Search Certificate Transparency logs to find all SSL/TLS certificates issued for a domain. Monitor for unauthorized certificates.
Certificate Transparency provides a critical security layer for the web's PKI infrastructure.
• Detect fraudulent certificates
• Monitor unauthorized certificate issuance
• Find typosquatting domains
• Discover shadow IT and forgotten subdomains
• Track certificate expiration dates
• Comprehensive subdomain enumeration
• Historical certificate data
• Identify development/staging environments
• Map infrastructure footprint
• Discover API endpoints
Certificate Transparency (CT) is an open framework for monitoring and auditing the issuance of TLS/SSL certificates. Created by Google and standardized in RFC 6962, CT requires Certificate Authorities (CAs) to log every certificate they issue into publicly auditable, append-only logs. This allows domain owners, security researchers, and browsers to detect misissued or unauthorized certificates—a critical defense against man-in-the-middle attacks and CA compromise.
Before CT, a compromised or rogue CA could issue certificates for any domain without detection. Notable incidents—like the DigiNotar breach (2011) and Symantec's misissued certificates (2015-2017)—demonstrated the need for transparency. Since 2018, Google Chrome requires all publicly trusted certificates to be logged in CT logs, making CT a foundational component of web security.
The CT system involves three components:
CT Logs: Publicly accessible, append-only servers that record certificate data. Each log entry includes the certificate, a timestamp, and a Signed Certificate Timestamp (SCT) proving the log received it. Major logs are operated by Google (Argon, Xenon), Cloudflare (Nimbus), and Let's Encrypt (Oak).
Monitors: Services that watch CT logs for new certificates. Domain owners use monitors to detect certificates issued for their domains—authorized or not. If an unauthorized certificate appears, it indicates a potential compromise or CA misbehavior.
Auditors: Verify that logs are behaving honestly—that entries are not being removed or modified after insertion.
| Component | Role | Examples |
|---|---|---|
| CT Log | Store certificate records | Google Argon, Cloudflare Nimbus |
| Monitor | Watch for new certificates | crt.sh, Facebook CT Monitor |
| Auditor | Verify log integrity | Browser-based verification |
Certificate Transparency (CT) is a public logging system that records all SSL/TLS certificates issued by Certificate Authorities. It was created to detect misissued or fraudulent certificates that could be used for man-in-the-middle attacks. By monitoring CT logs, organizations can discover unauthorized certificates issued for their domains and detect potential security threats before they cause harm.
When a certificate is issued for a domain, it includes all the hostnames it covers in the Subject Alternative Name (SAN) field. This tool queries the crt.sh database, which aggregates data from multiple CT logs, and extracts unique hostnames from the SAN fields. This technique can reveal subdomains that may not be discoverable through DNS enumeration, including internal systems, staging environments, and forgotten assets.
The tool flags several suspicious patterns: certificates from historically compromised CAs, wildcard certificates that could indicate overly broad access, very short validity periods that might indicate testing or malicious use, certificates from unknown or untrusted CAs, and potential typosquatting domains that closely resemble your legitimate domain. Each finding includes a risk assessment to help prioritize investigation.
DV (Domain Validation) certificates only verify domain ownership and are issued quickly with minimal checks. OV (Organization Validation) certificates verify the organization identity and require documentation. EV (Extended Validation) certificates require extensive verification including legal existence, operational presence, and authorization. Higher validation levels provide more assurance but DV certificates are equally secure for encryption purposes.
You can use this tool to establish a baseline of legitimate certificates for your domains and then periodically check for new certificates. Any unexpected certificates could indicate unauthorized access to your domain verification process, a compromised CA, or an attacker attempting to intercept your traffic. Security teams often integrate CT monitoring into their threat detection workflows to catch certificate-based attacks early.
Domains with many certificates typically belong to organizations that frequently rotate certificates, use automation like Let's Encrypt with short validity periods, or operate many subdomains. CDN providers, cloud platforms, and large enterprises often have numerous certificates due to auto-renewal policies and distributed infrastructure. The tool provides CA distribution analysis to help identify patterns in certificate issuance.
The tool supports three export formats to suit different use cases. JSON export provides structured data ideal for programmatic analysis or integration with security tools. CSV export is compatible with spreadsheets and databases for reporting and trend analysis. TXT export provides a simple list of subdomains that can be used as input for other reconnaissance or vulnerability scanning tools.