Certificate Transparency
About the Certificate Transparency tool
The Certificate Transparency tool searches public CT logs for SSL/TLS certificates that have been issued for a given domain. Certificate Transparency is an open framework, backed by browsers and certificate authorities, in which every publicly trusted certificate must be recorded in append-only, cryptographically verifiable logs. By querying these logs you can see the full history of certificates issued for a domain, including the issuing CA, validity dates, and any subdomains that appeared in the certificate's Subject Alternative Names.
The tool queries CT log aggregators (such as crt.sh-style data sources) and returns matching certificate records for the domain and its subdomains. Because CAs are required to log certificates before browsers will trust them, the results are effectively a complete public ledger of who issued what and when. This makes it possible to enumerate subdomains that a normal DNS scan might miss, since a wildcard or named certificate often reveals hostnames that are not otherwise advertised.
Security teams use CT log searches to detect unauthorized or rogue certificates issued for their domains, an early warning sign of phishing infrastructure or a compromised CA account. Penetration testers and bug bounty hunters mine the logs for forgotten staging, admin, and internal subdomains to expand their attack surface map. Operations teams use it to inventory which CAs have issued certificates and to confirm that a newly requested certificate has been logged and is therefore browser-trusted.
Practical tips: searching the apex domain with subdomain expansion is the fastest way to discover shadow infrastructure, but expect duplicates because each renewal and each precertificate creates a separate log entry. Certificates can appear in the logs minutes to hours before they go live, so CT is also useful for spotting upcoming launches. Combine the findings with an SSL checker to inspect the live certificate currently served on each host you discover.
Frequently asked questions
- What is Certificate Transparency?
  It is a system of public, append-only logs that record every publicly trusted SSL/TLS certificate. Browsers require certificates to be logged, creating an auditable record of all issuance.
- How can CT logs reveal hidden subdomains?
  Certificates list every hostname they cover in their Subject Alternative Names. Searching CT logs surfaces those names, often exposing staging, admin, or internal subdomains that are not in public DNS listings.
- Why do I see multiple entries for the same certificate?
  Each renewal creates a new certificate, and CAs log both a precertificate and the final certificate. This produces several closely related entries for what looks like one certificate.
- Can CT logs help detect phishing or mis-issuance?
  Yes. Monitoring CT logs for certificates issued on your domain by unexpected CAs is a primary way to detect rogue or unauthorized certificates used in phishing or man-in-the-middle attacks.
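The duplicate handling and the unexpected-CA check described above, as an added example (not part of the original page and not the tool's own code). It assumes records shaped like crt.sh JSON output (`issuer_name`, `serial_number`, `not_before`, `name_value`); the sample records, the `example.test` names, the issuer strings and the allowlist are constructed.

```python
# Constructed sample records; field names assume crt.sh-style JSON output.
EXPECTED = "C=US, O=Example Trust CA, CN=Example Trust R1"  # hypothetical CA you use
SAMPLE_RECORDS = [
    {"issuer_name": EXPECTED, "serial_number": "0A11", "not_before": "2024-01-10T00:00:00",
     "name_value": "example.test\nwww.example.test"},
    # Same issuer and serial as above: the precertificate/final pair of one issuance.
    {"issuer_name": EXPECTED, "serial_number": "0a11", "not_before": "2024-01-10T00:00:00",
     "name_value": "example.test\nwww.example.test"},
    # Renewal: new serial, so it is a distinct certificate.
    {"issuer_name": EXPECTED, "serial_number": "0b22", "not_before": "2024-04-09T00:00:00",
     "name_value": "example.test\nstaging.example.test"},
    # Issued by a CA that is not on the allowlist.
    {"issuer_name": "C=XX, O=Unplanned CA, CN=Unplanned CA G2", "serial_number": "0c33",
     "not_before": "2024-05-01T00:00:00", "name_value": "login.example.test\n*.example.test"},
]
ALLOWED_ISSUERS = {EXPECTED}  # hypothetical allowlist of issuer DNs


def dedupe(records):
    """Collapse log entries that describe the same certificate.

    A precertificate and its final certificate share issuer and serial number,
    so (issuer, serial) identifies one issuance; renewals get a new serial.
    """
    unique = {}
    for rec in records:
        key = (rec["issuer_name"], rec["serial_number"].lower())
        unique.setdefault(key, rec)  # keep the first entry seen for each key
    return list(unique.values())


def san_names(rec):
    """Return the hostnames listed in one record, normalised to lower case."""
    return sorted({n.strip().lower() for n in rec["name_value"].splitlines() if n.strip()})


def unexpected_issuance(records, allowed_issuers):
    """Return unique certificates whose issuer is not on the allowlist."""
    return [
        {"issuer": r["issuer_name"], "serial": r["serial_number"].lower(),
         "not_before": r["not_before"], "names": san_names(r)}
        for r in dedupe(records) if r["issuer_name"] not in allowed_issuers
    ]


if __name__ == "__main__":
    certs = dedupe(SAMPLE_RECORDS)
    print(f"{len(SAMPLE_RECORDS)} log entries -> {len(certs)} unique certificates")
    print("hostnames:", sorted({n for c in certs for n in san_names(c)}))
    for hit in unexpected_issuance(SAMPLE_RECORDS, ALLOWED_ISSUERS):
        print("REVIEW:", hit)
```

Matching on the full issuer string is deliberately strict: an intermediate you have not listed is flagged even when it belongs to a CA you use, so the allowlist needs updating when your CA rotates intermediates.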