL/TLS certificates issued by trusted certificate authorities. They were introduced to let domain owners and the public detect mis-issued certificates, and they make historical certificate data searchable for anyone.

How does this find subdomains?

When a certificate is issued for a hostname, that hostname is recorded in the CT logs. By reading every logged certificate for a domain, the tool extracts the subject and subject-alternative-name entries to assemble a list of subdomains — including ones that may not be publicly linked.
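The extraction described above, as an added example that is not this tool's own code: it assumes records shaped like crt.sh's JSON output (the `issuer_name`, `common_name` and `name_value` fields) and runs on constructed sample data. The function names `normalise`, `in_scope` and `summarise` are hypothetical.

```python
import json
from collections import Counter

# Constructed sample shaped like crt.sh JSON output; hostnames and issuers are made up.
# Only the fields used here are included (assumption: real records carry more).
SAMPLE = json.dumps([
    {"issuer_name": "C=US, O=Example CA One, CN=E1", "common_name": "example.com",
     "name_value": "example.com\nwww.example.com"},
    {"issuer_name": "C=US, O=Example CA One, CN=E1", "common_name": "*.example.com",
     "name_value": "*.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Example CA Two, CN=R3", "common_name": "Staging.Example.com",
     "name_value": "staging.example.com\nSTAGING.example.com.\nadmin@example.com"},
    {"issuer_name": "C=US, O=Example CA Two, CN=R3", "common_name": "api.example.com",
     "name_value": "api.example.com\ncdn.example.net\nnotexample.com"},
])

def normalise(name):
    """Lower-case, drop surrounding whitespace, a trailing dot and a leading wildcard label."""
    name = name.strip().lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name

def in_scope(name, domain):
    """True for the domain itself or a real subdomain (label boundary, not a bare suffix)."""
    return "@" not in name and (name == domain or name.endswith("." + domain))

def summarise(raw_json, domain):
    """Return certificate count, unique in-scope hostnames and per-issuer counts."""
    domain = normalise(domain)
    records = json.loads(raw_json)
    names, issuers = set(), Counter()
    for rec in records:
        issuers[rec.get("issuer_name", "unknown")] += 1
        # name_value lists the logged identities one per line; common_name is the subject CN.
        candidates = rec.get("name_value", "").split("\n") + [rec.get("common_name", "")]
        for cand in candidates:
            host = normalise(cand)
            if host and in_scope(host, domain):
                names.add(host)
    return {"certificates": len(records), "subdomains": sorted(names), "issuers": dict(issuers)}

if __name__ == "__main__":
    print(json.dumps(summarise(SAMPLE, "example.com"), indent=2))
```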

Does a discovered subdomain mean it is live?

No. A certificate proves only that one was requested for that hostname at some point. The host may be offline, decommissioned, or never deployed. Always verify with a fresh DNS lookup before drawing conclusions.