Domain Certificate Audit
Search Certificate Transparency logs for every SSL certificate ever issued to a domain. Reveals subdomains, historical issuance, and issuing authorities.
Monitor this automatically
NetTests can run this check on a schedule, preserve historical results, compare changes over time, and alert you the moment something breaks.
Start monitoring free → See all monitoring productsFrequently Asked Questions
What is Certificate Transparency and why query it?
Certificate Transparency (CT) is a public log system where every certificate issued by a CA must be submitted before browsers trust it. These logs are permanent and publicly searchable. This tool queries crt.sh, which aggregates all major CT logs, to find every certificate ever issued for your domain — including historical and expired ones.
How can I use this to discover subdomains?
Every SSL certificate covers domain names in its Subject Alternative Names (SAN) field. By searching CT logs for %.example.com, you see every subdomain that has ever had a certificate — including staging, dev, and internal systems not publicly advertised. This is a standard first step in security reconnaissance and attack surface mapping.
What do wildcard certificates look like in the results?
Wildcard certificates cover *.example.com (any single-level subdomain) and appear with an asterisk. This tool counts them separately from explicit subdomain certificates. Note that *.example.com does NOT cover a.b.example.com — sub-subdomains require their own certificate or a second wildcard level.
Why do I see certificates I didn't issue?
CT logs record all certificates, including misissuance by CAs or certificates issued for your domain by a third-party service. If you see unexpected certificates, add a CAA DNS record restricting which CAs may issue for your domain, and report any misissuance directly to the CA. CAA records are checked by all compliant CAs before issuance.
How recent are the results?
Results come directly from crt.sh in real time. Newly issued certificates typically appear within minutes of issuance. CT logs are append-only, so every historical certificate remains visible indefinitely — expired and revoked certificates are included in the results.