Don't like ads? Go Ad-Free Today 

Certificate Transparency Log Lookup

DeveloperNetworkingSecurity

ADVERTISEMENT · REMOVE?

INPUT

OUTPUT

Server Side

ADVERTISEMENT · REMOVE?

Guide

Certificate Transparency Log Lookup

The Certificate Transparency Log Lookup queries public Certificate Transparency (CT) logs through the crt.sh aggregator to show every SSL/TLS certificate that has been issued for a domain. Enter a domain and instantly see which certificate authorities issued certificates, when they are valid, and which hostnames and subdomains they cover. Because the data comes from append-only public logs that browsers require for every trusted certificate, the results reflect real certificates in the wild — not guesses.

It is a fast way to audit your own certificate footprint, monitor for unexpected certificate issuance, and discover subdomains that may otherwise be hard to enumerate. It pairs naturally with an SSL certificate decoder and a security headers checker for a fuller picture of a site’s TLS posture.

How to Use

Enter a registered domain such as example.com.
Leave Include subdomains enabled to run a wildcard search and surface certificates issued for any subdomain.
Optionally tick Unexpired certificates only to hide certificates that are past their validity date.
Optionally tick Wildcard certificates only to show just the certificates that cover *. wildcard names.
Click Look up. Review the discovered names, then the certificate table with issuer, validity window, and a link to the full crt.sh record.

Features

Live CT log data – Reads real certificates from public Certificate Transparency logs via crt.sh, not static or cached lists.
Subdomain discovery – Wildcard search collects every hostname and Subject Alternative Name found across issued certificates.
Issuer and validity details – See the issuing certificate authority and the valid-from / valid-to dates for each certificate at a glance.
Smart filtering – Narrow results to unexpired certificates only or wildcard certificates only.
Clean de-duplication – Collapses duplicate pre-certificate and leaf log entries so each certificate appears once.
Direct crt.sh links – Jump to the full record for any certificate for deeper inspection.

ADVERTISEMENT · REMOVE?

 FAQ

What is Certificate Transparency?

Certificate Transparency (CT) is an open framework, defined in RFC 6962, for publicly logging every SSL/TLS certificate that a certificate authority issues. Logs are append-only and cryptographically verifiable, so certificates cannot be quietly removed once recorded. Modern browsers require certificates to be accompanied by proof of CT logging before they are trusted, which makes the ecosystem far more accountable.
How do Certificate Transparency logs improve security?

Because every issued certificate is recorded in a public log, domain owners and researchers can detect mis-issued or unauthorized certificates that might otherwise be used for phishing or interception. Monitoring CT logs lets an organization spot a rogue certificate for its domain shortly after it is issued, instead of discovering the problem only after an attack.
What is a Subject Alternative Name (SAN)?

A Subject Alternative Name is a field in an X.509 certificate that lists the hostnames the certificate is valid for. A single certificate can cover many SANs, including the bare domain, the www host, and additional subdomains or a wildcard such as *.example.com. Reading the SAN list across a domain's certificates is what reveals the full set of names that have been certified.
Why can Certificate Transparency logs reveal subdomains?

When a certificate is issued for a subdomain, that hostname is written into the certificate's Subject Alternative Name field and therefore into the public CT log. Searching the logs with a wildcard query returns every certificate whose names end in the target domain, exposing subdomains that are not linked anywhere publicly. This is why CT logs are a common, passive source for reconnaissance and asset inventory.