🔐 Certificate Transparency Monitor

Discover every SSL/TLS certificate ever issued for a domain via CT logs. Uncovers subdomains, staging environments, internal hostnames, wildcard certs, and certificate authority patterns.

Queries crt.sh via Cloudflare Worker proxy · Last updated February 10, 2026

How does Certificate Transparency monitoring reveal hidden infrastructure?

Certificate Transparency (CT) is a public logging framework defined in RFC 6962 that requires Certificate Authorities to publish every SSL/TLS certificate they issue to append-only, cryptographically verifiable logs. Max Intel's CT Monitor queries crt.sh, a CT log search engine maintained by Sectigo that indexes certificates from all major CT logs. Each certificate's Common Name (CN) and Subject Alternative Name (SAN) fields list the hostnames it covers — revealing subdomains that may not appear in DNS records, search engine results, or active web crawls. According to the OWASP Testing Guide v4.2, CT log analysis is a recommended passive reconnaissance technique because it discovers infrastructure the target organization may not realize is publicly visible.

Why are internal hostnames in CT logs a security risk?

Organizations frequently obtain SSL/TLS certificates for internal services — staging servers, CI/CD pipelines, monitoring dashboards, VPN endpoints, and database servers. These certificates appear in CT logs alongside public-facing certificates, exposing internal naming conventions and infrastructure topology. The SANS Institute attack surface mapping methodology identifies CT log enumeration as a critical step because internal hostnames like jenkins.corp.example.com, grafana.internal.example.com, or db-master-01.example.com reveal the specific technologies and architecture an organization uses — information that significantly reduces the effort required for targeted attacks.

What do the five analysis views reveal?

The Certificates table shows every certificate with issuer, validity dates, and SAN count — sortable and filterable by active, expired, wildcard, or internal status. The Subdomains view deduplicates hostnames across all certificates, showing first-seen and last-seen dates that indicate how long each subdomain has existed. The Domain Tree visualizes the subdomain hierarchy as a collapsible tree structure, making organizational patterns visible at a glance. The Timeline chart plots certificate issuance and expiration periods for the top 40 subdomains, revealing certificate rotation patterns and gaps. The Issuers view shows which Certificate Authorities the organization uses, which can indicate vendor relationships, automation practices (Let's Encrypt suggests automated provisioning), or enterprise CA deployments.
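
For a domain owner reviewing what their own certificates publish, the counters and views described above can be reproduced offline from a crt.sh-style JSON export. This is an added example, not the tool's own code: the sample rows are constructed, the `INTERNAL_HINTS` keyword list is an assumed heuristic, and first-seen/last-seen are taken from each certificate's `not_before`.

```python
import json
from collections import Counter
from datetime import datetime

# Constructed rows in the shape of crt.sh JSON output; name_value holds
# newline-separated names. Hostnames and the second issuer are made up.
LE = "C=US, O=Let's Encrypt, CN=R3"
SAMPLE = json.dumps([
    {"issuer_name": LE, "name_value": "www.example.com\napi.example.com",
     "not_before": "2025-11-01T00:00:00", "not_after": "2026-01-30T00:00:00"},
    {"issuer_name": LE, "name_value": "jenkins.corp.example.com",
     "not_before": "2024-03-01T00:00:00", "not_after": "2024-05-30T00:00:00"},
    {"issuer_name": "O=Example Enterprise CA, CN=Issuing CA 1",
     "name_value": "*.example.com\nexample.com",
     "not_before": "2025-06-01T00:00:00", "not_after": "2026-06-01T00:00:00"},
    {"issuer_name": LE, "name_value": "API.example.com\ngrafana.internal.example.com",
     "not_before": "2025-12-15T00:00:00", "not_after": "2026-03-15T00:00:00"},
])

# Assumed heuristic, not the tool's list: labels hinting at non-public systems.
INTERNAL_HINTS = {"internal", "corp", "staging", "dev", "vpn", "jenkins",
                  "gitlab", "grafana", "kibana", "db"}

def is_internal(host):
    labels = host.lower().lstrip("*.").split(".")
    return any(l.split("-")[0] in INTERNAL_HINTS for l in labels)

def summarize(raw_json, now):
    certs = json.loads(raw_json)
    hosts, issuers = {}, Counter()   # hosts: name -> [first_seen, last_seen]
    wildcard = expired = 0
    for c in certs:
        nb = datetime.fromisoformat(c["not_before"])
        na = datetime.fromisoformat(c["not_after"])
        # Case-fold and dedupe: DNS names are case-insensitive.
        names = {n.strip().lower() for n in c["name_value"].split("\n") if n.strip()}
        issuers[c["issuer_name"]] += 1
        wildcard += any(n.startswith("*.") for n in names)
        expired += na < now
        for n in names:
            seen = hosts.setdefault(n, [nb, nb])
            seen[0], seen[1] = min(seen[0], nb), max(seen[1], nb)
    return {"certificates": len(certs), "unique_hosts": len(hosts),
            "wildcard_certs": wildcard, "expired_certs": expired,
            "internal_hosts": sorted(h for h in hosts if is_internal(h)),
            "issuers": dict(issuers), "seen": hosts}

if __name__ == "__main__":
    print(summarize(SAMPLE, datetime(2026, 2, 10)))
```

Hostnames flagged as internal in such a report are candidates for a wildcard certificate or a private CA, so that their names stop appearing in public logs.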

Certificate Transparency (CT)
A public logging framework (RFC 6962) requiring Certificate Authorities to publish every issued certificate to append-only logs, enabling domain owners and researchers to detect misissued or unauthorized certificates.
Subject Alternative Name (SAN)
An X.509 certificate extension that allows a single certificate to cover multiple hostnames. SAN fields are the primary source of subdomain discovery in CT log analysis, as modern certificates list all covered domains here rather than in the Common Name field.
crt.sh
A free CT log search engine operated by Sectigo (formerly Comodo CA) that indexes certificates from all major Certificate Transparency logs, providing a JSON API for programmatic queries by domain name.
Wildcard Certificate
A certificate that uses an asterisk (e.g., *.example.com) to cover all subdomains at one level of a domain. Organizations using wildcard certificates expose fewer specific hostnames in CT logs compared to those using individual certificates per subdomain.

🔐 Certificate Transparency Monitor — Frequently Asked Questions

How does Certificate Transparency log monitoring discover subdomains?

Certificate Transparency (CT) is a public logging framework that requires Certificate Authorities to publish every SSL/TLS certificate they issue. Max Intel queries crt.sh, a CT log aggregator maintained by Sectigo, which indexes certificates from all major CT logs. Each certificate contains a Common Name (CN) and Subject Alternative Names (SANs) that list every hostname the certificate covers — revealing subdomains that may not appear in DNS records, search engines, or web crawls.

What are internal hostnames and why are they significant in CT logs?

Internal hostnames are subdomains that suggest non-public infrastructure: staging servers, development environments, VPNs, CI/CD pipelines (Jenkins, GitLab), monitoring systems (Grafana, Kibana), and database servers. These appear in CT logs when organizations obtain SSL certificates for internal services. Discovering these hostnames reveals infrastructure that was never intended to be publicly known, which is valuable for security assessments and attack surface mapping.

What is the difference between wildcard and single-domain certificates in CT logs?

A single-domain certificate covers specific hostnames listed in the CN and SAN fields (e.g., www.example.com, api.example.com). A wildcard certificate uses an asterisk to cover all subdomains at one level (e.g., *.example.com). Organizations that use wildcard certificates reveal fewer specific subdomains in CT logs, while those using single-domain certificates expose every hostname they secure — making CT log analysis more productive for reconnaissance.