CT Subdomain Finder

Find every subdomain and TLS certificate a domain published to Certificate Transparency logs. Passive recon via crt.sh on the edge — no packets to the target.

  • [FREE]
  • [NO_SIGNUP]
  • [USES_SERVER]

⚠ Unlike most of the site, this tool runs one request on a server because your browser cannot make it directly. It keeps none of your input — see the tool and the privacy page.

A subdomain finder built on Certificate Transparency recovers the hostnames a domain has published — passively, from a public record, without ever touching the target.

How it works

Browsers require that every publicly-trusted TLS certificate be logged to Certificate Transparency (CT) logs — public, append-only ledgers defined by RFC 6962. Each certificate lists the hostnames it covers (its Subject Alternative Names). So the CT logs are, in effect, a running list of every subdomain that has ever been given an HTTPS certificate.

This tool queries public CT aggregators — Certspotter as the primary, with crt.sh as a fallback — dedupes the rows into one entry per hostname, and shows each with the earliest certificate date, the latest expiry, and the issuing CA.

Why this tool has a server (most of the site doesn’t)

Almost every tool here runs entirely in your browser. This one can’t: a browser is blocked by CORS from fetching crt.sh directly, and the result needs server-side parsing. So it runs the query on a Cloudflare Pages Function at /api/ct and hands back the hostnames. The domain you enter is a public lookup — the same kind as a DNS lookup — not private input.

What gets stored

The hostnames CT reveals are public record, and we cache them (with the date we first observed each) to power an optional Watch feature — alerts when a new subdomain or certificate appears, or a cert nears expiry. There is no account, no email, and no cookie tying searches to you. If you want a tool that keeps literally nothing, the DNS lookup is a pure proxy.

What it’s good for

  • Attack-surface review — see every subdomain of your own domain that has a certificate, including forgotten staging and dev hosts.
  • Authorized security testing — passive recon that never touches the target.
  • Cert hygiene — spot certificates nearing expiry, or issuers you didn’t expect.

Use it only on domains you own or are authorized to test.

Reading the result

Each row is a hostname. A marker on the row flags a wildcard (*.example.com) certificate. First cert is the earliest not_before seen; Latest expiry is the latest not_after. A domain with no rows simply has no public certificates logged yet — it may be new, internal-only, or covered solely by a wildcard.
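
The dedupe described under "How it works" and the columns explained above, as an added example that is not this tool's own code. It assumes rows in the shape of crt.sh's JSON output (name_value, not_before, not_after, issuer_name); summarize, hygiene and the sample rows are hypothetical names and constructed data, and the hygiene step goes slightly beyond the columns to show the cert-hygiene use listed earlier.

```javascript
// Constructed sample rows shaped like crt.sh JSON output; all values are made up.
const SAMPLE_ROWS = [
  { name_value: "www.example.com\nexample.com", not_before: "2024-01-20T00:00:00",
    not_after: "2024-04-19T00:00:00", issuer_name: "C=US, O=Let's Encrypt, CN=R3" },
  { name_value: "WWW.example.com", not_before: "2024-03-25T00:00:00",
    not_after: "2024-06-23T00:00:00", issuer_name: "C=US, O=Let's Encrypt, CN=R3" },
  { name_value: "*.example.com\nstaging.example.com", not_before: "2023-09-01T00:00:00",
    not_after: "2024-09-01T00:00:00", issuer_name: "O=Example CA, CN=Example CA 1" },
  { name_value: "cdn.other.net\nadmin@example.com", not_before: "2024-01-01T00:00:00",
    not_after: "2025-01-01T00:00:00", issuer_name: "O=Example CA, CN=Example CA 1" },
];

// Collapse certificate rows into one entry per in-scope hostname.
function summarize(rows, domain) {
  const apex = domain.toLowerCase();
  const byHost = new Map();
  for (const row of rows) {
    for (const raw of String(row.name_value || "").split("\n")) {
      const host = raw.trim().toLowerCase().replace(/\.$/, "");
      // Skip e-mail SANs and names outside the queried domain (shared certs).
      if (!host || host.includes("@")) continue;
      if (host !== apex && !host.endsWith("." + apex)) continue;
      const e = byHost.get(host) || { host, wildcard: host.startsWith("*."),
        firstCert: row.not_before, latestExpiry: row.not_after, issuers: new Set() };
      // Same-format ISO-8601 timestamps order correctly as plain strings.
      if (row.not_before < e.firstCert) e.firstCert = row.not_before;
      if (row.not_after > e.latestExpiry) e.latestExpiry = row.not_after;
      e.issuers.add(row.issuer_name);
      byHost.set(host, e);
    }
  }
  return [...byHost.values()]
    .map((e) => ({ ...e, issuers: [...e.issuers].sort() }))
    .sort((a, b) => (a.host < b.host ? -1 : 1));
}

// Hygiene view: hosts whose latest certificate lapses within `days` of `now`
// (UTC assumed), and hosts with any issuer not matching the `allowed` list.
function hygiene(summary, now, days, allowed) {
  const cutoff = new Date(now.getTime() + days * 86400000).toISOString().slice(0, 19);
  return {
    expiring: summary.filter((e) => e.latestExpiry <= cutoff).map((e) => e.host),
    unexpectedIssuer: summary
      .filter((e) => e.issuers.some((i) => !allowed.some((a) => i.includes(a))))
      .map((e) => e.host),
  };
}

console.log(hygiene(summarize(SAMPLE_ROWS, "example.com"), new Date("2024-04-15T00:00:00Z"), 30, ["Let's Encrypt"]));
```

The suffix check uses "." + domain so that a lookalike such as evilexample.com on a shared certificate is not counted as a subdomain of example.com.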

Frequently asked questions

How does finding subdomains from Certificate Transparency work?

Every time a certificate authority issues a TLS certificate, it must log it to public, append-only Certificate Transparency (CT) logs (mandated by RFC 6962 and enforced by browsers). Each certificate lists the hostnames it covers. So by reading the CT logs for a domain you recover the subdomains that have ever had a certificate — without sending a single packet to the target. This tool queries the crt.sh CT aggregator and dedupes the results into one row per hostname.

Is this legal, and does it touch the target server?

Yes, and no. CT logs are a public record by design. Enumerating them is completely passive — the lookup goes to crt.sh, never to the domain you are researching, so it generates zero traffic to the target. This is the safe, ToS-friendly way to discover subdomains, unlike active port/DNS brute-forcing. Use it for your own attack-surface review or authorized security testing only.

Why does this tool use a server when most tools here run in the browser?

A browser cannot make a cross-origin request to crt.sh (CORS blocks it), and CT log parsing needs server-side fetching. So this tool relays the query on Cloudflare's edge and returns the result. The domain you enter is a public lookup — the same kind as a DNS query — not private input.

Do you store the domains I search?

We cache the discovered public hostnames (with the date we first observed each one) to power an optional domain-watch feature. That is public Certificate Transparency data, not anything private to you: no account, no email, no cookie tying searches to you. The domain you type is a public lookup like a DNS query.

Why are some results missing or different from another CT search?

CT only shows hostnames that have had a logged certificate. A subdomain that never got a public TLS cert (internal-only, or behind a wildcard) will not appear. Results also depend on how fresh crt.sh's index is and which logs it monitors. A hostname covered only by a *.example.com wildcard shows as the wildcard, not the specific subdomain.

Is it free, and is there a limit?

The finder is free with no signup. crt.sh is sometimes slow or overloaded — if a search times out, wait a moment and retry. A paid Watch feature (alerts when a new subdomain or certificate appears, or a cert nears expiry) is the optional upgrade; the finder itself stays free.